53 files changed, 600 insertions, 313 deletions
diff --git a/README.md b/README.md
index 22d094d04..e1dc875ab 100644
--- a/README.md
+++ b/README.md
@@ -115,4 +115,5 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## New profiles:
-gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal
+gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal,
+mpg123,
diff --git a/RELNOTES b/RELNOTES
index c35b2971a..d5baa3bc4 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,10 +1,11 @@
 firejail (0.9.61) baseline; urgency=low
  * work in progress
+  * added file-copy-limit in /etc/firejail/firejail.config
  * profile templates
  * new profiles: qgis, klatexformula, klatexformula_cmdl, links, xlinks
  * new profiles: pandoc, teams-for-linux, OpenArena, gnome-sound-recorder
  * new profiles: godot, tcpdump, tshark, newsbeuter, keepassxc-cli
-  * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal
+  * new profiles: keepassxc-proxy, rhythmbox-client, jerry, zeal, mpg123
 -- netblue30 <netblue30@yahoo.com>  Sat, 1 Jun 2019 08:00:00 -0500
 firejail (0.9.60) baseline; urgency=low
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py
index 65bfba52d..c6c6f908d 100755
--- a/contrib/fix_private-bin.py
+++ b/contrib/fix_private-bin.py
@@ -61,7 +61,6 @@ def fixSymlinkedBins(files, replMap):
        if shouldUpdate:
            with open(filename, "w") as file:
                file.writelines(lines)
-            pass
 def createSetOfBinaries(files):
@@ -70,7 +69,6 @@ def createSetOfBinaries(files):
        """
    s = set()
    for filename in files:
-        lines = None
        with open(filename, "r") as file:
            for line in file:
                if privRx.search(line):
diff --git a/contrib/fjclip.py b/contrib/fjclip.py
index 3d0c56dc6..30323b1d5 100755
--- a/contrib/fjclip.py
+++ b/contrib/fjclip.py
@@ -1,6 +1,5 @@
 #!/usr/bin/env python
-import re
 import sys
 import subprocess
 import fjdisplay
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh
new file mode 100755
index 000000000..3ee3fffb3
--- /dev/null
+++ b/contrib/gdb-firejail.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -x
+# gdb setuid helper script.
+# This script forks a background process as the current user which will
+# immediately send itself a `STOP` signal.  Then gdb running as root will
+# attach to that process, which will send it the `CONT` signal to continue
+# execution.  Then the backgrounded process will exec the program with the
+# given arguments.  This will allow the root gdb to trace the unprivileged
+# setuid firejail process from the absolute beginning.
+if [ -z "${1##*/firejail}" ]; then
+    FIREJAIL=$1
+else
+    # First argument is not named firejail, then add default unless environment
+    # variable already set.
+    set -- ${FIREJAIL:=$(which firejail)} "$@"
+fi
+bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" &
+sudo gdb -e  "$FIREJAIL" -p "$!"
+\ No newline at end of file
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index 89543d6cc..6b7db6b44 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -6,8 +6,9 @@ include celluloid.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.config/gnome-mpv
 noblacklist ${HOME}/.config/celluloid
+noblacklist ${HOME}/.config/gnome-mpv
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
diff --git a/etc/conplay.profile b/etc/conplay.profile
new file mode 100644
index 000000000..101ce2f17
--- /dev/null
+++ b/etc/conplay.profile
@@ -0,0 +1,14 @@
+# Firejail profile for conplay
+# Persistent local customizations
+include conplay.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+## system-wide profile
+#+ overrides
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+# Redirect
+include mpg123.profile
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ae82d72b5..7ca5a6b89 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -134,6 +134,8 @@ blacklist ${RUNUSER}/kdesud_*
 # gnome
 # contains extensions, last used times of applications, and notifications
 blacklist ${HOME}/.local/share/gnome-shell
+# no direct modification of dconf database
+read-only ${HOME}/.config/dconf
 # systemd
 blacklist ${HOME}/.config/systemd
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 3e6706101..c061e94a2 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -319,6 +319,7 @@ blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
+blacklist ${HOME}/.config/youtube-dl
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
diff --git a/etc/firejail.config b/etc/firejail.config
index dbe4fb1ea..4c0cb2a41 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,6 +2,9 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
+# Allow symbolic links in path of user home directories, default disabled.
+# homedir-symlink no
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
@@ -35,6 +38,11 @@
 # cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
+# Set the limit for file copy in several --private-* options. The size is set
+# in megabytes. By default we allow up to 500MB.
+# Note: the files are copied in RAM.
+# file-copy-limit 500
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 74ab9f8b7..85d9b9bd9 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# Comment the following line if you need to whitelist other folders than ~/Downloads
 include disable-xdg.inc
 mkdir ${HOME}/.cache/gajim
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 3dda48192..f757aed69 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -47,4 +47,4 @@ private-etc alternatives,fonts
 private-lib
 private-tmp
-memory-deny-write-execute
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/less.profile b/etc/less.profile
index e6366ad28..0f31d344b 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -8,13 +8,13 @@ include less.local
 include globals.local
 noblacklist ${HOME}/.lesshst
+read-only ${HOME}
+read-write ${HOME}/.lesshst
-include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-include disable-programs.inc
 apparmor
 caps.drop all
diff --git a/etc/mpg123-alsa.profile b/etc/mpg123-alsa.profile
new file mode 100644
index 000000000..378435af1
--- /dev/null
+++ b/etc/mpg123-alsa.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-alsa
+# Persistent local customizations
+include mpg123-alsa.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-id3dump.profile b/etc/mpg123-id3dump.profile
new file mode 100644
index 000000000..370a57b3c
--- /dev/null
+++ b/etc/mpg123-id3dump.profile
@@ -0,0 +1,12 @@
+# Firejail profile for mpg123-id3dump
+# Persistent local customizations
+include mpg123-id3dump.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+machine-id
+nosound
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-jack.profile b/etc/mpg123-jack.profile
new file mode 100644
index 000000000..e36a2e5b3
--- /dev/null
+++ b/etc/mpg123-jack.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-jack
+# Persistent local customizations
+include mpg123-jack.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-nas.profile b/etc/mpg123-nas.profile
new file mode 100644
index 000000000..cdbf0b1d2
--- /dev/null
+++ b/etc/mpg123-nas.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-nas
+# Persistent local customizations
+include mpg123-nas.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-openal.profile b/etc/mpg123-openal.profile
new file mode 100644
index 000000000..e5585feaa
--- /dev/null
+++ b/etc/mpg123-openal.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-openal
+# Persistent local customizations
+include mpg123-openal.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-oss.profile b/etc/mpg123-oss.profile
new file mode 100644
index 000000000..dcb92ecd6
--- /dev/null
+++ b/etc/mpg123-oss.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-oss
+# Persistent local customizations
+include mpg123-oss.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-portaudio.profile b/etc/mpg123-portaudio.profile
new file mode 100644
index 000000000..319843504
--- /dev/null
+++ b/etc/mpg123-portaudio.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-portaudio
+# Persistent local customizations
+include mpg123-portaudio.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-pulse.profile b/etc/mpg123-pulse.profile
new file mode 100644
index 000000000..31063a96b
--- /dev/null
+++ b/etc/mpg123-pulse.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-pulse
+# Persistent local customizations
+include mpg123-pulse.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123-strip.profile b/etc/mpg123-strip.profile
new file mode 100644
index 000000000..62de57c22
--- /dev/null
+++ b/etc/mpg123-strip.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123-strip
+# Persistent local customizations
+include mpg123-strip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123.bin.profile b/etc/mpg123.bin.profile
new file mode 100644
index 000000000..0a01d0829
--- /dev/null
+++ b/etc/mpg123.bin.profile
