93 files changed, 1207 insertions, 331 deletions

diff --git a/Makefile.in b/Makefile.in
index 9574c74bc..dbf53e2cb 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -141,7 +141,7 @@ uninstall:
         rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
         
 DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
-DISTFILES_TEST = "test/apps test/apps-x11 test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils"
+DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils"
 
 dist:
         mv config.status config.status.old
diff --git a/README b/README
index 46c314a64..cbd15f02a 100644
--- a/README
+++ b/README
@@ -47,6 +47,7 @@ Aleksey Manevich (https://github.com/manevich)
         - added --join-or-start command
         - CVE-2016-7545
 Fred-Barclay (https://github.com/Fred-Barclay)
+        - lots of profile fixes
         - added Vivaldi, Atril profiles
         - added PaleMoon profile
         - split Icedove and Thunderbird profiles
@@ -69,7 +70,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
         - added audacity profile
         - fixed Telegram and qtox profiles
         - added Atom Beta and Atom profiles
-        - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles.
+        - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles
         - several private-bin conversions
         - added jitsi profile
         - pidgin private-bin conversion
@@ -77,6 +78,16 @@ Fred-Barclay (https://github.com/Fred-Barclay)
         - added gnome-chess profile
         - added DOSBox profile
         - evince profile enhancement
+        - tightened Spotify profile
+        - added xiphos and Tor Browser Bundle profiles
+valoq (https://github.com/valoq)
+        - LibreOffice profile fixes
+        - cherrytree profile fixes
+        - added support for /srv in --whitelist feature
+        - Eye of GNOME and Evolution profiles
+        - blacklist suid binaries in disable-common.inc
+Rafael Cavalcanti (https://github.com/rccavalcanti)
+        - chromium profile fixes for Arch Linux
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
         - added xpdf profile
 vismir2 (https://github.com/vismir2)
@@ -84,9 +95,6 @@ vismir2 (https://github.com/vismir2)
 Dara Adib (https://github.com/daradib)
         - ssh profile fix
         - evince profile fix
-valoq (https://github.com/valoq)
-        - LibreOffice profile fixes
-        - cherrytree profile fixes
 vismir2 (https://github.com/vismir2)
         - feh, ranger, 7z, keepass, keepassx and zathura profiles
         - lots of profile fixes
diff --git a/README.md b/README.md
index 1038e1ef8..ff1b2e8ba 100644
--- a/README.md
+++ b/README.md
@@ -42,76 +42,15 @@ If you keep your Firejail profiles in a public repository, please give us a link
 * https://github.com/chiraag-nataraj/firejail-profiles
 
 * https://github.com/triceratops1/fe
-`````
 
+Use this issue to request new profiles: https://github.com/netblue30/firejail/issues/825
 `````
-# Current development version: 0.9.43
 
-## X11 development
-`````
-       --x11=none
-              Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and  the
-              file  specified  in  ${XAUTHORITY} environment variable.  Remove
-              DISPLAY and XAUTHORITY environment variables.  Stop  with  error
-              message if X11 abstract socket will be accessible in jail.
-
-      --x11=xorg
-              Sandbox the application using the untrusted mode implemented  by
-              X11  security  extension.   The  extension  is available in Xorg
-              package and it is installed by default on most  Linux  distribu‐
-              tions.  It  provides support for a simple trusted/untrusted con‐
-              nection model. Untrusted clients are restricted in certain  ways
-              to  prevent  them from reading window contents of other clients,
-              stealing input events, etc.
-
-              The untrusted mode has several limitations.  A  lot  of  regular
-              programs   assume  they are a trusted X11 clients and will crash
-              or lock up when run in  untrusted  mode.  Chromium  browser  and
-              xterm are two examples.  Firefox and transmission-gtk seem to be
-              working fine.  A network namespace  is  not  required  for  this
-              option.
-
-              Example:
-              $ firejail --x11=xorg firefox
 `````
-
-## Other command line options
+# Current development version: 0.9.45
 `````
-      --put=name|pid src-filename dest-filename
-              Put src-filename in sandbox container.  The container is specified by name or PID.
-
-       --allusers
-              All user home directories are visible inside the sandbox. By default, only current user home
-              directory is visible.
-
-              Example:
-              $ firejail --allusers
-
-       --join-or-start=name
-              Join the sandbox identified by name or start a new one.  Same as "firejail  --join=name"  if
-              sandbox with specified name exists, otherwise same as "firejail --name=name ..."
-              Note that in contrary to other join options there is respective profile option.
-
-      --no3d Disable 3D hardware acceleration.
-
-              Example:
-              $ firejail --no3d firefox
-
-      --veth-name=name
-              Use this name for the interface  connected  to  the  bridge  for
-              --net=bridge_interface commands, instead of the default one.
-
-              Example:
-              $ firejail --net=br0 --veth-name=if0
 
 `````
-
-## New profile commands
-
-x11 xpra, x11 xephyr, x11 none, x11 xorg, allusers, join-or-start
-
-## New profiles
-
-qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape, feh, ranger, zathura, 7z, keepass, keepassx,
-claws-mail, mutt, git, emacs, vim, xpdf
+## New Profiles
+xiphos, Tor Browser Bundle
 
diff --git a/RELNOTES b/RELNOTES
index 4c191fc82..c0fb8b20b 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,9 +1,15 @@
-firejail (0.9.43) baseline; urgency=low
+firejail (0.9.45) baseline; urgency=low
+  * development version, work in progress
+ -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
+  * new profiles: xiphos, Tor Browser Bundle
+
+firejail (0.9.44) baseline; urgency=low
   * CVE-2016-7545 submitted by Aleksey Manevich
-  * development version
   * modifs: removed man firejail-config
   * modifs: --private-tmp whitelists /tmp/.X11-unix directory
   * modifs: Nvidia drivers added to --private-dev
+  * modifs: /srv supported by --whitelist
+  * feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
   * feature: support starting/joining sandbox is a single command
     (--join-or-start)
   * feature: X11 detection support for --audit
@@ -15,11 +21,15 @@ firejail (0.9.43) baseline; urgency=low
   * feature: X11 security extension (--x11=xorg)
   * feature: disable 3D hardware acceleration (--no3d)
   * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
+  * feature: move files in sandbox (--put)
+  * feature: accept wildcard patterns in user  name field of restricted
+    shell login feature
   * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
   * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
-  * new profiles: claws-mail, mutt, git, emacs, vim, xpdf
+  * new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
+  * new profiles: Flowblade, Eye of GNOME (eog), Evolution
   * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Fri, 9 Sept 2016 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Fri, 21 Oct 2016 08:00:00 -0500
 
 firejail (0.9.42) baseline; urgency=low
   * security: --whitelist deleted files, submitted by Vasya Novikov
diff --git a/configure b/configure
index 48b891c40..a470dffba 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.44~rc1.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.45.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.44~rc1'
-PACKAGE_STRING='firejail 0.9.44~rc1'
+PACKAGE_VERSION='0.9.45'
+PACKAGE_STRING='firejail 0.9.45'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -1259,7 +1259,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.44~rc1 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.45 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1320,7 +1320,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.44~rc1:";;
+     short | recursive ) echo "Configuration of firejail 0.9.45:";;
    esac
   cat <<\_ACEOF
 
@@ -1424,7 +1424,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.44~rc1
+firejail configure 0.9.45
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1726,7 +1726,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.44~rc1, which was
+It was created by firejail $as_me 0.9.45, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4303,7 +4303,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.44~rc1, which was
+This file was extended by firejail $as_me 0.9.45, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4357,7 +4357,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.44~rc1
+firejail config.status 0.9.45
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 108b558d4..95947a8e3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.44~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.45, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
index 9a8d93875..fa0b316bb 100644
--- a/etc/atom-beta.profile
+++ b/etc/atom-beta.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6,netlink
diff --git a/etc/atom.profile b/etc/atom.profile
index 3cb86847e..61930d5c1 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6,netlink
diff --git a/etc/atril.profile b/etc/atril.profile
index d9e10b072..fbcca0c1b 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-nonewprivs
 nogroups
+nonewprivs
 noroot
 nosound
 protocol unix
diff --git a/etc/audacity.profile b/etc/audacity.profile
index be3fac9be..827fa4301 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 protocol unix
 seccomp
diff --git a/etc/aweather.profile b/etc/aweather.profile
index 4e5c36f50..fa8654f1e 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -11,8 +11,8 @@ whitelist ~/.config/aweather
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index ec6d0d69d..139dec8ec 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -9,11 +9,10 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 nosound
 seccomp
 protocol unix,inet,inet6,netlink
 tracelog
-
-
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 0d383aebf..4109af9a4 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -25,4 +25,7 @@ whitelist ~/keepassx.kdbx
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 
+# specific to Arch
+whitelist ~/.config/chromium-flags.conf
+
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 19a23d764..82398473d 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -137,6 +137,11 @@ blacklist /etc/gshadow+
 blacklist /etc/ssh
 blacklist /var/backup
 
