65 files changed, 980 insertions, 157 deletions
diff --git a/README b/README
index fb8ccfb6a..d6cf5389b 100644
--- a/README
+++ b/README
@@ -97,6 +97,9 @@ announ (https://github.com/announ)
 Antonio Russo (https://github.com/aerusso)
        - enumerate root directories in apparmor profile
        - fix join-or-start
+Austin Morton
+        - deterministic-exit-code option
+        - private-cwd options
 Austin S. Hemmelgarn (https://github.com/Ferroin)
        - unbound profile update
 avoidr (https://github.com/avoidr)
@@ -176,6 +179,8 @@ curiosity-seeker (https://github.com/curiosity-seeker)
        - write-protection for thumbnailer dir
        - added gramps, newsboat, freeoffice-planmaker profiles
        - added freeoffice-textmaker, freeoffice-presentations profiles
+        - added cantata profile
+        - updated keypassxc profile
 da2x (https://github.com/da2x)
        - matched RPM license tag
 Daan Bakker (https://github.com/dbakker)
@@ -304,6 +309,8 @@ greigdp (https://github.com/greigdp)
        - fixed spotify profile
        - added Slack profile
        - add Spotify profile
+grizzlyuser (https://github.com/grizzlyuser)
+        - added support for youtube-dl in smplayer profile
 GSI (https://github.com/GSI)
        - added Uzbl browser profile
 hamzadis (https://github.com/hamzadis)
@@ -353,6 +360,7 @@ Jean Lucas (https://github.com/flacks)
        - fix wire profile
        - add Beaker profile
        - fixes for gnome-music
+        - allow reading of system-wide Flatpak locale in gajim profile
 Jericho (https://github.com/attritionorg)
        - spelling
 Jesse Smith (https://github.com/slicer69)
@@ -368,6 +376,8 @@ John Mullee (https://github.com/jmullee)
 Jonas Heinrich (https://github.com/onny)
        - added signal-desktop profile
        - fixed franz profile
+Jose Riha (https://github.com/jose1711)
+        - added meteo-qt profile
 jrabe (https://github.com/jrabe)
        - disallow access to kdbx files
        - Epiphany profile
@@ -513,6 +523,10 @@ pszxzsd (https://github.com/pszxzsd)
        -uGet profile
 pwnage-pineapple (https://github.com/pwnage-pineapple)
        - update Okular profile
+Quentin Minster (https://github.com/laomaiweng)
+        - propagate --quiet to children Firejail'ed processes
+        - nodbus enhancements/bugfixes
+        - added vim syntax and ftdetect files
 Rafael Cavalcanti (https://github.com/rccavalcanti)
        - chromium profile fixes for Arch Linux
 Rahiel Kasim (https://github.com/rahiel)
@@ -550,23 +564,11 @@ rusty-snake (https://github.com/rusty-snake)
        - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano
        - added profiles: gajim-history-manager, freemind, nomacs, kid3
        - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap
-        - added profiles: oggsplt, flacsplt, cheese
+        - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk
-        - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse
+        - added profiles: ktouch, yelp
-        - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool
+        - many profile fixing and hardening
-        - fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany
-        - fixed profiles: vim, emacs, pycharm-community, gedit, klavaro
-        - fixed profiles: default, mpv, authenticator, gramps, webstorm
-        - fixed profiles: freeoffice-planmaker, freeoffice-presentations
-        - fixed profiles: freeoffice-textmaker, code, newsboat, aosp, clion
-        - fixed profiles: android-studio, git, gitg, github-desktop, idea.sh
-        - fixed profiles: ffmpeg, thunderbird, gnome-system-log, file-roller
-        - fixed profiles: eog, eom
-        - hardened profiles: disable-common.inc, disable-programs.inc
-        - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
-        - hardened profiles: gnome-clocks, meld, minetest, youtube-dl
-        - hardened profiles: bibletime, whois, etr, display, feh, mpv
-        - gnome-mpv was renamed to celluloid
        - some typo fixes
+        - added profile templates
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
        - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
@@ -750,6 +752,8 @@ veloute (https://github.com/veloute)
        - add anki profile
 Vincent43 (https://github.com/Vincent43)
        - apparmor enhancements
+Vincent Blillault (https://github.com/Feandil)
+        - fix mumble profile
 vismir2 (https://github.com/vismir2)
        - feh, ranger, 7z, keepass, keepassx and zathura profiles
        - claws-mail, mutt, git, emacs, vim profiles
diff --git a/README.md b/README.md
index dc02ac527..0f692006b 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,10 @@ FAQ: https://firejail.wordpress.com/support/
 Travis-CI status: https://travis-ci.org/netblue30/firejail
+## Security vulnerabilities
+We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com
 ## Compile and install
 `````
 $ git clone https://github.com/netblue30/firejail.git
@@ -95,18 +99,14 @@ If you keep additional Firejail security profiles in a public repository, please
 Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139)
-We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory .
+You can also use this tool to get a list of syscalls needed by a program: [https://github.com/avilum/syscalls](https://github.com/avilum/syscalls).
+We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
 `````
 `````
-## Current development version: 0.9.60-rc2
+## Latest released version: 0.9.60
-## 0.9.60-rc1 is out!
+## Current development version: 0.9.61
 ## New profiles:
-anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, cheese, code-oss, crawl, crawl-tiles, crow, d-feet, dconf,
-dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, freemind,
-gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gramps, gsettings, kid3, kid3-cli, kid3-qt, lincity-ng, lugaru,
-Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, newsboat, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol,
-pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof,
-sysprof-cli, teeworlds, torcs, tremulous, transgui, utox, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer
diff --git a/RELNOTES b/RELNOTES
index 458f9a51e..f060e64a0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,4 +1,19 @@
-firejail (0.9.60~rc2) baseline; urgency=low
+firejail (0.9.60) baseline; urgency=low
+  * work in progress
+  * profile templates
+ -- netblue30 <netblue30@yahoo.com>  Sun, 26 May 2019 08:00:00 -0500
+firejail (0.9.60) baseline; urgency=low
+  * security bug reported by Austin Morton:
+    Seccomp filters are copied into /run/firejail/mnt, and are writable
+    within the jail. A malicious process can modify files from inside the
+    jail. Processes that are later joined to the jail will not have seccomp
+    filters applied.
+  * memory-deny-write-execute now also blocks memfd_create
+  * add private-cwd option to control working directory within jail
+  * blocking system D-Bus socket with --nodbus
+  * bringing back Centos 6 support
+  * drop support for flatpak/snap packages
  * new profiles: crow, nyx, mypaint, celluoid, nano, transgui, mpdris2
  * new profiles: sysprof, simplescreenrecorder, geekbench, xfce4-mixer
  * new profiles: pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring
@@ -15,9 +30,8 @@ firejail (0.9.60~rc2) baseline; urgency=low
  * new profiles: oggsplt, flacsplt, gramps, newsboat, freeoffice-planmaker
  * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell
  * new profiles: freeoffice-presentations, freeoffice-textmaker, mp3wrap
-  * memory-deny-write-execute now also blocks memfd_create
+  * new profiles: inkview, meteo-qt, mp3splt-gtk, ktouch, yelp, cantata
-  * drop support for flatpak/snap packages
+ -- netblue30 <netblue30@yahoo.com>  Sun, 26 May 2019 08:00:00 -0500
- -- netblue30 <netblue30@yahoo.com>  Sun, 21 Apr 2019 08:00:00 -0500
 firejail (0.9.58,2) baseline; urgency=low
  * cgroup flag in /etc/firejail/firejail.config file
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..96da4aff7
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security Policy
+## Supported Versions
+| Version | Supported by us    | EOL  | Supported by distribution |
+| ------- | ------------------ | ---- | ---------------------------
+| 0.9.60  | :heavy_check_mark: |      | :white_check_mark: Debian experimental
+| 0.9.58  |:heavy_check_mark:  |      | :white_check_mark: Ubuntu 19.04 & 19.10; Debian 9 (**backports**), 10, & Sid
+| 0.9.56  | :x:                | 27 Jan 2019 |
+| 0.9.54  | :x:                |      | :white_check_mark: Ubuntu 18.10
+| 0.9.52  | :x:                |      | :white_check_mark: Ubuntu 18.04 LTS
+| 0.9.50  | :x:                | 12 Dec 2017 |
+| 0.9.48  | :x:                | 09 Sep 2017 |
+| 0.9.46  | :x:                | 12 Jun 2017 |
+| 0.9.44  | :x:                |      | :white_check_mark: Debian 9
+| 0.9.42  | :x:                | 22 Oct 2016     |