@@ -0,0 +1,9 @@
+# Firejail profile for mpg123.bin
+# Persistent local customizations
+include mpg123.bin.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/mpg123.profile b/etc/mpg123.profile
new file mode 100644
index 000000000..8a8907c39
--- /dev/null
+++ b/etc/mpg123.profile
@@ -0,0 +1,38 @@
+# Firejail profile for mpg123
+# Description: MPEG audio player/decoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mpg123.local
+# Persistent global definitions
+include globals.local
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodbus
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+#private-bin mpg123*
+private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile
index f0309da9a..878a5f654 100644
--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/mps-youtube
 noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/mps
@@ -29,10 +30,12 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/mps-youtube
 mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/youtube-dl
 mkdir ${HOME}/.mplayer
 mkdir ${HOME}/mps
 whitelist ${HOME}/.config/mps-youtube
 whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.mplayer
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/mps
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 07a6ba42b..d8163d20a 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -8,6 +8,7 @@ include mpv.local
 include globals.local
 noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -42,5 +43,6 @@ shell none
 tracelog
 private-bin env,mpv,python*,youtube-dl
-private-cache
+# Causes slow OSD, see #2838
+#private-cache
 private-dev
diff --git a/etc/mumble.profile b/etc/mumble.profile
index 2d8607e53..94ccbad0c 100644
--- a/etc/mumble.profile
+++ b/etc/mumble.profile
@@ -43,4 +43,4 @@ disable-mnt
 private-bin mumble
 private-tmp
-memory-deny-write-execute
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/obs.profile b/etc/obs.profile
index 038242cae..4277bdab3 100644
--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
-private-bin obs,python*
+private-bin bash,obs,obs-ffmpeg-mux,python*,sh
 private-cache
 private-dev
 private-tmp
diff --git a/etc/out123.profile b/etc/out123.profile
new file mode 100644
index 000000000..4754c05ba
--- /dev/null
+++ b/etc/out123.profile
@@ -0,0 +1,9 @@
+# Firejail profile for out123
+# Persistent local customizations
+include out123.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include mpg123.profile
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 621fef49f..e74394b22 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -45,4 +45,4 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
-memory-deny-write-execute
+#memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 6cb3fe4cd..abbd76aff 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -22,6 +22,7 @@ include whitelist-var-common.inc
 caps.drop all
 machine-id
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,5 +39,3 @@ tracelog
 private-bin qpdfview
 private-dev
 private-tmp
-memory-deny-write-execute
diff --git a/etc/riot-desktop.profile b/etc/riot-desktop.profile
index e91d25196..e6af4c2cb 100644
--- a/etc/riot-desktop.profile
+++ b/etc/riot-desktop.profile
@@ -7,5 +7,8 @@ include riot-desktop.local
 # added by included profile
 #include globals.local
+ignore seccomp
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mincore,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pivot_root,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # Redirect
 include riot-web.profile
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index f83caee8a..c7324e6ca 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -7,6 +7,7 @@ include smplayer.local
 include globals.local
 noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.mplayer
 # Allow python (blacklisted by disable-interpreters.inc)
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index f41453bf3..490255fa6 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -34,7 +34,7 @@ shell none
 # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
 disable-mnt
-private-bin bash,electron,env,sh,wire-desktop
+private-bin bash,electron,electron4,env,sh,wire-desktop
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 28b5f2376..6fc519bee 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -7,9 +7,10 @@ include youtube-dl.local
 # Persistent global definitions
 include globals.local
-# breaks when installed via pip
+# breaks when installed under ${HOME} via `pip install --user` (see #2833)
 ignore noexec ${HOME}
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
 noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
@@ -48,7 +49,6 @@ seccomp
 shell none
 tracelog
-disable-mnt
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 9fca2a39b..3f507a361 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -25,9 +25,11 @@
 #include <pwd.h>
 int arg_quiet = 0;
+int arg_debug = 0;
 static int arg_follow_link = 0;
-#define COPY_LIMIT (500 * 1024 *1024)
+static int copy_limit = 500 * 1024 *1024; // 500 MB
+#define COPY_LIMIT (
 static int size_limit_reached = 0;
 static unsigned file_cnt = 0;
 static unsigned size_cnt = 0;
@@ -184,8 +186,8 @@ static int fs_copydir(const char *infname, const struct stat *st, int ftype, str
        mode_t mode = s.st_mode;
        // recalculate size
-        if ((s.st_size + size_cnt) > COPY_LIMIT) {
+        if ((s.st_size + size_cnt) > copy_limit) {
-                fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (COPY_LIMIT / 1024) / 1024);
+                fprintf(stderr, "Error fcopy: size limit of %dMB reached\n", (copy_limit / 1024) / 1024);
                size_limit_reached = 1;
                free(outfname);
                return 0;
@@ -330,6 +332,9 @@ int main(int argc, char **argv) {
        char *quiet = getenv("FIREJAIL_QUIET");
        if (quiet && strcmp(quiet, "yes") == 0)
                arg_quiet = 1;
+        char *debug = getenv("FIREJAIL_DEBUG");
+        if (debug && strcmp(debug, "yes") == 0)
+                arg_debug = 1;
        char *src;
        char *dest;
@@ -384,6 +389,14 @@ int main(int argc, char **argv) {
                exit(1);
        }
+        // extract copy limit size from env variable, if any
+        char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
+        if (cl) {
+                copy_limit = atoi(cl) * 1024 * 1024;
+                if (arg_debug)
+                        printf("file copy limit %d bytes\n", copy_limit);
+        }
        // copy files
        if ((arg_follow_link ? stat : lstat)(src, &s) == -1) {
                fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno));
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 04bf123ad..95ad95e95 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -119,6 +119,7 @@ code
 code-oss
 conkeror
 conky
+conplay
 corebird
 crawl
 crawl-tiles
@@ -379,6 +380,17 @@ mp3splt
 mp3splt-gtk
 mp3wrap
 mpDris2
+mpg123
+mpg123.bin
+mpg123-alsa
+mpg123-id3dump
+mpg123-jack
+mpg123-nas
+mpg123-openal
+mpg123-oss
+mpg123-portaudio
+mpg123-pulse
+mpg123-strip
 mplayer
 mpsyt
 mpv
@@ -432,6 +444,7 @@ opera
 opera-beta
 orage
 ostrichriders
+out123
 palemoon
 pandoc
 parole
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 7c60d9189..1da765d8f 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -126,16 +126,25 @@ void appimage_set(const char *appimage) {
                printf("appimage mounted on %s\n", mntdir);
        EUID_USER();
+        char* abspath = realpath(appimage, NULL);
+        if (abspath == NULL)
+                errExit("Failed to obtain absolute path");
        // set environment
-        if (setenv("APPIMAGE", appimage, 1) < 0)
+        if (setenv("APPIMAGE", abspath, 1) < 0)
                errExit("setenv");
        if (mntdir && setenv("APPDIR", mntdir, 1) < 0)
                errExit("setenv");
+        if (size != 0 && setenv("ARGV0", appimage, 1) < 0)
+                errExit("setenv");
+        if (setenv("OWD", cfg.cwd, 1) < 0)
+                errExit("setenv");
        // build new command line
        if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1)
                errExit("asprintf");
+        free(abspath);
        free(mode);
 #ifdef HAVE_GCOV
        __gcov_flush();
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index b11d795a9..84054fe76 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -50,6 +50,7 @@ int checkcfg(int val) {
                cfg_val[CFG_DISABLE_MNT] = 0;
                cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
                cfg_val[CFG_XPRA_ATTACH] = 0;
+                cfg_val[CFG_HOMEDIR_SYMLINK] = 0;
                // open configuration file
                const char *fname = SYSCONFDIR "/firejail.config";
@@ -85,6 +86,7 @@ int checkcfg(int val) {
                        ptr = line_remove_spaces(buf);
                        if (!ptr)
                                continue;