+# system directories    
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
 # system management
 # blacklist ${PATH}/umount
 # blacklist ${PATH}/mount
@@ -149,11 +154,22 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/strace
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
-
-# system directories    
-blacklist /sbin
-blacklist /usr/sbin
-blacklist /usr/local/sbin
+blacklist ${PATH}/gpasswd
+blacklist ${PATH}/newgidmap
+blacklist ${PATH}/newgrp
+blacklist ${PATH}/newuidmap
+blacklist ${PATH}/pkexec
+blacklist ${PATH}/sg
+blacklist ${PATH}/rsh
+blacklist ${PATH}/rlogin
+blacklist ${PATH}/rcp
+blacklist ${PATH}/crontab
+blacklist ${PATH}/ksu
+blacklist ${PATH}/chsh
+blacklist ${PATH}/chfn
+blacklist ${PATH}/chage
+blacklist ${PATH}/expiry
+blacklist ${PATH}/unix_chkpwd
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
@@ -173,28 +189,6 @@ blacklist ${PATH}/terminix
 blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
 
-# disable common suid programms
-blacklist ${PATH}/firejail
-blacklist ${PATH}/sudo
-blacklist ${PATH}/su
-blacklist ${PATH}/mount
-blacklist ${PATH}/umount
-blacklist ${PATH}/fusermount
-blacklist ${PATH}/passwd
-blacklist ${PATH}/gpasswd
-blacklist ${PATH}/newgidmap
-blacklist ${PATH}/newgrp
-blacklist ${PATH}/newuidmap
-blacklist ${PATH}/pkexec
-blacklist ${PATH}/sg
-blacklist ${PATH}/rsh
-blacklist ${PATH}/rlogin
-blacklist ${PATH}/rcp
-blacklist ${PATH}/crontab
-blacklist ${PATH}/ksu
-blacklist ${PATH}/chsh
-blacklist ${PATH}/chfn
-blacklist ${PATH}/chage
-blacklist ${PATH}/expiry
-blacklist ${PATH}/ping
-blacklist ${PATH}/unix_chkpwd
+# kernel files
+blacklist /vmlinuz*
+blacklist /initrd*
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 971857710..2ac367f37 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -20,7 +20,7 @@ blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
 # clang/llvm
 blacklist /usr/bin/clang*
 blacklist /usr/bin/llvm*
-blacklist /usb/bin/lldb*
+blacklist /usr/bin/lldb*
 blacklist /usr/lib/llvm*
 
 # tcc - Tiny C Compiler
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 369e4813c..6e22fe04d 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -7,6 +7,8 @@ blacklist ${HOME}/.wine
 blacklist ${HOME}/.Mathematica
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.stellarium
+blacklist ${HOME}/.sword
+blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/mupen64plus
@@ -35,6 +37,11 @@ blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/cherrytree
 blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.openshot
+blacklist ${HOME}/.openshot_qt
+blacklist ${HOME}/.flowblade
+blacklist ${HOME}/.config/flowblade
+blacklist ${HOME}/.config/eog
 
 
 # Media players
@@ -72,8 +79,12 @@ blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt
 blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.config/evolution
+blacklist ${HOME}/.local/share/evolution
+blacklist ${HOME}/.cache/evolution
 
 # Instant Messaging
 blacklist ${HOME}/.config/hexchat
diff --git a/etc/eog.profile b/etc/eog.profile
index 32b54a042..7eb7fd127 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -9,9 +9,9 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-nogroups
 protocol unix
 seccomp
 shell none
@@ -20,4 +20,3 @@ private-bin eog
 private-dev
 private-etc fonts
 private-tmp
-
diff --git a/etc/evolution.profile b/etc/evolution.profile
index cf581643d..d097c0f34 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -14,9 +14,9 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-nogroups
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/feh.profile b/etc/feh.profile
index 5fcb6bf25..e3b1ec528 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -5,14 +5,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix
 netfilter
 net none
+nogroups
 nonewprivs
 noroot
-nogroups
 nosound
+protocol unix
+seccomp
 shell none
 
 private-bin feh
diff --git a/etc/file.profile b/etc/file.profile
index 2e54030b1..199a97fad 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,16 +1,17 @@
 # file profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
-tracelog
+blacklist /tmp/.X11-unix
+
+hostname file
 net none
+no3d
+nosound
+quiet
 shell none
+tracelog
+
+private-dev
 private-bin file
 private-etc magic.mgc,magic,localtime
-hostname file
-private-dev
-nosound
-no3d
-blacklist /tmp/.X11-unix
-
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 551c17a78..fe1d9d20d 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -13,10 +13,9 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-
 shell none
+
 private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
-whitelist /tmp/.X11-unix
 private-dev
-nosound
 
+whitelist /tmp/.X11-unix
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
new file mode 100644
index 000000000..12afdb0aa
--- /dev/null
+++ b/etc/flowblade.profile
@@ -0,0 +1,13 @@
+# FlowBlade profile
+noblacklist ${HOME}/.flowblade
+noblacklist ${HOME}/.config/flowblade
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/franz.profile b/etc/franz.profile
index 3cb7942ab..0b3be551b 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 
 caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
 netfilter
-#tracelog
 nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
+#tracelog
 
 whitelist ${DOWNLOADS}
 mkdir ~/.config/Franz
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 04902a734..809378ef9 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -22,8 +22,8 @@ include /etc/firejail/disable-devel.inc
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 23361b771..cb441fc9d 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
+nosound
 protocol unix
 seccomp
-private-dev
-private-tmp
+
 noexec ${HOME}
 noexec /tmp
-nogroups
-nosound
+
+private-dev
+private-tmp
diff --git a/etc/git.profile b/etc/git.profile
index 2fb55377d..73122d347 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -12,15 +12,15 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-quiet
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-nogroups
 nosound
 protocol unix,inet,inet6
+quiet
 seccomp
 shell none
 
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index 353ecceae..801304c18 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -6,13 +6,12 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 # Whitelist
-mkdir ~/.config/Gpredict
 whitelist ~/.config/Gpredict
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
@@ -21,5 +20,6 @@ shell none
 tracelog
 
 private-bin gpredict
+private-etc fonts,resolv.conf
 private-dev
 private-tmp
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 67f10c4e1..c866c9e63 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -7,14 +7,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+nogroups
 nonewprivs
 noroot
-nogroups
-private-dev
 protocol unix
 seccomp
 nosound
 
+private-dev
+
 #Experimental:
 #shell none
 #private-bin gwenview
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 5e73969c4..d51b9a951 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -1,12 +1,14 @@
 # gzip profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
-tracelog
-net none
-shell none
+
 blacklist /tmp/.X11-unix
-private-dev
-nosound
+
+net none
 no3d
+nosound
+quiet
+shell none
+tracelog
 
+private-dev
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index cf885fba2..a0e86b6c9 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -6,13 +6,15 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
+nosound
 protocol unix
 seccomp
-private-dev
-private-tmp
+
 noexec ${HOME}
 noexec /tmp
-nogroups
-nosound
+
+private-dev
+private-tmp
diff --git a/etc/jitsi.profile b/etc/jitsi.profile
index c61158f8b..046499abe 100644
--- a/etc/jitsi.profile
+++ b/etc/jitsi.profile
@@ -6,8 +6,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-nonewprivs
 nogroups
+nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 8c8fd18c4..bc21ba604 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/less.profile b/etc/less.profile
index 6dfae027e..08758aead 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -2,8 +2,10 @@
 quiet
 ignore noroot
 include /etc/firejail/default.profile
-tracelog
+
 net none
+nosound
 shell none
+tracelog
+
 private-dev
-nosound
diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile
index 6e059ea52..76e864e0c 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/luminance-hdr.profile
@@ -5,17 +5,19 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+ipc-namespace
 netfilter
-protocol unix
+nogroups
 nonewprivs
 noroot
+nosound
+protocol unix
 seccomp
 shell none
 tracelog
-private-tmp
-private-dev
+
 noexec ${HOME}
 noexec /tmp
-nogroups
-nosound
-ipc-namespace
+
+private-tmp
+private-dev
diff --git a/etc/mutt.profile b/etc/mutt.profile
index cda7fc4bf..b532ded67 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -2,6 +2,7 @@
 
 noblacklist ~/.muttrc
 noblacklist ~/.mutt
+noblacklist ~/.mutt/muttrc
 noblacklist ~/.mailcap
 noblacklist ~/.gnupg
 noblacklist ~/.mail
diff --git a/etc/okular.profile b/etc/okular.profile
index df142ccfc..b43a5fbea 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -9,14 +9,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-nonewprivs
 nogroups
+nonewprivs
 noroot
-private-dev
 protocol unix
 seccomp
 nosound
 