+| 0.9.40  | :x:                | 09 Sep 2016     |
+| 0.9.38  | :x:                |      | :white_check_mark: Ubuntu 16.04 LTS
+| <0.9.38 | :x:                | Before 05 Feb 2016 |
+## Security vulnerabilities
+We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com
diff --git a/configure b/configure
index 0eece5428..d47e0cbb0 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.60~rc2.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.61.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.60~rc2'
+PACKAGE_VERSION='0.9.61'
-PACKAGE_STRING='firejail 0.9.60~rc2'
+PACKAGE_STRING='firejail 0.9.61'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='https://firejail.wordpress.com'
@@ -1275,7 +1275,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.60~rc2 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.61 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1337,7 +1337,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.60~rc2:";;
+     short | recursive ) echo "Configuration of firejail 0.9.61:";;
   esac
  cat <<\_ACEOF
@@ -1442,7 +1442,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.60~rc2
+firejail configure 0.9.61
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1744,7 +1744,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.60~rc2, which was
+It was created by firejail $as_me 0.9.61, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@@ -4379,7 +4379,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.60~rc2, which was
+This file was extended by firejail $as_me 0.9.61, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@@ -4433,7 +4433,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.60~rc2
+firejail config.status 0.9.61
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 4d0b847f5..40ead1604 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.60~rc2, netblue30@yahoo.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.61, netblue30@yahoo.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README
new file mode 100644
index 000000000..9f85a0e00
--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/README
@@ -0,0 +1,11 @@
+These are patches for various Firejail versions for the security bug reported by Austin Morton
+on May 21, 2019:
+    Seccomp filters are copied into /run/firejail/mnt, and are writable
+    within the jail. A malicious process can modify files from inside the
+    jail. Processes that are later joined to the jail will not have seccomp
+    filters applied.
+The original discussion thread: https://github.com/netblue30/firejail/issues/2718
+The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
diff --git a/etc-fixes/seccomp-join-bug/eecf35c-backports.zip b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip
new file mode 100644
index 000000000..59782461e
--- /dev/null
+++ b/etc-fixes/seccomp-join-bug/eecf35c-backports.zip
Binary files differ
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index a9960ebea..b4325cd74 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -40,4 +40,4 @@ private
 # private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
 private-dev
 # private-etc alternatives,ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-private-tmp
+#private-tmp
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 2c2f88ed5..287e5f52e 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -33,6 +33,6 @@ private
 private-cache
 private-dev
 private-tmp
-read-write /var/lib/bitlbee
 noexec /tmp
+read-write /var/lib/bitlbee
diff --git a/etc/cantata.profile b/etc/cantata.profile
new file mode 100644
index 000000000..e4a4de9c1
--- /dev/null
+++ b/etc/cantata.profile
@@ -0,0 +1,40 @@
+# Firejail profile for Cantata
+# Description: Multimedia player - Qt5 client for the music Player daemon (MPD)
+# This file is overwritten during software install.