+                        PARSE_YESNO(CFG_HOMEDIR_SYMLINK, "homedir-symlink")
                        PARSE_YESNO(CFG_FILE_TRANSFER, "file-transfer")
                        PARSE_YESNO(CFG_DBUS, "dbus")
                        PARSE_YESNO(CFG_JOIN, "join")
@@ -207,6 +209,12 @@ int checkcfg(int val) {
                                        goto errout;
                                cfg_val[CFG_ARP_PROBES] = arp_probes;
                        }
+                        // file copy limit
+                        else if (strncmp(ptr, "file-copy-limit ", 16) == 0) {
+                                if (setenv("FIREJAIL_FILE_COPY_LIMIT", ptr + 16, 1) == -1)
+                                        errExit("setenv");
+                        }
                        else
                                goto errout;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 630adc3d7..4bd70697e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -720,6 +720,8 @@ enum {
        CFG_PRIVATE_CACHE,
        CFG_CGROUP,
        CFG_NAME_CHANGE,
+        CFG_HOMEDIR_SYMLINK,
+        // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
        CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 9a15d825e..ce2ca5e2a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -441,6 +441,8 @@ static int get_mount_flags(const char *path, unsigned long *flags) {
 // mount a writable tmpfs on directory
 void fs_tmpfs(const char *dir, unsigned check_owner) {
        assert(dir);
+        if (arg_debug)
+                printf("Mounting tmpfs on %s\n", dir);
        // get a file descriptor for dir, fails if there is any symlink
        int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (fd == -1)
@@ -449,12 +451,9 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
        if (fstat(fd, &s) == -1)
                errExit("fstat");
        if (check_owner && s.st_uid != getuid()) {
-                fwarning("no tmpfs mounted on %s: not owned by the current user\n", dir);
+                fprintf(stderr, "Error: cannot mount tmpfs on %s: not owned by the current user\n", dir);
-                close(fd);
+                exit(1);
-                return;
        }
-        if (arg_debug)
-                printf("Mounting tmpfs on %s\n", dir);
        // preserve ownership, mode
        char *options;
        if (asprintf(&options, "mode=%o,uid=%u,gid=%u", s.st_mode & 07777, s.st_uid, s.st_gid) == -1)
@@ -1127,11 +1126,36 @@ void fs_overlayfs(void) {
 #ifdef HAVE_CHROOT
 // exit if error
+static void fs_check_chroot_subdir(const char *subdir, int parentfd, int check_writable) {
+        assert(subdir);
+        int fd = openat(parentfd, subdir, O_PATH|O_CLOEXEC);
+        if (fd == -1) {
+                if (errno == ENOENT)
+                        fprintf(stderr, "Error: cannot find /%s in chroot directory\n", subdir);
+                else {
+                        perror("open");
+                        fprintf(stderr, "Error: cannot open /%s in chroot directory\n", subdir);
+                }
+                exit(1);
+        }
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        close(fd);
+        if (!S_ISDIR(s.st_mode) || s.st_uid != 0) {
+                fprintf(stderr, "Error: chroot /%s should be a directory owned by root\n", subdir);
+                exit(1);
+        }
+        if (check_writable && ((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
+                fprintf(stderr, "Error: only root user should be given write permission on chroot /%s\n", subdir);
+                exit(1);
+        }
+}
+// exit if error
 void fs_check_chroot_dir(const char *rootdir) {
        EUID_ASSERT();
        assert(rootdir);
-        char *dir = EMPTY_STRING;
-        struct stat s;
        char *overlay;
        if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1)
@@ -1150,6 +1174,7 @@ void fs_check_chroot_dir(const char *rootdir) {
        }
        // rootdir has to be owned by root and is not allowed to be generally writable,
        // this also excludes /tmp, /var/tmp and such
+        struct stat s;
        if (fstat(parentfd, &s) == -1)
                errExit("fstat");
        if (s.st_uid != 0) {
@@ -1161,64 +1186,12 @@ void fs_check_chroot_dir(const char *rootdir) {
                exit(1);
        }
-        // check /dev
+        // check subdirectories in rootdir
-        dir = "dev";
+        fs_check_chroot_subdir("dev", parentfd, 0);
-        int fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
+        fs_check_chroot_subdir("etc", parentfd, 1);
-        if (fd == -1)
+        fs_check_chroot_subdir("proc", parentfd, 0);
-                goto error1;
+        fs_check_chroot_subdir("tmp", parentfd, 0);
-        if (fstat(fd, &s) == -1)
+        fs_check_chroot_subdir("var/tmp", parentfd, 0);
-                errExit("fstat");
-        if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
-                goto error2;
-        close(fd);
-        // check /var/tmp
-        dir = "var/tmp";
-        fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
-        if (fd == -1)
-                goto error1;
-        if (fstat(fd, &s) == -1)
-                errExit("fstat");
-        if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
-                goto error2;
-        close(fd);
-        // check /proc
-        dir = "proc";
-        fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
-        if (fd == -1)
-                goto error1;
-        if (fstat(fd, &s) == -1)
-                errExit("fstat");
-        if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
-                goto error2;
-        close(fd);
-        // check /tmp
-        dir = "tmp";
-        fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
-        if (fd == -1)
-                goto error1;
-        if (fstat(fd, &s) == -1)
-                errExit("fstat");
-        if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
-                goto error2;
-        close(fd);
-        // check /etc
-        dir = "etc";
-        fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
-        if (fd == -1)
-                goto error1;
-        if (fstat(fd, &s) == -1)
-                errExit("fstat");
-        if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
-                goto error2;
-        if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
-                fprintf(stderr, "Error: only root user should be given write permission on chroot /etc\n");
-                exit(1);
-        }
-        close(fd);
        // there should be no checking on <chrootdir>/etc/resolv.conf
        // the file is replaced with the real /etc/resolv.conf anyway
@@ -1249,32 +1222,10 @@ void fs_check_chroot_dir(const char *rootdir) {
 #endif
        // check x11 socket directory
-        if (getenv("FIREJAIL_X11")) {
+        if (getenv("FIREJAIL_X11"))
-                dir = "tmp/.X11-unix";
+                fs_check_chroot_subdir("tmp/.X11-unix", parentfd, 0);
-                fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
-                if (fd == -1)
-                        goto error1;
-                if (fstat(fd, &s) == -1)
-                        errExit("fstat");
-                if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
-                        goto error2;
-                close(fd);
-        }
        close(parentfd);
-        return;
-error1:
-        if (errno == ENOENT)
-                fprintf(stderr, "Error: cannot find /%s in chroot directory\n", dir);
-        else {
-                perror("open");
-                fprintf(stderr, "Error: cannot open /%s in chroot directory\n", dir);
-        }
-        exit(1);
-error2:
-        fprintf(stderr, "Error: chroot /%s should be a directory owned by root\n", dir);
-        exit(1);
 }
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index bd036908a..d807f527d 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -137,8 +137,8 @@ static void deventry_mount(void) {
 }
 static void create_char_dev(const char *path, mode_t mode, int major, int minor) {
-        dev_t dev = makedev(major, minor);
+        dev_t device = makedev(major, minor);
-        if (mknod(path, S_IFCHR | mode, dev) == -1)
+        if (mknod(path, S_IFCHR | mode, device) == -1)
                goto errexit;
        if (chmod(path, mode) < 0)
                goto errexit;
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 3f6d78db4..01a807883 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -239,13 +239,16 @@ void fs_private_homedir(void) {
        // mount bind private_homedir on top of homedir
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
-        // get a file descriptor for private_homedir, fails if there is any symlink
+        // get file descriptors for homedir and private_homedir, fails if there is any symlink