+private-dev
+
 #Experimental:
 #net none
 #shell none
diff --git a/etc/openshot.profile b/etc/openshot.profile
new file mode 100644
index 000000000..f12bd7d11
--- /dev/null
+++ b/etc/openshot.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 47be2b6ea..850706145 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/pix.profile b/etc/pix.profile
index 80c05fd09..e21ddadc6 100644
--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-nonewprivs
 nogroups
+nonewprivs
 noroot
 nosound
 protocol unix
@@ -20,4 +20,3 @@ tracelog
 private-bin pix
 whitelist /tmp/.X11-unix
 private-dev
-
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index 22c5bafc5..a9323448b 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -14,10 +14,10 @@ whitelist ~/.local/share/psi+
 mkdir ~/.cache/psi+
 whitelist ~/.cache/psi+
 
-include /etc/firejail/whitelist-common.inc
-
 caps.drop all
 netfilter
 noroot
 protocol unix,inet,inet6
 seccomp
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 138b6db55..67829c9ca 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -15,6 +15,6 @@ seccomp
 # there are some problems with "Open destination folder", see bug #536
 #shell none
 #private-bin qbittorrent
-whitelist /tmp/.X11-unix
 private-dev
-nosound
+
+whitelist /tmp/.X11-unix
diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 07ea173e6..06c0db206 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -18,5 +18,5 @@ shell none
 tracelog
 
 private-bin qpdfview
-private-tmp
 private-dev
+private-tmp
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 927487037..81d8aa10e 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -11,8 +11,8 @@ whitelist ${DOWNLOADS}
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 2ab5d8a8e..2b28fce73 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -14,16 +14,17 @@ whitelist ${HOME}/.cache/QuiteRss
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
-private-bin quiterss
-private-dev
 nosound
-#private-etc X11,ssl
 protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
 
+private-bin quiterss
+private-dev
+#private-etc X11,ssl
+
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/ranger.profile b/etc/ranger.profile
index a040cd6bc..323e64dee 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -12,13 +12,12 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 net none
+nogroups
 nonewprivs
 noroot
-nogroups
 protocol unix
 seccomp
 nosound
 
 private-tmp
 private-dev
-
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 0e8527ae7..e5e192486 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-nogroups
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 15df2c374..1226a51cd 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -16,4 +16,3 @@ shell none
 private-bin rtorrent
 whitelist /tmp/.X11-unix
 private-dev
-nosound
diff --git a/etc/server.profile b/etc/server.profile
index 22cef0a3c..b8a34feb2 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -6,11 +6,12 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-private
-private-dev
-nosound
-no3d
-private-tmp
 blacklist /tmp/.X11-unix
+
+no3d
+nosound
 seccomp
 
+private
+private-dev
+private-tmp
diff --git a/etc/slack.profile b/etc/slack.profile
index 1009f7ee0..a85a28f03 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -1,3 +1,4 @@
+# Firejail profile for Slack
 noblacklist ${HOME}/.config/Slack
 noblacklist ${HOME}/Downloads
 
@@ -6,25 +7,25 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-mkdir ${HOME}/.config
-mkdir ${HOME}/.config/Slack
-whitelist ${HOME}/.config/Slack
-whitelist ${HOME}/Downloads
-
-protocol unix,inet,inet6,netlink
-private-dev
-private-tmp
-private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
-name slack
 blacklist /var
 
-include /etc/firejail/whitelist-common.inc
-
 caps.drop all
-seccomp
+name slack
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
+protocol unix,inet,inet6,netlink
+seccomp
 shell none
+
 private-bin slack
+private-dev
+private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
+private-tmp
+
+mkdir ${HOME}/.config
+mkdir ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 73d427db3..6dbcc03ee 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -7,16 +7,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-# Whitelist the folders needed by Spotify - This is more restrictive
-# than a blacklist though, but this is all spotify requires for
-# streaming audio
+# Whitelist the folders needed by Spotify
 mkdir ${HOME}/.config/spotify
 whitelist ${HOME}/.config/spotify
 mkdir ${HOME}/.local/share/spotify
 whitelist ${HOME}/.local/share/spotify
 mkdir ${HOME}/.cache/spotify
 whitelist ${HOME}/.cache/spotify
-include /etc/firejail/whitelist-common.inc
 
 caps.drop all
 netfilter
@@ -27,5 +24,20 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-#private-bin spotify
+private-bin spotify
+private-etc fonts,machine-id,pulse,resolv.conf
 private-dev
+private-tmp
+
+blacklist ${HOME}/.Xauthority
+blacklist ${HOME}/.bashrc
+blacklist /boot
+blacklist /lost+found
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /root
+blacklist /sbin
+blacklist /srv
+blacklist /sys
+blacklist /var
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
new file mode 100644
index 000000000..ee19cee25
--- /dev/null
+++ b/etc/start-tor-browser.profile
@@ -0,0 +1,20 @@
+# Firejail profile for the Tor Brower Bundle
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-etc fonts
+private-dev
+private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index f99a65009..7c464bf88 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,10 +1,11 @@
 # strings profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
-tracelog
+
 net none
-shell none
-private-dev
 nosound
+quiet
+shell none
+tracelog
 
+private-dev
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index d46467b99..69b2a0db2 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -11,7 +11,9 @@ nonewprivs
 noroot
 protocol unix
 seccomp
-private-dev
-private-tmp
+
 noexec ${HOME}
 noexec /tmp
+
+private-dev
+private-tmp
diff --git a/etc/tar.profile b/etc/tar.profile
index 663ac3805..91fdaf48d 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,18 +1,18 @@
 # tar profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
-tracelog
+blacklist /tmp/.X11-unix
+
+hostname tar
 net none
+no3d
+nosound
+quiet
 shell none
+tracelog
 
 # support compressed archives
 private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
 private-dev
-nosound
-no3d
 private-etc passwd,group,localtime
-hostname tar
-blacklist /tmp/.X11-unix
-
diff --git a/etc/telegram.profile b/etc/telegram.profile
index 8e91e426b..7615c8eef 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -10,4 +10,3 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
-
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 0cfa4fcfc..316cdfec6 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -18,6 +18,6 @@ shell none
 tracelog
 
 private-bin transmission-gtk
-whitelist /tmp/.X11-unix
 private-dev
 
+whitelist /tmp/.X11-unix
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 754211a63..51c58e224 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -14,9 +14,10 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
+shell none
 tracelog
 
-shell none
 private-bin transmission-qt
-whitelist /tmp/.X11-unix
 private-dev
+
+whitelist /tmp/.X11-unix
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index 522b4bd1e..f42e6c69a 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -9,17 +9,16 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6
 seccomp
+shell none
 
+private-bin uget-gtk
+private-dev
+
+whitelist /tmp/.X11-unix
 whitelist ${DOWNLOADS}
 mkdir ~/.config/uGet
 whitelist ~/.config/uGet
 include /etc/firejail/whitelist-common.inc
-
-shell none
-private-bin uget-gtk
-whitelist /tmp/.X11-unix
-private-dev
-nosound
-
diff --git a/etc/unrar.profile b/etc/unrar.profile
index f29d1b51b..0700cafe9 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,17 +1,18 @@
 # unrar profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
-tracelog
+blacklist /tmp/.X11-unix
+
+hostname unrar
 net none
+no3d
+nosound
+quiet
 shell none
+tracelog
+
 private-bin unrar
 private-dev
-nosound
-no3d
 private-etc passwd,group,localtime
-hostname unrar
 private-tmp
-blacklist /tmp/.X11-unix
-
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 07224855f..a43785795 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,16 +1,16 @@
 # unzip profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
+blacklist /tmp/.X11-unix
 
-tracelog
+hostname unzip
 net none
+no3d
+nosound
+quiet
 shell none
+tracelog
+
 private-bin unzip
-private-etc passwd,group,localtime
-hostname unzip
 private-dev
-nosound
-no3d
-blacklist /tmp/.X11-unix
-
+private-etc passwd,group,localtime
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index 8ea9d5163..5ba0896ab 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -1,15 +1,15 @@
 # uudeview profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
-tracelog
+blacklist /etc
+
+hostname uudeview
 net none
+nosound
+quiet
 shell none
+tracelog
+
 private-bin uudeview
 private-dev
-private-etc nonexisting_fakefile_for_empty_etc
-hostname uudeview
-nosound
-uudeview
-
diff --git a/etc/vim.profile b/etc/vim.profile
index 3c1fefe41..b161fcbb0 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -1,5 +1,4 @@
 # vim profile
-
 noblacklist ~/.vim
 noblacklist ~/.vimrc
 noblacklist ~/.viminfo
@@ -10,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-nogroups
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
new file mode 100644
index 000000000..148b7efc8
--- /dev/null
+++ b/etc/virtualbox.profile
@@ -0,0 +1,12 @@
+# VirtualBox profile
+
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+noblacklist ${HOME}/.config/VirtualBox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+
+
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
new file mode 100644
index 000000000..b7fb6ecf3
--- /dev/null
+++ b/etc/xiphos.profile
@@ -0,0 +1,30 @@
+# Firejail profile for xiphos
+noblacklist ~/.sword
+noblacklist ~/.xiphos
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+blacklist ~/.bashrc
+blacklist ~/.Xauthority
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xiphos
+private-etc fonts,resolv.conf,sword
+private-dev
+private-tmp
+
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.xiphos
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index e036fba21..7ea368bbe 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -7,15 +7,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-shell none
+net none
 nonewprivs
 noroot
 protocol unix
+shell none
 seccomp
+
 private-dev
 private-tmp
-net none
-
-
-
-
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 54d5ed89b..191d2f67f 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -9,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nonewprivs
 nogroups
+nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index a9d027c38..04f98cef6 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,12 +1,14 @@
 # xzdec profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
-tracelog
-net none
-shell none
+
 blacklist /tmp/.X11-unix
-private-dev
-nosound
+
+net none
 no3d
+nosound
+quiet
+shell none
+tracelog
 