+# Persistent local customizations
+include cantata.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/cantata
+noblacklist ${HOME}/.config/cantata
+noblacklist ${HOME}/.local/share/cantata
+noblacklist ${MUSIC}
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+# apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nonewprivs
+noroot
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+# private-etc samba,gcrypt,drirc,fonts,mpd.conf,kde5rc,passwd,xdg,hosts,ssl
+private-bin cantata,mpd,perl
+private-dev
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 7de2a620f..5481f976f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -94,6 +94,7 @@ blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
@@ -128,6 +129,7 @@ blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
+blacklist ${HOME}/.config/cantata
 blacklist ${HOME}/.config/catfish
 blacklist ${HOME}/.config/celluloid
 blacklist ${HOME}/.config/cherrytree
@@ -208,6 +210,7 @@ blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
 blacklist ${HOME}/.config/ktorrentrc
+blacklist ${HOME}/.config/ktouch2rc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
@@ -218,6 +221,7 @@ blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
+blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mono
@@ -305,6 +309,7 @@ blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
+blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
@@ -436,6 +441,7 @@ blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
@@ -451,6 +457,7 @@ blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/bibletime
 blacklist ${HOME}/.local/share/caja-python
+blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/contacts
@@ -491,6 +498,7 @@ blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
+blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/local-mail
@@ -549,6 +557,7 @@ blacklist ${HOME}/.minetest
 blacklist ${HOME}/.moonchild productions/basilisk
 blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.mp3splt-gtk
 blacklist ${HOME}/.mpd
 blacklist ${HOME}/.mpdconf
 blacklist ${HOME}/.mplayer
@@ -572,6 +581,7 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
+blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
 blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
@@ -648,6 +658,7 @@ blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/bnox
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre
+blacklist ${HOME}/.cache/cantata
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
diff --git a/etc/eo-common.profile b/etc/eo-common.profile
new file mode 100644
index 000000000..ad18e10c4
--- /dev/null
+++ b/etc/eo-common.profile
@@ -0,0 +1,47 @@
+# Firejail profile for eo-common
+# Description: Common profile for Eye of GNOME/MATE graphics viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include eo-common.local
+# Persistent global definitions
+# already included by caller profile
+#include globals.local
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0
+private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
+private-tmp
+#memory-deny-write-execute - breaks on Arch
diff --git a/etc/eog.profile b/etc/eog.profile
index 1dcc687fc..8e3aa42fe 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -6,46 +6,12 @@ include eog.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/eog
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.steam
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-ipc-namespace
-machine-id
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
 # comment those if you need that functionality
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
-private-cache
-private-dev
-private-etc alternatives,fonts
-private-lib eog,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
-private-tmp
-# memory-deny-write-execute
+# Redirect
+include eo-common.profile
diff --git a/etc/eom.profile b/etc/eom.profile
index 7cb3f98cd..437326d38 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -6,42 +6,12 @@ include eom.local
 # Persistent global definitions
 include globals.local
-noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/mate/eom
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.steam
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include whitelist-var-common.inc
-caps.drop all
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'
 # comment those if you need that functionality
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eom.local
 private-bin eom
-private-dev
-private-etc alternatives,fonts
-private-lib
-private-tmp
-#memory-deny-write-execute - breaks on Arch
+# Redirect
+include eo-common.profile
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 2ee4aae6f..f694ea212 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -41,7 +41,7 @@ shell none
 tracelog
 # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
-# Users on non-Arch Linux distributions can safely uncomment the below to enable extra hardening.
+# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
 #private-bin exiftool,perl
 private-cache
 private-dev
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 080d9e81a..bccbb3412 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -9,7 +9,7 @@ include firefox-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-# Uncomment the following line to allow access to common programs/addons/plugins.
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
 noblacklist ${HOME}/.pki
diff --git a/etc/firejail.config b/etc/firejail.config
index 497d9633e..92df8ad1a 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -32,7 +32,7 @@
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
 # to these directories is enabled. Unlike --disable-mnt profile option this
-# cannot be overridden by --noblacklist.
+# cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 # Enable or disable file transfer support, default enabled.