-        int fd = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        int src = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-        if (fd == -1)
+        if (src == -1)
+                errExit("safe_fd");
+        int dst = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (dst == -1)
                errExit("safe_fd");
        // check if new home directory is owned by the user
        struct stat s;
-        if (fstat(fd, &s) == -1)
+        if (fstat(src, &s) == -1)
                errExit("fstat");
        if (s.st_uid != getuid()) {
                fprintf(stderr, "Error: private directory is not owned by the current user\n");
@@ -253,17 +256,27 @@ void fs_private_homedir(void) {
        }
        if ((S_IRWXU & s.st_mode) != S_IRWXU)
                fwarning("no full permissions on private directory\n");
-        // mount via the link in /proc/self/fd
+        // mount via the links in /proc/self/fd
-        char *proc;
+        char *proc_src, *proc_dst;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
+                errExit("asprintf");
+        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
                errExit("asprintf");
-        if (mount(proc, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
+        if (mount(proc_src, proc_dst, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
                errExit("mount bind");
-        free(proc);
+        free(proc_src);
-        close(fd);
+        free(proc_dst);
+        close(src);
-        fs_logger3("mount-bind", private_homedir, cfg.homedir);
+        close(dst);
-        fs_logger2("whitelist", cfg.homedir);
+        // check /proc/self/mountinfo to confirm the mount is ok
+        MountData *mptr = get_last_mount();
+        size_t len = strlen(homedir);
+        if (strncmp(mptr->dir, homedir, len) != 0 ||
+                (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
+                errLogExit("invalid private mount");
+        fs_logger3("mount-bind", private_homedir, homedir);
+        fs_logger2("whitelist", homedir);
 // preserve mode and ownership
 //      if (chown(homedir, s.st_uid, s.st_gid) == -1)
 //              errExit("mount-bind chown");
@@ -310,13 +323,13 @@ void fs_private(void) {
        int aflag = store_asoundrc();
        // mask /home
-        if (arg_debug)
-                printf("Mounting a new /home directory\n");
        if (u == 0 && arg_allusers) // allow --allusers when starting the sandbox as root
                ;
        else {
+                if (arg_debug)
+                        printf("Mounting a new /home directory\n");
                if (arg_allusers)
-                        fwarning("--allusers disabled by --private or --whitelist\n");
+                        fwarning("allusers option disabled by private or whitelist option\n");
                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                        errExit("mounting home directory");
                fs_logger("tmpfs /home");
@@ -330,19 +343,24 @@ void fs_private(void) {
        fs_logger("tmpfs /root");
        if (u != 0) {
-                // create /home/user
+                if (strncmp(homedir, "/home/", 6) == 0) {
-                if (arg_debug)
+                        // create /home/user
-                        printf("Create a new user directory\n");
+                        if (arg_debug)
-                if (mkdir(homedir, S_IRWXU) == -1) {
+                                printf("Create a new user directory\n");
-                        if (mkpath_as_root(homedir) == -1)
+                        if (mkdir(homedir, S_IRWXU) == -1) {
-                                errExit("mkpath");
+                                if (mkpath_as_root(homedir) == -1)
-                        if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
+                                        errExit("mkpath");
-                                errExit("mkdir");
+                                if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
+                                        errExit("mkdir");
+                        }
+                        if (chown(homedir, u, g) < 0)
+                                errExit("chown");
+                        fs_logger2("mkdir", homedir);
+                        fs_logger2("tmpfs", homedir);
                }
-                if (chown(homedir, u, g) < 0)
+                else
-                        errExit("chown");
+                        // user directory is outside /home, mask it as well
-                fs_logger2("mkdir", homedir);
+                        fs_tmpfs(homedir, 1);
-                fs_logger2("tmpfs", homedir);
        }
        skel(homedir, u, g);
@@ -464,14 +482,14 @@ static void duplicate(char *name) {
        }
        else if (S_ISDIR(s.st_mode)) {
                // create the directory in RUN_HOME_DIR
-                char *name;
+                char *path;
                char *ptr = strrchr(fname, '/');
                ptr++;
-                if (asprintf(&name, "%s/%s", RUN_HOME_DIR, ptr) == -1)
+                if (asprintf(&path, "%s/%s", RUN_HOME_DIR, ptr) == -1)
                        errExit("asprintf");
-                mkdir_attr(name, 0755, getuid(), getgid());
+                mkdir_attr(path, 0755, getuid(), getgid());
-                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, name);
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, path);
-                free(name);
+                free(path);
        }
        else
                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, RUN_HOME_DIR);
@@ -528,8 +546,20 @@ void fs_private_home_list(void) {
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir);
-        if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        int fd = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                errExit("safe_fd");
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(RUN_HOME_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
+        free(proc);
+        close(fd);
+        // check /proc/self/mountinfo to confirm the mount is ok
+        MountData *mptr = get_last_mount();
+        if (strcmp(mptr->dir, homedir) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
+                errLogExit("invalid private-home mount");
        fs_logger2("tmpfs", homedir);
        if (uid != 0) {
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index bce44b9e5..a950d1124 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -237,11 +237,6 @@ static void whitelist_path(ProfileEntry *entry) {
                return;
        }
-#ifdef TEST_MOUNTINFO
-        printf("TEST_MOUNTINFO\n");
-        path = "/etc/.";
-#endif
        // create path of the mount target if necessary
        int fd2 = mkpath(path, 0755);
        if (fd2 == -1) {
@@ -305,7 +300,10 @@ static void whitelist_path(ProfileEntry *entry) {
        // check the last mount operation
        MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
+#ifdef TEST_MOUNTINFO
+        printf("TEST_MOUNTINFO\n");
+        mptr->dir = "foo";
+#endif
        // confirm the file was mounted on the right target
        // strcmp does not work here, because mptr->dir can be a child mount
        size_t path_len = strlen(path);
@@ -712,8 +710,16 @@ void fs_whitelist(void) {
                if (stat(cfg.homedir, &s) == 0) {
                        // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
                        mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid());
-                        if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                        if (fd == -1)
+                                errExit("safe_fd");
+                        char *proc;
+                        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                                errExit("asprintf");
+                        if (mount(proc, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                                errExit("mount bind");
+                        free(proc);
+                        close(fd);
                        // mount a tmpfs and initialize /home/user, overrides --allusers
                        fs_private();
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 34c6f4044..d00147c74 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -26,7 +26,6 @@
 #include <sys/mount.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
-#include <fcntl.h>
 #include <dirent.h>
 #include <pwd.h>
 #include <errno.h>
@@ -38,6 +37,20 @@
 #include <net/if.h>
 #include <sys/utsname.h>
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+#ifdef __ia64__
+/* clone(2) has a different interface on ia64, as it needs to know
+   the size of the stack */
+int __clone2(int (*fn)(void *),
+             void *child_stack_base, size_t stack_size,
+             int flags, void *arg, ...