+private-dev
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 7093c52b2..ab2e99dbc 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -7,14 +7,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
-seccomp
-protocol unix
 netfilter
+nogroups
 nonewprivs
 noroot
-nogroups
 nosound
 shell none
+seccomp
+protocol unix
 
 private-bin zathura
 private-dev
diff --git a/mkuid.sh b/mkuid.sh
index c95741043..a59f58143 100755
--- a/mkuid.sh
+++ b/mkuid.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 echo "extracting UID_MIN and GID_MIN"
 echo "#ifndef FIREJAIL_UIDS_H" > uids.h
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index a8ed6f691..0c2e85904 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -161,3 +161,10 @@
 /etc/firejail/emacs.profile
 /etc/firejail/vim.profile
 /etc/firejail/xpdf.profile
+/etc/firejail/virtualbox.profile
+/etc/firejail/openshot.profile
+/etc/firejail/flowblade.profile
+/etc/firejail/eog.profile
+/etc/firejail/evolution.profile
+/etc/firejail/start-tor-browser.profile
+/etc/firejail/xiphos.profile
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
new file mode 100755
index 000000000..017d5e1c3
--- /dev/null
+++ b/platform/rpm/old-mkrpm.sh
@@ -0,0 +1,542 @@
+#!/bin/bash
+VERSION="0.9.44"
+rm -fr ~/rpmbuild
+rm -f firejail-$VERSION-1.x86_64.rpm
+
+mkdir -p ~/rpmbuild/{RPMS,SRPMS,BUILD,SOURCES,SPECS,tmp}
+cat <<EOF >~/.rpmmacros
+%_topdir   %(echo $HOME)/rpmbuild
+%_tmppath  %{_topdir}/tmp
+EOF
+
+cd ~/rpmbuild
+echo "building directory tree"
+
+mkdir -p firejail-$VERSION/usr/bin
+install -m 755 /usr/bin/firejail firejail-$VERSION/usr/bin/.
+install -m 755 /usr/bin/firemon firejail-$VERSION/usr/bin/.
+install -m 755 /usr/bin/firecfg firejail-$VERSION/usr/bin/.
+
+mkdir -p  firejail-$VERSION/usr/lib/firejail
+install -m 755 /usr/lib/firejail/faudit  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/firecfg.config  firejail-$VERSION/usr/lib/firejail/.
+install -m 755 /usr/lib/firejail/fshaper.sh  firejail-$VERSION/usr/lib/firejail/.
+install -m 755 /usr/lib/firejail/ftee  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/libtrace.so  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/libtracelog.so  firejail-$VERSION/usr/lib/firejail/.
+install -m 644 /usr/lib/firejail/libconnect.so  firejail-$VERSION/usr/lib/firejail/.
+
+mkdir -p firejail-$VERSION/usr/share/man/man1
+install -m 644 /usr/share/man/man1/firejail.1.gz firejail-$VERSION/usr/share/man/man1/.
+install -m 644 /usr/share/man/man1/firemon.1.gz firejail-$VERSION/usr/share/man/man1/.
+install -m 644 /usr/share/man/man1/firecfg.1.gz firejail-$VERSION/usr/share/man/man1/.
+
+mkdir -p firejail-$VERSION/usr/share/man/man5
+install -m 644 /usr/share/man/man5/firejail-profile.5.gz firejail-$VERSION/usr/share/man/man5/.
+install -m 644 /usr/share/man/man5/firejail-login.5.gz firejail-$VERSION/usr/share/man/man5/.
+
+mkdir -p firejail-$VERSION/usr/share/doc/packages/firejail
+install -m 644 /usr/share/doc/firejail/COPYING firejail-$VERSION/usr/share/doc/packages/firejail/.
+install -m 644 /usr/share/doc/firejail/README firejail-$VERSION/usr/share/doc/packages/firejail/.
+install -m 644 /usr/share/doc/firejail/RELNOTES firejail-$VERSION/usr/share/doc/packages/firejail/.
+
+mkdir -p firejail-$VERSION/etc/firejail
+install -m 644 /etc/firejail/0ad.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/abrowser.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/atom-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/atom.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/atril.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/audacious.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/audacity.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/aweather.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/bitlbee.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/brave.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cherrytree.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/chromium-browser.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/chromium.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/clementine.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cmus.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/conkeror.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/corebird.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cpio.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/cyberfox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/Cyberfox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/deadbeef.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/default.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/deluge.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dillo.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-common.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-devel.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-passwdmgr.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/disable-programs.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dnscrypt-proxy.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dnsmasq.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dosbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/dropbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/empathy.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/eom.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/epiphany.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/evince.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/fbreader.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/file.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/filezilla.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/firefox-esr.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/firefox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/firejail.config firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/flashpeak-slimjet.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/franz.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gajim.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gitter.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gnome-chess.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gnome-mplayer.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome-stable.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-chrome-unstable.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/google-play-music-desktop-player.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gpredict.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gtar.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gthumb.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gwenview.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gzip.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/hedgewars.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/hexchat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/icecat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/icedove.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/iceweasel.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/inox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/jitsi.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/kmail.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/konversation.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/less.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/libreoffice.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/localc.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lodraw.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/loffice.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lofromtemplate.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/login.users firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/loimpress.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lomath.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/loweb.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lowriter.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/lxterminal.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mathematica.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/Mathematica.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mcabber.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/midori.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mpv.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mupen64plus.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/netsurf.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/nolocal.net firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/okular.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/openbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/opera-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/opera.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/palemoon.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/parole.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/pidgin.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/pix.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/polari.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/psi-plus.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qbittorrent.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qtox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/quassel.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/quiterss.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qutebrowser.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/rhythmbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/rtorrent.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/seamonkey-bin.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/seamonkey.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/server.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/skypeforlinux.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/skype.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/slack.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/snap.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/soffice.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/spotify.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/ssh.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/steam.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/stellarium.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/strings.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/tar.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/telegram.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/Telegram.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/thunderbird.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/totem.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/transmission-gtk.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/transmission-qt.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/uget-gtk.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/unbound.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/unrar.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/unzip.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/uudeview.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vivaldi-beta.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vivaldi.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vlc.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/warzone2100.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/webserver.net firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/weechat-curses.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/weechat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/wesnoth.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/whitelist-common.inc firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/wine.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xchat.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xplayer.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xreader.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xviewer.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xzdec.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xz.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/zathura.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/7z.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/keepass.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/keepassx.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/claws-mail.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mutt.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/git.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/emacs.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/vim.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/xpdf.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/virtualbox.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/openshot.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/flowblade.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/eog.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/evolution.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/feh.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/gimp.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/inkscape.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/luminance-hdr.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/mupdf.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/qpdfview.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/ranger.profile firejail-$VERSION/etc/firejail/.
+install -m 644 /etc/firejail/synfigstudio.profile firejail-$VERSION/etc/firejail/.
+
+
+mkdir -p firejail-$VERSION/usr/share/bash-completion/completions
+install -m 644 /usr/share/bash-completion/completions/firejail  firejail-$VERSION/usr/share/bash-completion/completions/.
+install -m 644 /usr/share/bash-completion/completions/firemon  firejail-$VERSION/usr/share/bash-completion/completions/.
+install -m 644 /usr/share/bash-completion/completions/firecfg  firejail-$VERSION/usr/share/bash-completion/completions/.
+
+echo "building tar.gz archive"
+tar -czvf firejail-$VERSION.tar.gz firejail-$VERSION
+
+cp firejail-$VERSION.tar.gz SOURCES/.
+
+echo "building config spec"
+cat <<EOF > SPECS/firejail.spec
+%define        __spec_install_post %{nil}
+%define          debug_package %{nil}
+%define        __os_install_post %{_dbpath}/brp-compress
+
+Summary: Linux namepaces sandbox program
+Name: firejail
+Version: $VERSION
+Release: 1
+License: GPL+
+Group: Development/Tools
+SOURCE0 : %{name}-%{version}.tar.gz
+URL: http://firejail.wordpress.com
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+%description
+Firejail  is  a  SUID sandbox program that reduces the risk of security
+breaches by restricting the running environment of untrusted applications
+using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
+
+%prep
+%setup -q
+
+%build
+
+%install
+rm -rf %{buildroot}
+mkdir -p  %{buildroot}
+
+cp -a * %{buildroot}
+
+
+%clean
+rm -rf %{buildroot}
+
+
+%files
+%defattr(-,root,root,-)
+%config(noreplace) %{_sysconfdir}/%{name}/0ad.profile