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 2f4626891..04409a5e4 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -18,7 +18,10 @@ include disable-xdg.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
+machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -35,6 +38,7 @@ tracelog
 disable-mnt
 private-bin fairymax,gnome-chess,hoichess,gnuchess
+private-cache
 private-dev
-private-etc alternatives,fonts,gnome-chess
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
 private-tmp
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 47e6e5265..51662b59c 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -29,8 +29,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# Causes gpg to hang
+shell none
-#shell none
 tracelog
 # private-bin gpg,gpg-agent
diff --git a/etc/inkview.profile b/etc/inkview.profile
new file mode 100644
index 000000000..6c0127f37
--- /dev/null
+++ b/etc/inkview.profile
@@ -0,0 +1,8 @@
+# Firejail profile for inkview
+# Description: an SVG slideshow program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include inkview.local
+# Redirect
+include inkscape.profile
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 33b4509b7..c1adfd516 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -41,7 +41,7 @@ protocol netlink,unix
 seccomp
 shell none
-private-bin keepassxc
+private-bin keepassxc,keepassxc-proxy
 private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
diff --git a/etc/ktouch.profile b/etc/ktouch.profile
new file mode 100644
index 000000000..446bc50ee
--- /dev/null
+++ b/etc/ktouch.profile
@@ -0,0 +1,50 @@
+# Firejail profile for KTouch
+# Description: a typing tutor by KDE
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ktouch.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/ktouch2rc
+noblacklist ${HOME}/.local/share/ktouch
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkfile ${HOME}/.config/ktouch2rc
+mkdir ${HOME}/.local/share/ktouch
+whitelist ${HOME}/.config/ktouch2rc
+whitelist ${HOME}/.local/share/ktouch
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin ktouch
+private-cache
+private-dev
+private-etc alternatives,fonts,kde5rc,machine-id
+private-tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 6e77cd741..5bb943323 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -29,9 +29,7 @@ include whitelist-var-common.inc
 # comment the next line to use the ubuntu profile instead of firejail's apparmor profile
 apparmor
 caps.drop all
-#machine-id
 netfilter
-#nodbus
 nodvd
 nogroups
 # comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
@@ -50,5 +48,4 @@ tracelog
 private-dev
 private-tmp
 join-or-start libreoffice
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile
index ce6486115..e4da0c66a 100644
--- a/etc/masterpdfeditor.profile
+++ b/etc/masterpdfeditor.profile
@@ -20,9 +20,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-ipc-namespace
 machine-id
-no3d
 nodvd
 nogroups
 nonewprivs
@@ -36,7 +34,6 @@ seccomp
 shell none
 tracelog
-private-bin masterpdfedito*
 private-cache
 private-dev
 private-etc alternatives,fonts
diff --git a/etc/meteo-qt.profile b/etc/meteo-qt.profile
new file mode 100644
index 000000000..a769a97ec
--- /dev/null
+++ b/etc/meteo-qt.profile
@@ -0,0 +1,53 @@
+# Firejail profile for meteo-qt
+# Description: System tray application for weather status information
+# This file is overwritten after every install/update
+# Persistent local customizations
+include meteo-qt.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/autostart
+noblacklist ${HOME}/.config/meteo-qt
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+whitelist ${HOME}/.config/autostart
+mkdir ${HOME}/.config/meteo-qt
+whitelist ${HOME}/.config/meteo-qt
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin meteo-qt,python*
+private-cache
+private-dev
+private-tmp
+memory-deny-write-execute
diff --git a/etc/mp3splt-gtk.profile b/etc/mp3splt-gtk.profile
new file mode 100644
index 000000000..d14006112
--- /dev/null
+++ b/etc/mp3splt-gtk.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mp3splt-gtk
+# Description: Gtk utility for mp3/ogg splitting without decoding
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mp3splt-gtk.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.mp3splt-gtk
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin mp3splt-gtk
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,fonts,gtk-3.0,dconf,machine-id,openal,pulse
+private-tmp
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
index ceeb59384..b2249f63b 100644
--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -24,7 +24,7 @@ ipc-namespace
 # net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-# nodbus - breaks preferences, comment when needed
+# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed
 nodbus
 nodvd
 nogroups
@@ -39,12 +39,10 @@ shell none
 tracelog
 # disable-mnt
-# private
 private-bin ocenaudio
 private-cache
 private-dev
 private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
-# private-lib
 private-tmp
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/orage.profile b/etc/orage.profile
index 2c55ab909..4e12892d6 100644
--- a/etc/orage.profile
+++ b/etc/orage.profile
@@ -24,7 +24,7 @@ nodvd
 nogroups
 nonewprivs
 noroot
-nosound
+# nosound - calendar application, It must be able to play sound to wake you up.