+              /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ );
+#endif
 uid_t firejail_uid = 0;
 gid_t firejail_gid = 0;
@@ -233,6 +246,41 @@ static pid_t require_pid(const char *name) {
        return pid;
 }
+// return 1 if there is a link somewhere in path of directory
+static int has_link(const char *dir) {
+        assert(dir);
+        int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1) {
+                if (errno == ENOTDIR && is_dir(dir))
+                        return 1;
+        }
+        else
+                close(fd);
+        return 0;
+}
+static void build_cfg_homedir(const char *dir) {
+        EUID_ASSERT();
+        assert(dir);
+        if (dir[0] != '/') {
+                fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir);
+                exit(1);
+        }
+        // symlinks are rejected in many places, provide a solution for home directories
+        if (checkcfg(CFG_HOMEDIR_SYMLINK)) {
+                cfg.homedir = realpath(dir, NULL);
+                if (cfg.homedir)
+                        return;
+        }
+        else if (has_link(dir)) {
+                fprintf(stderr, "Error: path of user directory contains a symbolic link. "
+                        "Please provide resolved path in password database (/etc/passwd) "
+                        "or enable symbolic link resolution in Firejail configuration file.\n");
+                exit(1);
+        }
+        cfg.homedir = clean_pathname(dir);
+}
 // init configuration
 static void init_cfg(int argc, char **argv) {
        EUID_ASSERT();
@@ -256,15 +304,12 @@ static void init_cfg(int argc, char **argv) {
                errExit("strdup");
        // build home directory name
-        cfg.homedir = NULL;
+        if (pw->pw_dir == NULL) {
-        if (pw->pw_dir != NULL) {
-                cfg.homedir = clean_pathname(pw->pw_dir);
-                assert(cfg.homedir);
-        }
-        else {
                fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
                exit(1);
        }
+        build_cfg_homedir(pw->pw_dir);
+        assert(cfg.homedir);
        cfg.cwd = getcwd(NULL, 0);
        if (!cfg.cwd && errno != ENOENT)
@@ -917,7 +962,6 @@ int main(int argc, char **argv) {
        // check if the user is allowed to use firejail
        init_cfg(argc, argv);
-        assert(cfg.homedir);
        // get starting timestamp, process --quiet
        start_timestamp = getticks();
@@ -2541,10 +2585,18 @@ int main(int argc, char **argv) {
        EUID_ASSERT();
        EUID_ROOT();
+#ifdef __ia64__
+        child = __clone2(sandbox,
+                child_stack,
+                STACK_SIZE,
+                flags,
+                NULL);
+#else
        child = clone(sandbox,
                child_stack + STACK_SIZE,
                flags,
                NULL);
+#endif
        if (child == -1)
                errExit("clone");
        EUID_USER();
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 5c5ace90b..ee2e497cb 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -25,9 +25,13 @@
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
+#include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 #define MAXBUF 1024
 // linked list of users
@@ -79,8 +83,16 @@ static void sanitize_home(void) {
                errExit("mkdir");
        // keep a copy of the user home directory
-        if (mount(cfg.homedir, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+        int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                errExit("safe_fd");
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
+        free(proc);
+        close(fd);
        // mount tmpfs in the new home
        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f91e5ab7c..288726d22 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -268,6 +268,7 @@ static int monitor_application(pid_t app_pid) {
        if (cfg.timeout) {
                options = WNOHANG;
                timeout = cfg.timeout;
+                sleep(1);
        }
        int status = 0;
@@ -302,8 +303,11 @@ static int monitor_application(pid_t app_pid) {
                        // handle --timeout
                        if (options) {
                                if (--timeout == 0)  {
+                                        // SIGTERM might fail if the process ignores it (SIG_IGN)
+                                        // we give it 100ms to close properly and after that we SIGKILL it
                                        kill(-1, SIGTERM);
-                                        sleep(1);
+                                        usleep(100000);
+                                        kill(-1, SIGKILL);
                                        flush_stdin();
                                        _exit(1);
                                }
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 7dca9aa99..a41e32569 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -104,7 +104,7 @@ static struct sock_fprog prog = {
        .filter = filter,
 };
-int sbox_run(unsigned filter, int num, ...) {
+int sbox_run(unsigned filtermask, int num, ...) {
        EUID_ROOT();
        int i;
@@ -129,10 +129,26 @@ int sbox_run(unsigned filter, int num, ...) {
        if (child < 0)
                errExit("fork");
        if (child == 0) {
-                // clean the new process
+                // preserve firejail-specific env vars
+                char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
+                if (cl) {
+                        // duplicate the value, who knows what's going to happen with it in clearenv!
+                        cl = strdup(cl);
+                        if (!cl)
+                                errExit("strdup");
+                }
                clearenv();
+                if (cl) {
+                        if (setenv("FIREJAIL_FILE_COPY_LIMIT", cl, 1) == -1)
+                                errExit("setenv");
+                        free(cl);
+                }
+                if (arg_quiet) // --quiet is passed as an environment variable
+                        setenv("FIREJAIL_QUIET", "yes", 1);
+                if (arg_debug) // --debug is passed as an environment variable
+                        setenv("FIREJAIL_DEBUG", "yes", 1);
-                if (filter & SBOX_STDIN_FROM_FILE) {
+                if (filtermask & SBOX_STDIN_FROM_FILE) {
                        int fd;
                        if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
                                fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);
@@ -141,7 +157,7 @@ int sbox_run(unsigned filter, int num, ...) {
                        dup2(fd,STDIN_FILENO);
                        close(fd);
                }
-                else if ((filter & SBOX_ALLOW_STDIN) == 0) {
+                else if ((filtermask & SBOX_ALLOW_STDIN) == 0) {
                        int fd = open("/dev/null",O_RDWR, 0);
                        if (fd != -1) {
                                dup2(fd, STDIN_FILENO);
@@ -159,17 +175,17 @@ int sbox_run(unsigned filter, int num, ...) {
                umask(027);
                // apply filters
-                if (filter & SBOX_CAPS_NONE) {
+                if (filtermask & SBOX_CAPS_NONE) {
                        caps_drop_all();
                }
-                else if (filter & SBOX_CAPS_NETWORK) {
+                else if (filtermask & SBOX_CAPS_NETWORK) {
 #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
                        uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN;
                        set |=  ((uint64_t) 1) << CAP_NET_RAW;
                        caps_set(set);
 #endif
                }
-                else if (filter & SBOX_CAPS_HIDEPID) {
+                else if (filtermask & SBOX_CAPS_HIDEPID) {
 #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
                        uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE;
                        set |=  ((uint64_t) 1) << CAP_SYS_PACCT;
@@ -177,7 +193,7 @@ int sbox_run(unsigned filter, int num, ...) {
 #endif
                }