+%config(noreplace) %{_sysconfdir}/%{name}/abrowser.profile
+%config(noreplace) %{_sysconfdir}/%{name}/atom-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/atom.profile
+%config(noreplace) %{_sysconfdir}/%{name}/atril.profile
+%config(noreplace) %{_sysconfdir}/%{name}/audacious.profile
+%config(noreplace) %{_sysconfdir}/%{name}/audacity.profile
+%config(noreplace) %{_sysconfdir}/%{name}/aweather.profile
+%config(noreplace) %{_sysconfdir}/%{name}/bitlbee.profile
+%config(noreplace) %{_sysconfdir}/%{name}/brave.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cherrytree.profile
+%config(noreplace) %{_sysconfdir}/%{name}/chromium-browser.profile
+%config(noreplace) %{_sysconfdir}/%{name}/chromium.profile
+%config(noreplace) %{_sysconfdir}/%{name}/clementine.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cmus.profile
+%config(noreplace) %{_sysconfdir}/%{name}/conkeror.profile
+%config(noreplace) %{_sysconfdir}/%{name}/corebird.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cpio.profile
+%config(noreplace) %{_sysconfdir}/%{name}/cyberfox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/Cyberfox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/deadbeef.profile
+%config(noreplace) %{_sysconfdir}/%{name}/default.profile
+%config(noreplace) %{_sysconfdir}/%{name}/deluge.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dillo.profile
+%config(noreplace) %{_sysconfdir}/%{name}/disable-common.inc
+%config(noreplace) %{_sysconfdir}/%{name}/disable-devel.inc
+%config(noreplace) %{_sysconfdir}/%{name}/disable-passwdmgr.inc
+%config(noreplace) %{_sysconfdir}/%{name}/disable-programs.inc
+%config(noreplace) %{_sysconfdir}/%{name}/dnscrypt-proxy.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dnsmasq.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dosbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/dropbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/empathy.profile
+%config(noreplace) %{_sysconfdir}/%{name}/eom.profile
+%config(noreplace) %{_sysconfdir}/%{name}/epiphany.profile
+%config(noreplace) %{_sysconfdir}/%{name}/evince.profile
+%config(noreplace) %{_sysconfdir}/%{name}/fbreader.profile
+%config(noreplace) %{_sysconfdir}/%{name}/file.profile
+%config(noreplace) %{_sysconfdir}/%{name}/filezilla.profile
+%config(noreplace) %{_sysconfdir}/%{name}/firefox-esr.profile
+%config(noreplace) %{_sysconfdir}/%{name}/firefox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/firejail.config
+%config(noreplace) %{_sysconfdir}/%{name}/flashpeak-slimjet.profile
+%config(noreplace) %{_sysconfdir}/%{name}/franz.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gajim.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gitter.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gnome-chess.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gnome-mplayer.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-stable.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-chrome-unstable.profile
+%config(noreplace) %{_sysconfdir}/%{name}/google-play-music-desktop-player.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gpredict.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gtar.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gthumb.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gwenview.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gzip.profile
+%config(noreplace) %{_sysconfdir}/%{name}/hedgewars.profile
+%config(noreplace) %{_sysconfdir}/%{name}/hexchat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/icecat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/icedove.profile
+%config(noreplace) %{_sysconfdir}/%{name}/iceweasel.profile
+%config(noreplace) %{_sysconfdir}/%{name}/inox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/jitsi.profile
+%config(noreplace) %{_sysconfdir}/%{name}/kmail.profile
+%config(noreplace) %{_sysconfdir}/%{name}/konversation.profile
+%config(noreplace) %{_sysconfdir}/%{name}/less.profile
+%config(noreplace) %{_sysconfdir}/%{name}/libreoffice.profile
+%config(noreplace) %{_sysconfdir}/%{name}/localc.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lodraw.profile
+%config(noreplace) %{_sysconfdir}/%{name}/loffice.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lofromtemplate.profile
+%config(noreplace) %{_sysconfdir}/%{name}/login.users
+%config(noreplace) %{_sysconfdir}/%{name}/loimpress.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lomath.profile
+%config(noreplace) %{_sysconfdir}/%{name}/loweb.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lowriter.profile
+%config(noreplace) %{_sysconfdir}/%{name}/lxterminal.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mathematica.profile
+%config(noreplace) %{_sysconfdir}/%{name}/Mathematica.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mcabber.profile
+%config(noreplace) %{_sysconfdir}/%{name}/midori.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mpv.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mupen64plus.profile
+%config(noreplace) %{_sysconfdir}/%{name}/netsurf.profile
+%config(noreplace) %{_sysconfdir}/%{name}/nolocal.net
+%config(noreplace) %{_sysconfdir}/%{name}/okular.profile
+%config(noreplace) %{_sysconfdir}/%{name}/openbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/opera-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/opera.profile
+%config(noreplace) %{_sysconfdir}/%{name}/palemoon.profile
+%config(noreplace) %{_sysconfdir}/%{name}/parole.profile
+%config(noreplace) %{_sysconfdir}/%{name}/pidgin.profile
+%config(noreplace) %{_sysconfdir}/%{name}/pix.profile
+%config(noreplace) %{_sysconfdir}/%{name}/polari.profile
+%config(noreplace) %{_sysconfdir}/%{name}/psi-plus.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qbittorrent.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qtox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/quassel.profile
+%config(noreplace) %{_sysconfdir}/%{name}/quiterss.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qutebrowser.profile
+%config(noreplace) %{_sysconfdir}/%{name}/rhythmbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/rtorrent.profile
+%config(noreplace) %{_sysconfdir}/%{name}/seamonkey-bin.profile
+%config(noreplace) %{_sysconfdir}/%{name}/seamonkey.profile
+%config(noreplace) %{_sysconfdir}/%{name}/server.profile
+%config(noreplace) %{_sysconfdir}/%{name}/skypeforlinux.profile
+%config(noreplace) %{_sysconfdir}/%{name}/skype.profile
+%config(noreplace) %{_sysconfdir}/%{name}/slack.profile
+%config(noreplace) %{_sysconfdir}/%{name}/snap.profile
+%config(noreplace) %{_sysconfdir}/%{name}/soffice.profile
+%config(noreplace) %{_sysconfdir}/%{name}/spotify.profile
+%config(noreplace) %{_sysconfdir}/%{name}/ssh.profile
+%config(noreplace) %{_sysconfdir}/%{name}/steam.profile
+%config(noreplace) %{_sysconfdir}/%{name}/stellarium.profile
+%config(noreplace) %{_sysconfdir}/%{name}/strings.profile
+%config(noreplace) %{_sysconfdir}/%{name}/tar.profile
+%config(noreplace) %{_sysconfdir}/%{name}/telegram.profile
+%config(noreplace) %{_sysconfdir}/%{name}/Telegram.profile
+%config(noreplace) %{_sysconfdir}/%{name}/thunderbird.profile
+%config(noreplace) %{_sysconfdir}/%{name}/totem.profile
+%config(noreplace) %{_sysconfdir}/%{name}/transmission-gtk.profile
+%config(noreplace) %{_sysconfdir}/%{name}/transmission-qt.profile
+%config(noreplace) %{_sysconfdir}/%{name}/uget-gtk.profile
+%config(noreplace) %{_sysconfdir}/%{name}/unbound.profile
+%config(noreplace) %{_sysconfdir}/%{name}/unrar.profile
+%config(noreplace) %{_sysconfdir}/%{name}/unzip.profile
+%config(noreplace) %{_sysconfdir}/%{name}/uudeview.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vivaldi-beta.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vivaldi.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vlc.profile
+%config(noreplace) %{_sysconfdir}/%{name}/warzone2100.profile
+%config(noreplace) %{_sysconfdir}/%{name}/webserver.net
+%config(noreplace) %{_sysconfdir}/%{name}/weechat-curses.profile
+%config(noreplace) %{_sysconfdir}/%{name}/weechat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/wesnoth.profile
+%config(noreplace) %{_sysconfdir}/%{name}/whitelist-common.inc
+%config(noreplace) %{_sysconfdir}/%{name}/wine.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xchat.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xplayer.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xreader.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xviewer.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xzdec.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xz.profile
+%config(noreplace) %{_sysconfdir}/%{name}/zathura.profile
+%config(noreplace) %{_sysconfdir}/%{name}/7z.profile
+%config(noreplace) %{_sysconfdir}/%{name}/keepass.profile
+%config(noreplace) %{_sysconfdir}/%{name}/keepassx.profile
+%config(noreplace) %{_sysconfdir}/%{name}/claws-mail.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mutt.profile
+%config(noreplace) %{_sysconfdir}/%{name}/git.profile
+%config(noreplace) %{_sysconfdir}/%{name}/emacs.profile
+%config(noreplace) %{_sysconfdir}/%{name}/vim.profile
+%config(noreplace) %{_sysconfdir}/%{name}/xpdf.profile
+%config(noreplace) %{_sysconfdir}/%{name}/virtualbox.profile
+%config(noreplace) %{_sysconfdir}/%{name}/openshot.profile
+%config(noreplace) %{_sysconfdir}/%{name}/flowblade.profile
+%config(noreplace) %{_sysconfdir}/%{name}/eog.profile
+%config(noreplace) %{_sysconfdir}/%{name}/evolution.profile
+%config(noreplace) %{_sysconfdir}/%{name}/feh.profile
+%config(noreplace) %{_sysconfdir}/%{name}/inkscape.profile
+%config(noreplace) %{_sysconfdir}/%{name}/gimp.profile
+%config(noreplace) %{_sysconfdir}/%{name}/luminance-hdr.profile
+%config(noreplace) %{_sysconfdir}/%{name}/mupdf.profile
+%config(noreplace) %{_sysconfdir}/%{name}/qpdfview.profile
+%config(noreplace) %{_sysconfdir}/%{name}/ranger.profile
+%config(noreplace) %{_sysconfdir}/%{name}/synfigstudio.profile
+
+/usr/bin/firejail
+/usr/bin/firemon
+/usr/bin/firecfg
+
+/usr/lib/firejail/libtrace.so
+/usr/lib/firejail/libtracelog.so
+/usr/lib/firejail/libconnect.so
+/usr/lib/firejail/faudit
+/usr/lib/firejail/ftee
+/usr/lib/firejail/firecfg.config
+/usr/lib/firejail/fshaper.sh
+
+/usr/share/doc/packages/firejail/COPYING
+/usr/share/doc/packages/firejail/README
+/usr/share/doc/packages/firejail/RELNOTES
+/usr/share/man/man1/firejail.1.gz
+/usr/share/man/man1/firemon.1.gz
+/usr/share/man/man1/firecfg.1.gz
+/usr/share/man/man5/firejail-profile.5.gz
+/usr/share/man/man5/firejail-login.5.gz
+/usr/share/bash-completion/completions/firejail
+/usr/share/bash-completion/completions/firemon
+/usr/share/bash-completion/completions/firecfg
+ 
+%post
+chmod u+s /usr/bin/firejail
+
+%changelog
+* Fri Oct 21 2016  netblue30 <netblue30@yahoo.com> 0.9.44-1
+  - CVE-2016-7545 submitted by Aleksey Manevich
+  - modifs: removed man firejail-config
+  - modifs: --private-tmp whitelists /tmp/.X11-unix directory
+  - modifs: Nvidia drivers added to --private-dev
+  - modifs: /srv supported by --whitelist
+  - feature: allow user access to /sys/fs (--noblacklist=/sys/fs)
+  - feature: support starting/joining sandbox is a single command
+    (--join-or-start)
+  - feature: X11 detection support for --audit
+  - feature: assign a name to the interface connected to the bridge 
+    (--veth-name)
+  - feature: all user home directories are visible (--allusers)
+  - feature: add files to sandbox container (--put)
+  - feature: blocking x11 (--x11=block)
+  - feature: X11 security extension (--x11=xorg)
+  - feature: disable 3D hardware acceleration (--no3d)
+  - feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
+  - feature: move files in sandbox (--put)
+  - feature: accept wildcard patterns in user  name field of restricted
+    shell login feature
+  - new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
+  - new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
+  - new profiles: claws-mail, mutt, git, emacs, vim, xpdf, VirtualBox, OpenShot
+  - new profiles: Flowblade, Eye of GNOME (eog), Evolution
+  - bugfixes
+
+* Thu Sep 8 2016 netblue30 <netblue30@yahoo.com> 0.9.42-1
+  - security: --whitelist deleted files, submitted by Vasya Novikov
+  - security: disable x32 ABI in seccomp, submitted by Jann Horn
+  - security: tighten --chroot, submitted by Jann Horn
+  - security: terminal sandbox escape, submitted by Stephan Sokolow
+  - security: several TOCTOU fixes submitted by Aleksey Manevich
+  - modifs: bringing back --private-home option
+  - modifs: deprecated --user option, please use "sudo -u username firejail"
+  - modifs: allow symlinks in home directory for --whitelist option
+  - modifs: Firejail prompt is enabled by env variable FIREJAIL_PROMPT="yes"
+  - modifs: recursive mkdir
+  - modifs: include /dev/snd in --private-dev
+  - modifs: seccomp filter update
+  - modifs: release archives moved to .xz format
+  - feature: AppImage support (--appimage)
+  - feature: AppArmor support (--apparmor)
+  - feature: Ubuntu snap support (/etc/firejail/snap.profile)
+  - feature: Sandbox auditing support (--audit)
+  - feature: remove environment variable (--rmenv)
+  - feature: noexec support (--noexec)
+  - feature: clean local overlay storage directory (--overlay-clean)
+  - feature: store and reuse overlay (--overlay-named)
+  - feature: allow debugging inside the sandbox with gdb and strace
+         (--allow-debuggers)
+  - feature: mkfile profile command
+  - feature: quiet profile command
+  - feature: x11 profile command
+  - feature: option to fix desktop files (firecfg --fix)
+  - compile time: Busybox support (--enable-busybox-workaround)
+  - compile time: disable overlayfs (--disable-overlayfs)
+  - compile time: disable whitlisting (--disable-whitelist)
+  - compile time: disable global config (--disable-globalcfg)
+  - run time: enable/disable overlayfs (overlayfs yes/no)
+  - run time: enable/disable  quiet as default (quiet-by-default yes/no)
+  - run time: user-defined network filter (netfilter-default)
+  - run time: enable/disable whitelisting (whitelist yes/no)
+  - run time: enable/disable remounting of /proc and /sys
+          (remount-proc-sys yes/no)
+  - run time: enable/disable chroot desktop features (chroot-desktop yes/no)
+  - profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
+  - profiles: pix, audacity, xz, xzdec, gzip, cpio, less
+  - profiles: Atom Beta, Atom, jitsi, eom, uudeview
+  - profiles: tar (gtar), unzip, unrar, file, skypeforlinux,
+  - profiles: inox, Slack, gnome-chess. Gajim IM client, DOSBox
+  - bugfixes
+
+EOF
+
+echo "building rpm"
+rpmbuild -ba SPECS/firejail.spec
+rpm -qpl RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm
+cd ..
+rm -f firejail-$VERSION-1.x86_64.rpm
+cp rpmbuild/RPMS/x86_64/firejail-$VERSION-1.x86_64.rpm .
+
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 9924be00f..3c87305df 100644
--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -92,7 +92,8 @@ void syscall_run(const char *name) {
                 errExit("fork");
         if (child == 0) {
                 execl(prog, prog, "syscall", name, NULL);
-                exit(1);
+                perror("execl");
+                _exit(1);
         }
                 