 notv
 nou2f
 novideo
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 444478149..bdd5404f5 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,9 +6,7 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
-mkdir ${HOME}/.purple
 noblacklist ${HOME}/.purple
-whitelist ${HOME}/.purple
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
@@ -20,6 +18,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.purple
+whitelist ${HOME}/.purple
 include whitelist-common.inc
 include whitelist-var-common.inc
diff --git a/etc/qgis.profile b/etc/qgis.profile
new file mode 100644
index 000000000..45fe59cf7
--- /dev/null
+++ b/etc/qgis.profile
@@ -0,0 +1,60 @@
+# Firejail profile for qgis
+# Description: GIS application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qgis.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/QtProject.conf
+noblacklist ${HOME}/.config/QGIS
+noblacklist ${HOME}/.local/share/QGIS
+noblacklist ${HOME}/.qgis2
+noblacklist ${DOCUMENTS}
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/QGIS
+mkdir ${HOME}/.qgis2
+mkdir ${HOME}/.config/QGIS
+whitelist ${HOME}/.local/share/QGIS
+whitelist ${HOME}/.qgis2
+whitelist ${HOME}/.config/QGIS
+whitelist ${DOCUMENTS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+machine-id
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# blacklisting of mbind system calls breaks old version
+seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,set_mempolicy,migrate_pages,move_pages,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+protocol unix,inet,inet6,netlink
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl,QGIS,QGIS.conf,Trolltech.conf
+private-tmp
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index cd9f6c767..fc54a0716 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -50,7 +50,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
-# shell none - causes gpg to hang
+shell none
 tracelog
 disable-mnt
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 6f7f6ec85..00c2aabe2 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -6,9 +6,6 @@ include spotify.local
 include globals.local
 blacklist ${HOME}/.bashrc
-blacklist /lost+found
-blacklist /sbin
-blacklist /srv
 noblacklist ${HOME}/.cache/spotify
 noblacklist ${HOME}/.config/spotify
@@ -49,5 +46,6 @@ private-bin spotify,bash,sh,zenity
 private-dev
 private-etc alternatives,fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
 private-opt spotify
+private-srv none
 private-tmp
diff --git a/etc/sysprof.profile b/etc/sysprof.profile
index 3cfea5c5e..e978e03f2 100644
--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -24,7 +24,7 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# Ubuntu 16.04 version needs root privileges - uncomment if you don't use that
+# Ubuntu 16.04 version needs root privileges - uncomment or put in sysprof.local if you don't use that
 #noroot
 nosound
 notv
diff --git a/etc/templates/Notes b/etc/templates/Notes
new file mode 100644
index 000000000..a4170207b
--- /dev/null
+++ b/etc/templates/Notes
@@ -0,0 +1,7 @@
+Notes
+=====
+ * Lines with one # are often used
+ * Lines with two ## are only in special situation needed
+ * Add programs specific paths like .config/program to disable-programs.inc
+ * Add the name of the profile/program to src/firecfg/firecfg.config
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
new file mode 100644
index 000000000..d7da0ed20
--- /dev/null
+++ b/etc/templates/profile.template
@@ -0,0 +1,82 @@
+# Firejail profile for PROGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+##quiet
+# Persistent local customizations
+#include PROFILE.local
+# Persistent global definitions
+#include globals.local
+##ignore noexec ${HOME}
+##blacklist PATH
+#noblacklist PATH
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
+#noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+#noblacklist /usr/local/lib/python3*
+#include disable-common.inc
+#include disable-devel.inc
+#include disable-exec.inc
+#include disable-interpreters.inc
+#include disable-passwdmgr.inc
+#include disable-programs.inc
+#include disable-xdg.inc
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+#include whitelist-common.inc
+#include whitelist-var-common.inc
+#apparmor
+#caps.drop all
+# CLI only
+##ipc-namespace
+#machine-id
+# 'net none' or 'netfilter'
+#net none
+#netfilter
+#no3d
+#nodbus
+#nodvd
+#nogroups
+#nonewprivs
+#noroot
+#nosound
+#notv
+#nou2f
+#novideo
+#protocol unix,inet,inet6,netlink
+#seccomp
+##seccomp.drop SYSCALLS
+#shell none
+#tracelog
+#disable-mnt
+##private
+#private-bin PROGRAMS
+#private-cache
+#private-dev
+#private-etc FILES