-                if (filter & SBOX_SECCOMP) {
+                if (filtermask & SBOX_SECCOMP) {
                        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
                                perror("prctl(NO_NEW_PRIVS)");
                        }
@@ -186,22 +202,16 @@ int sbox_run(unsigned filter, int num, ...) {
                        }
                }
-                if (filter & SBOX_ROOT) {
+                if (filtermask & SBOX_ROOT) {
                        // elevate privileges in order to get grsecurity working
                        if (setreuid(0, 0))
                                errExit("setreuid");
                        if (setregid(0, 0))
                                errExit("setregid");
                }
-                else if (filter & SBOX_USER)
+                else if (filtermask & SBOX_USER)
                        drop_privs(1);
-                clearenv();
-                // --quiet is passed as an environment variable
-                if (arg_quiet)
-                        setenv("FIREJAIL_QUIET", "yes", 1);
                if (arg[0])     // get rid of scan-build warning
                        execvp(arg[0], arg);
                else
diff --git a/src/firejail/util.c b/src/firejail/util.c
index fff0bbf2f..918077235 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -50,7 +50,7 @@ void errLogExit(char* fmt, ...) {
        char *msg1;
        char *msg2  = "Access error";
        if (vasprintf(&msg1, fmt, args) != -1 &&
-            asprintf(&msg2, "Access error: pid %d, last mount name:%s dir:%s type:%s - %s", getuid(), m->fsname, m->dir, m->fstype, msg1) != -1)
+            asprintf(&msg2, "Access error: uid %d, last mount name:%s dir:%s type:%s - %s", getuid(), m->fsname, m->dir, m->fstype, msg1) != -1)
                syslog(LOG_CRIT, "%s", msg2);
        va_end(args);
        closelog();
@@ -487,7 +487,6 @@ char *line_remove_spaces(const char *buf) {
        size_t len = strlen(buf);
        if (len == 0)
                return NULL;
-        assert(len + 1 != 0 && buf[len] == '\0');
        // allocate memory for the new string
        char *rv = malloc(len + 1);
@@ -554,15 +553,13 @@ char *split_comma(char *str) {
 char *clean_pathname(const char *path) {
        assert(path);
        size_t len = strlen(path);
-        assert(len + 1 != 0 && path[len] == '\0');
        char *rv = malloc(len + 1);
        if (!rv)
                errExit("malloc");
        if (len > 0) {
-                size_t i, j, cnt;
+                size_t i = 0, j = 0, cnt = 0;
-                for (i = 0, j = 0, cnt = 0; i < len; i++) {
+                for (; i < len; i++) {
                        if (path[i] == '/')
                                cnt++;
                        else
@@ -1142,56 +1139,47 @@ void disable_file_path(const char *path, const char *file) {
        free(fname);
 }
-// The returned file descriptor should be suitable for privileged operations on
+// open file without following any symbolic link
-// user controlled paths
+// returns a file descriptor on success, or -1 if a symlink is found
 int safe_fd(const char *path, int flags) {
        assert(path);
-        // reject empty string, relative path
        if (*path != '/')
                goto errexit;
-        // reject ".."
        if (strstr(path, ".."))
                goto errexit;
-        char *p = strrchr(path, '/');
-        assert(p);
-        // reject trailing slash, root directory
-        if (*(p + 1) == '\0')
-                goto errexit;
-        // reject trailing dot
-        if (*(p + 1) == '.' && *(p + 2) == '\0')
-                goto errexit;
-        // work with a copy of path
-        char *dup = strdup(path);
-        if (!dup)
-                errExit("strdup");
        int parentfd = open("/", O_PATH|O_DIRECTORY|O_CLOEXEC);
        if (parentfd == -1)
                errExit("open");
-        // traverse the path and return -1 if a symlink is encountered
        int fd = -1;
-        char *current_tok = EMPTY_STRING;
+        char *last_tok = EMPTY_STRING;
+        char *dup = strdup(path);
+        if (!dup)
+                errExit("strdup");
        char *tok = strtok(dup, "/");
-        assert(tok);
+        if (!tok) { // root directory
+                free(dup);
+                return parentfd;
+        }
        while (tok) {
                // open the element, assuming it is a directory; this fails with ENOTDIR if it is a symbolic link
+                // if token is a single dot, the previous directory is reopened
                fd = openat(parentfd, tok, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                if (fd == -1) {
                        // if the following token is NULL, the current token is the final path element
                        // try again to open it, this time using the passed flags, and return -1 or the descriptor
-                        current_tok = tok;
+                        last_tok = tok;
                        tok = strtok(NULL, "/");
                        if (!tok)
-                                fd = openat(parentfd, current_tok, flags|O_NOFOLLOW);
+                                fd = openat(parentfd, last_tok, flags|O_NOFOLLOW);
                        close(parentfd);
                        free(dup);
                        return fd; // -1 if open failed
                }
                // move on to next path segment
-                current_tok = tok;
+                last_tok = tok;
                tok = strtok(NULL, "/");
                if (tok) {
                        close(parentfd);
@@ -1202,13 +1190,13 @@ int safe_fd(const char *path, int flags) {
        // we are here because the last path element exists and is of file type directory
        // reopen it using the passed flags
        close(fd);
-        fd = openat(parentfd, current_tok, flags|O_NOFOLLOW);
+        fd = openat(parentfd, last_tok, flags|O_NOFOLLOW);
        close(parentfd);
        free(dup);
        return fd; // -1 if open failed
 errexit:
-        fprintf(stderr, "Error: cannot open \"%s\", invalid filename\n", path);
+        fprintf(stderr, "Error: cannot open \"%s\": invalid path\n", path);
        exit(1);
 }
diff --git a/src/lib/pid.c b/src/lib/pid.c
index c4235ede3..04bc8d132 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -329,10 +329,9 @@ void pid_read(pid_t mon_pid) {
                }
        }
-        pid_t child = -1;
        struct dirent *entry;
        char *end;
-        while (child < 0 && (entry = readdir(dir))) {
+        while ((entry = readdir(dir))) {
                pid_t pid = strtol(entry->d_name, &end, 10);
                pid %= max_pids;
                if (end == entry->d_name || *end)
diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
index 3983510ec..b2f64f18e 100644
--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -40,9 +40,7 @@ static void load_seccomp(void) {
                return;
        }
        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
-        struct sock_filter *filter = MAP_FAILED;
+        struct sock_filter *filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
-        if (size != 0)
-                filter = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
        close(fd);
        if (filter == MAP_FAILED) {
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 397761c74..60fdb5470 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -41,54 +41,45 @@ typedef FILE *(*orig_fopen64_t)(const char *pathname, const char *mode);
 static orig_fopen64_t orig_fopen64 = NULL;
 //
-// pid
+// library constructor/destructor
 //
+static FILE *ftty = NULL;
 static pid_t mypid = 0;
-static inline pid_t pid(void) {
-        if (!mypid)
-                mypid = getpid();
-        return mypid;
-}
-//
-// process name
-//
 #define MAXNAME 16
-static char myname[MAXNAME];
+static char myname[MAXNAME] = {'\0', };
-static int nameinit = 0;
-static char *name(void) {
+static void init(void) __attribute__((constructor));
-        if (!nameinit) {
+void init(void) {
-                // initialize the name of the process based on /proc/PID/comm