         // wait for the child to finish
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 31f6b2fd5..e3e333497 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -42,11 +42,13 @@ opera-beta
 opera
 palemoon
 qutebrowser
+start-tor-browser
 seamonkey
 seamonkey-bin
 thunderbird
 vivaldi-beta
 vivaldi
+evolution
 
 # chat/messaging
 bitlbee
@@ -76,6 +78,7 @@ unbound
 mupen64plus
 wine
 dosbox
+virtualbox
 
 # games
 0ad
@@ -137,6 +140,9 @@ pix
 xpdf
 xreader
 zathura
+openshot
+flowblade
+eog
 
 # other
 ssh
@@ -145,6 +151,7 @@ atom
 ranger
 keepass
 keepassx
+xiphos
 
 # weather/climate
 aweather
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 375d6be24..09b242964 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -39,7 +39,7 @@ void appimage_set(const char *appimage_path) {
         assert(appimage_path);
         assert(devloop == NULL);        // don't call this twice!
         EUID_ASSERT();
-
+        
 #ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
         // check appimage_path
         if (access(appimage_path, R_OK) == -1) {
@@ -47,6 +47,12 @@ void appimage_set(const char *appimage_path) {
                 exit(1);
         }
 
+        // get appimage type and ELF size
+        // a value of 0 means we are dealing with a type1 appimage
+        long unsigned int size = appimage2_size(appimage_path);
+        if (arg_debug)
+                printf("AppImage ELF size %lu\n", size);
+
         // open as user to prevent race condition
         int ffd = open(appimage_path, O_RDONLY|O_CLOEXEC);
         if (ffd == -1) {
@@ -76,12 +82,21 @@ void appimage_set(const char *appimage_path) {
                 fprintf(stderr, "Error: cannot configure the loopback device\n");
                 exit(1);
         }
+        
+        if (size) {
+                struct loop_info64 info;
+                memset(&info, 0, sizeof(struct loop_info64));
+                info.lo_offset = size;
+                if (ioctl(lfd,  LOOP_SET_STATUS64, &info) == -1)
+                        errExit("configure appimage offset");
+        }
+        
         close(lfd);
         close(ffd);
         EUID_USER();
 