+        orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
-                memset(myname, 0, MAXNAME);
+        // tty
-                pid_t p = pid();
+        ftty = orig_fopen("/dev/tty", "w");
-                char *fname;
-                if (asprintf(&fname, "/proc/%u/comm", p) == -1)
+        // pid
-                        return "unknown";
+        mypid = getpid();
-                // read file
+        // process name
-                if (!orig_fopen)
+        char *fname;
-                        orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
+        if (asprintf(&fname, "/proc/%u/comm", mypid) == -1)
-                FILE *fp  = orig_fopen(fname, "r");
+                strncpy(myname, "unknown", MAXNAME-1);
-                if (!fp)
-                        return "unknown";
+        // read file
-                if (fgets(myname, MAXNAME, fp) == NULL) {
+        FILE *fp = orig_fopen(fname, "r");
-                        fclose(fp);
+        if (!fp || fgets(myname, MAXNAME, fp) == NULL)
-                        free(fname);
+                strncpy(myname, "unknown", MAXNAME-1);
-                        return "unknown";
-                }
+        // clean '\n'
+        char *ptr = strchr(myname, '\n');
-                // clean '\n'
+        if (ptr)
-                char *ptr = strchr(myname, '\n');
+                *ptr = '\0';
-                if (ptr)
-                        *ptr = '\0';
+        fclose(fp);
+        free(fname);
-                fclose(fp);
+}
-                free(fname);
-                nameinit = 1;
-        }
-        return myname;
+static void fini(void) __attribute__((destructor));
+void fini(void) {
+        fclose(ftty);
 }
 //
@@ -235,23 +226,23 @@ static char *translate(XTable *table, int val) {
 static void print_sockaddr(int sockfd, const char *call, const struct sockaddr *addr, int rv) {
        if (addr->sa_family == AF_INET) {
                struct sockaddr_in *a = (struct sockaddr_in *) addr;
-                printf("%u:%s:%s %d %s port %u:%d\n", pid(), name(), call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv);
+                fprintf(ftty, "%u:%s:%s %d %s port %u:%d\n", mypid, myname, call, sockfd, inet_ntoa(a->sin_addr), ntohs(a->sin_port), rv);
        }
        else if (addr->sa_family == AF_INET6) {
                struct sockaddr_in6 *a = (struct sockaddr_in6 *) addr;
                char str[INET6_ADDRSTRLEN];
                inet_ntop(AF_INET6, &(a->sin6_addr), str, INET6_ADDRSTRLEN);
-                printf("%u:%s:%s %d %s:%d\n", pid(), name(), call, sockfd, str, rv);
+                fprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, str, rv);
        }
        else if (addr->sa_family == AF_UNIX) {
                struct sockaddr_un *a = (struct sockaddr_un *) addr;
                if (a->sun_path[0])
-                        printf("%u:%s:%s %d %s:%d\n", pid(), name(), call, sockfd, a->sun_path, rv);
+                        fprintf(ftty, "%u:%s:%s %d %s:%d\n", mypid, myname, call, sockfd, a->sun_path, rv);
                else
-                        printf("%u:%s:%s %d @%s:%d\n", pid(), name(), call, sockfd, a->sun_path + 1, rv);
+                        fprintf(ftty, "%u:%s:%s %d @%s:%d\n", mypid, myname, call, sockfd, a->sun_path + 1, rv);
        }
        else {
-                printf("%u:%s:%s %d family %d:%d\n", pid(), name(), call, sockfd, addr->sa_family, rv);
+                fprintf(ftty, "%u:%s:%s %d family %d:%d\n", mypid, myname, call, sockfd, addr->sa_family, rv);
        }
 }
@@ -267,7 +258,7 @@ int open(const char *pathname, int flags, mode_t mode) {
                orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open");
        int rv = orig_open(pathname, flags, mode);
-        printf("%u:%s:open %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:open %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -278,7 +269,7 @@ int open64(const char *pathname, int flags, mode_t mode) {
                orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64");
        int rv = orig_open64(pathname, flags, mode);
-        printf("%u:%s:open64 %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:open64 %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -290,7 +281,7 @@ int openat(int dirfd, const char *pathname, int flags, mode_t mode) {
                orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat");
        int rv = orig_openat(dirfd, pathname, flags, mode);
-        printf("%u:%s:openat %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:openat %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -301,7 +292,7 @@ int openat64(int dirfd, const char *pathname, int flags, mode_t mode) {
                orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64");
        int rv = orig_openat64(dirfd, pathname, flags, mode);
-        printf("%u:%s:openat64 %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:openat64 %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -312,7 +303,7 @@ FILE *fopen(const char *pathname, const char *mode) {
                orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
        FILE *rv = orig_fopen(pathname, mode);
-        printf("%u:%s:fopen %s:%p\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:fopen %s:%p\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -322,7 +313,7 @@ FILE *fopen64(const char *pathname, const char *mode) {
                orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64");
        FILE *rv = orig_fopen64(pathname, mode);
-        printf("%u:%s:fopen64 %s:%p\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:fopen64 %s:%p\n", mypid, myname, pathname, rv);
        return rv;
 }
 #endif /* __GLIBC__ */
@@ -336,7 +327,7 @@ FILE *freopen(const char *pathname, const char *mode, FILE *stream) {
                orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen");
        FILE *rv = orig_freopen(pathname, mode, stream);
-        printf("%u:%s:freopen %s:%p\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:freopen %s:%p\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -348,7 +339,7 @@ FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
                orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64");
        FILE *rv = orig_freopen64(pathname, mode, stream);
-        printf("%u:%s:freopen64 %s:%p\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:freopen64 %s:%p\n", mypid, myname, pathname, rv);
        return rv;
 }
 #endif /* __GLIBC__ */
@@ -361,7 +352,7 @@ int unlink(const char *pathname) {
                orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink");
        int rv = orig_unlink(pathname);
-        printf("%u:%s:unlink %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:unlink %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -372,7 +363,7 @@ int unlinkat(int dirfd, const char *pathname, int flags) {
                orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat");
        int rv = orig_unlinkat(dirfd, pathname, flags);
-        printf("%u:%s:unlinkat %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:unlinkat %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -384,7 +375,7 @@ int mkdir(const char *pathname, mode_t mode) {
                orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir");
        int rv = orig_mkdir(pathname, mode);
-        printf("%u:%s:mkdir %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:mkdir %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -395,7 +386,7 @@ int mkdirat(int dirfd, const char *pathname, mode_t mode) {
                orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat");
        int rv = orig_mkdirat(dirfd, pathname, mode);
-        printf("%u:%s:mkdirat %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:mkdirat %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -406,56 +397,56 @@ int rmdir(const char *pathname) {
                orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir");
        int rv = orig_rmdir(pathname);
-        printf("%u:%s:rmdir %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:rmdir %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
 // stat
-typedef int (*orig_stat_t)(const char *pathname, struct stat *buf);
+typedef int (*orig_stat_t)(const char *pathname, struct stat *statbuf);
 static orig_stat_t orig_stat = NULL;
-int stat(const char *pathname, struct stat *buf) {
+int stat(const char *pathname, struct stat *statbuf) {
        if (!orig_stat)
                orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat");
-        int rv = orig_stat(pathname, buf);
+        int rv = orig_stat(pathname, statbuf);
-        printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:stat %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
 #ifdef __GLIBC__
-typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf);
+typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *statbuf);
 static orig_stat64_t orig_stat64 = NULL;
-int stat64(const char *pathname, struct stat64 *buf) {
+int stat64(const char *pathname, struct stat64 *statbuf) {
        if (!orig_stat64)
                orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
-        int rv = orig_stat64(pathname, buf);
+        int rv = orig_stat64(pathname, statbuf);
-        printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
 #endif /* __GLIBC__ */
 // lstat
-typedef int (*orig_lstat_t)(const char *pathname, struct stat *buf);
+typedef int (*orig_lstat_t)(const char *pathname, struct stat *statbuf);
 static orig_lstat_t orig_lstat = NULL;
-int lstat(const char *pathname, struct stat *buf) {
+int lstat(const char *pathname, struct stat *statbuf) {
        if (!orig_lstat)
                orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat");
-        int rv = orig_lstat(pathname, buf);
+        int rv = orig_lstat(pathname, statbuf);
-        printf("%u:%s:lstat %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:lstat %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
 #ifdef __GLIBC__
-typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *buf);
+typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *statbuf);
 static orig_lstat64_t orig_lstat64 = NULL;
-int lstat64(const char *pathname, struct stat64 *buf) {
+int lstat64(const char *pathname, struct stat64 *statbuf) {
        if (!orig_lstat64)
                orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
-        int rv = orig_lstat64(pathname, buf);
+        int rv = orig_lstat64(pathname, statbuf);
-        printf("%u:%s:lstat64 %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
 #endif /* __GLIBC__ */
@@ -468,7 +459,7 @@ DIR *opendir(const char *pathname) {
                orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir");
        DIR *rv = orig_opendir(pathname);
-        printf("%u:%s:opendir %s:%p\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:opendir %s:%p\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -480,7 +471,7 @@ int access(const char *pathname, int mode) {
                orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
        int rv = orig_access(pathname, mode);
-        printf("%u:%s:access %s:%d\n", pid(), name(), pathname, rv);
+        fprintf(ftty, "%u:%s:access %s:%d\n", mypid, myname, pathname, rv);
        return rv;
 }
@@ -501,14 +492,14 @@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
 // socket
 typedef int (*orig_socket_t)(int domain, int type, int protocol);
 static orig_socket_t orig_socket = NULL;
-static char buf[1024];
+static char socketbuf[1024];
 int socket(int domain, int type, int protocol) {
        if (!orig_socket)
                orig_socket = (orig_socket_t)dlsym(RTLD_NEXT, "socket");
        int rv = orig_socket(domain, type, protocol);
-        char *ptr = buf;
+        char *ptr = socketbuf;
-        ptr += sprintf(ptr, "%u:%s:socket ", pid(), name());
+        ptr += sprintf(ptr, "%u:%s:socket ", mypid, myname);
        char *str = translate(socket_domain, domain);
        if (str == NULL)
                ptr += sprintf(ptr, "%d ", domain);
@@ -538,7 +529,7 @@ int socket(int domain, int type, int protocol) {
                        sprintf(ptr, "%s", str);
        }
-        printf("%s:%d\n", buf, rv);
+        fprintf(ftty, "%s:%d\n", socketbuf, rv);
        return rv;
 }
@@ -576,7 +567,7 @@ int system(const char *command) {
                orig_system = (orig_system_t)dlsym(RTLD_NEXT, "system");
        int rv = orig_system(command);
-        printf("%u:%s:system %s:%d\n", pid(), name(), command, rv);
+        fprintf(ftty, "%u:%s:system %s:%d\n", mypid, myname, command, rv);
        return rv;
 }
@@ -588,7 +579,7 @@ int setuid(uid_t uid) {
                orig_setuid = (orig_setuid_t)dlsym(RTLD_NEXT, "setuid");
        int rv = orig_setuid(uid);
-        printf("%u:%s:setuid %d:%d\n", pid(), name(), uid, rv);
+        fprintf(ftty, "%u:%s:setuid %d:%d\n", mypid, myname, uid, rv);
        return rv;
 }
@@ -600,7 +591,7 @@ int setgid(gid_t gid) {
                orig_setgid = (orig_setgid_t)dlsym(RTLD_NEXT, "setgid");
        int rv = orig_setgid(gid);
-        printf("%u:%s:setgid %d:%d\n", pid(), name(), gid, rv);
+        fprintf(ftty, "%u:%s:setgid %d:%d\n", mypid, myname, gid, rv);
        return rv;
 }
@@ -612,7 +603,7 @@ int setfsuid(uid_t uid) {
                orig_setfsuid = (orig_setfsuid_t)dlsym(RTLD_NEXT, "setfsuid");
        int rv = orig_setfsuid(uid);
-        printf("%u:%s:setfsuid %d:%d\n", pid(), name(), uid, rv);
+        fprintf(ftty, "%u:%s:setfsuid %d:%d\n", mypid, myname, uid, rv);
        return rv;
 }
@@ -624,7 +615,7 @@ int setfsgid(gid_t gid) {
                orig_setfsgid = (orig_setfsgid_t)dlsym(RTLD_NEXT, "setfsgid");
        int rv = orig_setfsgid(gid);
-        printf("%u:%s:setfsgid %d:%d\n", pid(), name(), gid, rv);
+        fprintf(ftty, "%u:%s:setfsgid %d:%d\n", mypid, myname, gid, rv);
        return rv;
 }
@@ -636,7 +627,7 @@ int setreuid(uid_t ruid, uid_t euid) {
                orig_setreuid = (orig_setreuid_t)dlsym(RTLD_NEXT, "setreuid");
        int rv = orig_setreuid(ruid, euid);
-        printf("%u:%s:setreuid %d %d:%d\n", pid(), name(), ruid, euid, rv);
+        fprintf(ftty, "%u:%s:setreuid %d %d:%d\n", mypid, myname, ruid, euid, rv);
        return rv;
 }
@@ -648,7 +639,7 @@ int setregid(gid_t rgid, gid_t egid) {
                orig_setregid = (orig_setregid_t)dlsym(RTLD_NEXT, "setregid");
        int rv = orig_setregid(rgid, egid);
-        printf("%u:%s:setregid %d %d:%d\n", pid(), name(), rgid, egid, rv);
+        fprintf(ftty, "%u:%s:setregid %d %d:%d\n", mypid, myname, rgid, egid, rv);
        return rv;
 }
@@ -660,7 +651,7 @@ int setresuid(uid_t ruid, uid_t euid, uid_t suid) {
                orig_setresuid = (orig_setresuid_t)dlsym(RTLD_NEXT, "setresuid");
        int rv = orig_setresuid(ruid, euid, suid);
-        printf("%u:%s:setresuid %d %d %d:%d\n", pid(), name(), ruid, euid, suid, rv);
+        fprintf(ftty, "%u:%s:setresuid %d %d %d:%d\n", mypid, myname, ruid, euid, suid, rv);
        return rv;
 }
@@ -672,7 +663,7 @@ int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
                orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid");
        int rv = orig_setresgid(rgid, egid, sgid);
-        printf("%u:%s:setresgid %d %d %d:%d\n", pid(), name(), rgid, egid, sgid, rv);
+        fprintf(ftty, "%u:%s:setresgid %d %d %d:%d\n", mypid, myname, rgid, egid, sgid, rv);
        return rv;
 }
@@ -687,6 +678,6 @@ static void log_exec(int argc, char** argv) {
        int rv = readlink("/proc/self/exe", buf, PATH_MAX);
        if (rv != -1) {
                buf[rv] = '\0'; // readlink does not add a '\0' at the end
-                printf("%u:%s:exec %s:0\n", pid(), name(), buf);
+                fprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
        }
 }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 201339c8b..951618669 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -8,6 +8,12 @@ Start a sandbox:
 firejail [OPTIONS] [program and arguments]
 .RE
 .PP
+Start an AppImage program:
+.PP
+.RS
+firejail [OPTIONS] --appimage [appimage-file and arguments]
+.RE
+.PP
 File transfer from an existing sandbox
 .PP
 .RS