         // creates appimage mount point perms 0700
-        if (asprintf(&mntdir, "%s/appimage-%u",  RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
+        if (asprintf(&mntdir, "%s/.appimage-%u",  RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
                 errExit("asprintf");
         EUID_ROOT();
         if (mkdir(mntdir, 0700) == -1) {
@@ -100,8 +115,16 @@ void appimage_set(const char *appimage_path) {
         if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
                 errExit("asprintf");
         EUID_ROOT();
-        if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
-                errExit("mounting appimage");
+        
+        if (size == 0) {
+                if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
+                        errExit("mounting appimage");
+        }
+        else {
+                if (mount(devloop, mntdir, "squashfs",MS_MGC_VAL|MS_RDONLY,  mode) < 0)
+                        errExit("mounting appimage");
+        }
+
         if (arg_debug)
                 printf("appimage mounted on %s\n", mntdir);
         EUID_USER();
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c
new file mode 100644
index 000000000..c8b3d28c5
--- /dev/null
+++ b/src/firejail/appimage_size.c
@@ -0,0 +1,143 @@
+/*
+Compile with:
+gcc elfsize.c -o elfsize
+Example:
+ls -l                                           126584
+Calculation using the values also reported by readelf -h:
+Start of section headers        e_shoff         124728
+Size of section headers         e_shentsize     64
+Number of section headers       e_shnum         29
+e_shoff + ( e_shentsize * e_shnum ) =           126584
+*/
+
+#include <elf.h>
+#include <byteswap.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <fcntl.h>
+
+typedef Elf32_Nhdr Elf_Nhdr;
+
+static Elf64_Ehdr ehdr;
+static Elf64_Phdr *phdr;
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define ELFDATANATIVE ELFDATA2LSB
+#elif __BYTE_ORDER == __BIG_ENDIAN
+#define ELFDATANATIVE ELFDATA2MSB
+#else
+#error "Unknown machine endian"
+#endif
+
+static uint16_t file16_to_cpu(uint16_t val) {
+        if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
+                val = bswap_16(val);
+        return val;
+}
+
+
+static uint32_t file32_to_cpu(uint32_t val) {
+        if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
+                val = bswap_32(val);
+        return val;
+}
+
+
+static uint64_t file64_to_cpu(uint64_t val) {
+        if (ehdr.e_ident[EI_DATA] != ELFDATANATIVE)
+                val = bswap_64(val);
+        return val;
+}
+
+
+// return 0 if error
+static long unsigned int read_elf32(int fd) {
+        Elf32_Ehdr ehdr32;
+        ssize_t ret, i;
+
+        ret = pread(fd, &ehdr32, sizeof(ehdr32), 0);
+        if (ret < 0 || (size_t)ret != sizeof(ehdr))
+                return 0;
+
+        ehdr.e_shoff            = file32_to_cpu(ehdr32.e_shoff);
+        ehdr.e_shentsize        = file16_to_cpu(ehdr32.e_shentsize);
+        ehdr.e_shnum            = file16_to_cpu(ehdr32.e_shnum);
+
+        return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum));
+}
+
+
+// return 0 if error
+static long unsigned int read_elf64(int fd) {
+        Elf64_Ehdr ehdr64;
+        ssize_t ret, i;
+
+        ret = pread(fd, &ehdr64, sizeof(ehdr64), 0);
+        if (ret < 0 || (size_t)ret != sizeof(ehdr))
+                return 0;
+
+        ehdr.e_shoff            = file64_to_cpu(ehdr64.e_shoff);
+        ehdr.e_shentsize        = file16_to_cpu(ehdr64.e_shentsize);
+        ehdr.e_shnum            = file16_to_cpu(ehdr64.e_shnum);
+
+        return(ehdr.e_shoff + (ehdr.e_shentsize * ehdr.e_shnum));
+}
+
+
+// return 0 if error
+// return 0 if this is not an appimgage2 file
+long unsigned int appimage2_size(const char *fname) {
+/* TODO, FIXME: This assumes that the section header table (SHT) is
+the last part of the ELF. This is usually the case but
+it could also be that the last section is the last part
+of the ELF. This should be checked for.
+*/
+        ssize_t ret;
+        int fd;
+        long unsigned int size = 0;
+
+        fd = open(fname, O_RDONLY);
+        if (fd < 0)
+                return 0;
+
+        ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0);
+        if (ret != EI_NIDENT)
+                goto getout;
+
+        if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) &&
+             (ehdr.e_ident[EI_DATA] != ELFDATA2MSB))
+                goto getout;
+
+        if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) {
+                size = read_elf32(fd);
+        }
+        else if(ehdr.e_ident[EI_CLASS] == ELFCLASS64) {
+                size = read_elf64(fd);
+        }
+        else {
+                goto getout;
+        }
+        if (size == 0)
+                goto getout;
+
+
+        // look for a LZMA header at this location
+        unsigned char buf[4];
+        ret = pread(fd, buf, 4, size);
+        if (ret != 4) {
+                size = 0;
+                goto getout;
+        }
+        if (memcmp(buf, "hsqs", 4) != 0)
+                size = 0;
+
+getout:
+        close(fd);
+        return size;
+}
+
+
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index dafa5919c..9a9bb1ae7 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -681,8 +681,12 @@ void appimage_set(const char *appimage_path);
 void appimage_clear(void);
 const char *appimage_getdir(void);
 
+// appimage_size.c
+long unsigned int appimage2_size(const char *fname);
+
 // cmdline.c
 void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
 
+
 #endif
 
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index a5f12c7df..6c566bd90 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -649,7 +649,11 @@ void fs_proc_sys_dev_boot(void) {
                 
         disable_file(BLACKLIST_FILE, "/sys/firmware");
         disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-        disable_file(BLACKLIST_FILE, "/sys/fs");
+        { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line
+                EUID_USER();    
+                profile_add("blacklist /sys/fs");
+                EUID_ROOT();
+        }
         disable_file(BLACKLIST_FILE, "/sys/module");
         disable_file(BLACKLIST_FILE, "/sys/power");
         disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index e65474f44..ba0633649 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -192,6 +192,8 @@ static void duplicate(char *fname) {
                                 if (asprintf(&f, "%s/%s", RUN_BIN_DIR, fname) == -1)
                                         errExit("asprintf");
                                 execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", actual_path, f, NULL);
+                                perror("execlp");
+                                _exit(1);
                         }
                         // wait for the child to finish
                         waitpid(child, NULL, 0);
@@ -245,7 +247,7 @@ void fs_private_bin_list(void) {
                         duplicate(ptr);
                 free(dlist);    
                 fs_logger_print();
-                exit(0);
+                _exit(0);
         }
         // wait for the child to finish
         waitpid(child, NULL, 0);
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index fc9e40ca0..de29c312e 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -106,6 +106,8 @@ static void duplicate(char *fname) {
                 if (asprintf(&f, "/etc/%s", fname) == -1)
                         errExit("asprintf");
                 execlp(RUN_CP_COMMAND, RUN_CP_COMMAND, "-a", "--parents", f, RUN_MNT_DIR, NULL);
+                perror("execlp");
+                _exit(1);
         }
         // wait for the child to finish
         waitpid(child, NULL, 0);
@@ -169,7 +171,7 @@ void fs_private_etc_list(void) {
                                 duplicate(ptr);
                         free(dlist);    
                         fs_logger_print();
-                        exit(0);
+                        _exit(0);
                 }
                 // wait for the child to finish
                 waitpid(child, NULL, 0);
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index bd3c404e9..75cc3e732 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -641,7 +641,7 @@ void fs_private_home_list(void) {
 
                 fs_logger_print();      // save the current log
                 free(dlist);
-                exit(0);
+                _exit(0);
         }
         // wait for the child to finish
         waitpid(child, NULL, 0);
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index b2a5927e6..cffe32a7a 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -81,7 +81,7 @@ void fs_mkdir(const char *name) {
 
                 // create directory
                 mkdir_recursive(expanded);
-                exit(0);
+                _exit(0);
         }
         // wait for the child to finish
         waitpid(child, NULL, 0);
@@ -126,7 +126,7 @@ void fs_mkfile(const char *name) {
                         (void) rv;
                         fclose(fp);
                 }
-                exit(0);
+                _exit(0);
         }
         // wait for the child to finish
         waitpid(child, NULL, 0);
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index b1c2774e2..8bbdbe5d3 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -822,6 +822,7 @@ void fs_whitelist(void) {
                 if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                         errExit("mount tmpfs");
                 fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
+        }
 
         if (new_name)
                 free(new_name);
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 39efaa0a6..dba82be0b 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -358,7 +358,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                                 fprintf(stderr, "Error: Cannot read %s\n", fname1);
                                 exit(1);
                         }
-                        exit(0);
+                        _exit(0);
                 }
 
                 // wait for the child to finish
@@ -391,7 +391,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                                         exit(1);
                                 }
                                 fclose(fp);
-                                exit(0);
+                                _exit(0);
                         }
 
                         // wait for the child to finish
@@ -445,7 +445,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                                 fprintf(stderr, "Error: Cannot read %s\n", src_fname);
                                 exit(1);
                         }
-                        exit(0);
+                        _exit(0);
                 }
 
                 // wait for the child to finish
@@ -494,7 +494,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                                 }
                         }
 
-                        exit(0);
+                        _exit(0);
                 }
 
                 // wait for the child to finish
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 987a79d1c..b5a97c71e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2506,7 +2506,7 @@ int main(int argc, char **argv) {
                         network_main(child);
                         if (arg_debug)
                                 printf("Host network configured\n");                    
-                        exit(0);                        
+                        _exit(0);                       
                 }
 
                 // wait for the child to finish
@@ -2579,7 +2579,6 @@ int main(int argc, char **argv) {
                 g = get_group_id("games");
                 if (g) {
                         sprintf(ptr, "%d %d 1\n", g, g);
-                        ptr += strlen(ptr);
                 }
                 
                 EUID_ROOT();
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index b50d61039..c1f9a2c37 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -145,7 +145,8 @@ void netfilter(const char *fname) {
                 // wipe out environment variables
                 environ = NULL;
                 execl(iptables_restore, iptables_restore, NULL);
-                // it will never get here!!!
+                perror("execl");
+                _exit(1);
         }
         // wait for the child to finish
         waitpid(child, NULL, 0);
@@ -163,7 +164,8 @@ void netfilter(const char *fname) {
                                 errExit("setregid");
                         environ = NULL;
                         execl(iptables, iptables, "-vL", NULL);
-                        // it will never get here!!!
+                        perror("execl");
+                        _exit(1);
                 }
                 // wait for the child to finish
                 waitpid(child, NULL, 0);
@@ -256,7 +258,8 @@ void netfilter6(const char *fname) {
                 // wipe out environment variables
                 environ = NULL;
                 execl(ip6tables_restore, ip6tables_restore, NULL);
-                // it will never get here!!!
+                perror("execl");
+                _exit(1);
         }
         // wait for the child to finish
         waitpid(child, NULL, 0);
@@ -269,7 +272,8 @@ void netfilter6(const char *fname) {
                 if (child == 0) {
                         environ = NULL;
                         execl(ip6tables, ip6tables, "-vL", NULL);
-                        // it will never get here!!!
+                        perror("execl");
+                        _exit(1);
                 }
                 // wait for the child to finish
                 waitpid(child, NULL, 0);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 8021ce9a3..f5cca7494 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -488,6 +488,13 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_SECCOMP
         int enforce_seccomp = 0;
 #endif
+        if (arg_appimage) {
+                enforce_filters();
+#ifdef HAVE_SECCOMP
+                enforce_seccomp = 1;
+#endif          
+        }
+        
 #ifdef HAVE_CHROOT              
         if (cfg.chrootdir) {
                 fs_chroot(cfg.chrootdir);
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index d40d349e1..c79f1a74e 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -314,7 +314,7 @@ void x11_start_xephyr(int argc, char **argv) {
         
                 execvp(server_argv[0], server_argv);
                 perror("execvp");
-                exit(1);
+                _exit(1);
         }
 
         if (arg_debug)
@@ -355,7 +355,7 @@ void x11_start_xephyr(int argc, char **argv) {
 
                 execvp(jail_argv[0], jail_argv);
                 perror("execvp");
-                exit(1);
+                _exit(1);
         }
 
         // cleanup
@@ -434,7 +434,7 @@ void x11_start_xpra(int argc, char **argv) {
         
                 execvp(server_argv[0], server_argv);
                 perror("execvp");
-                exit(1);
+                _exit(1);
         }
 
         // check X11 socket
@@ -480,7 +480,7 @@ void x11_start_xpra(int argc, char **argv) {
 
                 execvp(attach_argv[0], attach_argv);
                 perror("execvp");
-                exit(1);
+                _exit(1);
         }
 
         setenv("DISPLAY", display_str, 1);
@@ -536,7 +536,7 @@ void x11_start_xpra(int argc, char **argv) {
                                 }
                                 execvp(stop_argv[0], stop_argv);
                                 perror("execvp");
-                                exit(1);
+                                _exit(1);
                         }
 
                         // wait for xpra server to stop, 10 seconds limit
@@ -672,7 +672,7 @@ void x11_xorg(void) {
                 execlp("/usr/bin/xauth", "/usr/bin/xauth", "-f", RUN_XAUTHORITY_SEC_FILE,
                         "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); 
                 
-                exit(0);
+                _exit(0);
         }
         // wait for the child to finish
         waitpid(child, NULL, 0);
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index 5a89e1491..bceed93d3 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -146,7 +146,7 @@ static void print_sandbox(pid_t pid) {
                         return;
                 net_ifprint();
                 printf("\n");
-                exit(0);
+                _exit(0);
         }
         
         // wait for the child to finish
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 188c10183..78a3a4fb2 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -28,6 +28,8 @@
 #include <arpa/inet.h>
 #include <time.h>
 #include <fcntl.h>
+#include <sys/uio.h>
+
 #define PIDS_BUFLEN 4096
 #define SERVER_PORT 889 // 889-899 is left unassigned by IANA
 
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 691217253..796179d0b 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -13,6 +13,10 @@ Example:
 
         netblue:--net=none --protocol=unix
 
+Wildcard patterns are accepted in the user name field:
+
+        user*: --private
+
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
 /etc/passwd file for each user that needs to be restricted. Alternatively,
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
index 2a7cb7975..b011f2bf9 100755
--- a/test/filters/noroot.exp
+++ b/test/filters/noroot.exp
@@ -46,20 +46,20 @@ expect {
 }
 send -- "sudo -s\r"
 expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
         "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
         "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
         "Bad system call" { puts "OK\n";}
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
+        timeout {puts "TESTING ERROR 8\n";exit}
         "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "3"
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "5"
 }
 
 puts "\n"
@@ -70,59 +70,59 @@ sleep 2
 
 send -- "firejail --name=test --noroot --noprofile\r"
 expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
+        timeout {puts "TESTING ERROR 10\n";exit}
         "Child process initialized"
 }
 sleep 1
 
 send -- "cat /proc/self/status\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
+        timeout {puts "TESTING ERROR 11\n";exit}
         "CapBnd:"
 }
 expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
+        timeout {puts "TESTING ERROR 12\n";exit}
         "ffffffff"
 }
 expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
+        timeout {puts "TESTING ERROR 13\n";exit}
         "Seccomp:"
 }
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
+        timeout {puts "TESTING ERROR 14\n";exit}
         "0"
 }
 expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
+        timeout {puts "TESTING ERROR 15\n";exit}
         "Cpus_allowed:"
 }
 puts "\n"
 
 send -- "whoami\r"
 expect {
-        timeout {puts "TESTING ERROR 15\n";exit}
+        timeout {puts "TESTING ERROR 16\n";exit}
         $env(USER)
 }
 send -- "sudo -s\r"
 expect {
-        timeout {puts "TESTING ERROR 16\n";exit}
+        timeout {puts "TESTING ERROR 17\n";exit}
         "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
         "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 }
 send -- "ping 0\r"
 expect {
-        timeout {puts "TESTING ERROR 17\n";exit}
+        timeout {puts "TESTING ERROR 18\n";exit}
         "Operation not permitted"
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 18\n";exit}
+        timeout {puts "TESTING ERROR 19\n";exit}
         "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 19\n";exit}
-        "3"
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "5"
 }
 
 
@@ -130,31 +130,31 @@ expect {
 spawn $env(SHELL)
 send -- "firejail --debug --join=test\r"
 expect {
-        timeout {puts "TESTING ERROR 20\n";exit}
+        timeout {puts "TESTING ERROR 21\n";exit}
         "User namespace detected"
 }
 expect {
-        timeout {puts "TESTING ERROR 21\n";exit}
+        timeout {puts "TESTING ERROR 22\n";exit}
         "Joining user namespace"
 }
 sleep 1
 
 send -- "sudo -s\r"
 expect {
-        timeout {puts "TESTING ERROR 22\n";exit}
+        timeout {puts "TESTING ERROR 23\n";exit}
         "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
         "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
         "Permission denied" { puts "OK\n";}
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 23\n";exit}
+        timeout {puts "TESTING ERROR 24\n";exit}
         "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 24\n";exit}
-        "3"
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "5"
 }
 after 100
 puts "\nall done\n"
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index d45ef48bd..3139b8eae 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -6,6 +6,9 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 
+echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
+./sys_fs.exp
+
 echo "TESTING: kmsg access (test/fs/kmsg.exp)"
 ./kmsg.exp
 
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp
new file mode 100755
index 000000000..f512776d9
--- /dev/null
+++ b/test/fs/sys_fs.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls /sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --noblacklist=/sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls /sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cgroup"
+}
+after 100
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
+