+# private-etc templates (see also #1734)
+#  Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+#  Sound: alsa,asound.conf,machine-id,openal,pulse
+#  GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
+#  KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
+#  GUIs: fonts
+#  Alternatives: alternatives
+##private-lib LIBS
+##private-opt NAME
+#private-tmp
+##env VAR=VALUE
+#memory-deny-write-execute
+##read-only ${HOME}
+##join-or-start NAME
diff --git a/etc/templates/redirect_alias-profile.template b/etc/templates/redirect_alias-profile.template
new file mode 100644
index 000000000..56dd43ca4
--- /dev/null
+++ b/etc/templates/redirect_alias-profile.template
@@ -0,0 +1,36 @@
+# Firejail profile for PRGOGRAM_NAME
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PROFILE.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+#NOTE: let include globals.local commented
+# Additional blacklisting (if needed)
+#blacklist PATH
+# Additional noblacklisting (if needed)
+#noblacklist PATH
+# Additional whitelisting (if needed)
+#mkdir PATH
+#mkfile PATH
+#whitelist PATH
+# Additional options if needed (see firejail-profile.example)
+# Add programs to private-bin (if needed)
+#private-bin PROGRAMS
+# Add files to private-etc (if needed)
+#private-etc FILES
+# Ignore something that is in the included profile
+#ignore net none
+#ignore private-bin
+#ignore seccomp
+#...
+# Redirect
+include PROFILE.profile
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
new file mode 100644
index 000000000..ec8247517
--- /dev/null
+++ b/etc/templates/syscalls.txt
@@ -0,0 +1,43 @@
+Hints for writing seccomp.drop lines
+====================================
+@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
+@module=delete_module,finit_module,init_module
+@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
+@reboot=kexec_load,kexec_file_load,reboot,
+@swap=swapon,swapoff
+@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
+@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
+@resources=set_mempolicy,migrate_pages,move_pages,mbind
+@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
+@default-nodebuggers=@default,ptrace,personality,process_vm_readv
+@default-keep=execve,prctl
+---------+----------------+---------------+
+| @clock  | @cpu-emulation | @default-keep |
+| @module | @debug         |               |
+| @raw-io | @obsolete      |               |
+| @reboot | @resources     |               |
+| @swap   |                |               |
+---------+----------------+---------------+
+     :              :
+-------------+     :
+| @privileged |     :
+-------------+     :
+     :              :
+----------+        :
+| @default |........:
+----------+
+    :
+----------------------+
+| @default-nodebuggers |
+----------------------+
diff --git a/etc/transgui.profile b/etc/transgui.profile
index 8043bfa01..0d09cef87 100644
--- a/etc/transgui.profile
+++ b/etc/transgui.profile
@@ -2,7 +2,7 @@
 # Description: Cross-platform Transmission BitTorrent client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include /etc/firejail/transgui.local
+include transgui.local
 # Persistent global definitions
 include globals.local
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index 3ad03e2c6..33056395e 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.xiphos
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -20,8 +21,11 @@ include disable-programs.inc
 whitelist ${HOME}/.sword
 whitelist ${HOME}/.xiphos
 include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
+machine-id
 netfilter
 nodvd
 nogroups
@@ -36,7 +40,9 @@ seccomp
 shell none
 tracelog
+disable-mnt
 private-bin xiphos
+private-cache
 private-dev
-private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,resolv.conf,sword,ca-certificates,ssli,sword.conf,pki,crypto-policies
 private-tmp
diff --git a/etc/yelp.profile b/etc/yelp.profile
new file mode 100644
index 000000000..66f094e1d
--- /dev/null
+++ b/etc/yelp.profile
@@ -0,0 +1,51 @@
+# Firejail profile for yelp
+# Description: Help browser for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include yelp.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/yelp
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/yelp
+whitelist ${HOME}/.config/yelp
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin yelp
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
+private-tmp
+# read-only ${HOME} breaks some not necesarry featrues, comment it if
+# you need them or put 'ignore read-only ${HOME}' into your yelp.local.
+# broken features:
+#  1. yelp --editor-mode
+#  2. saving the window geometry
+read-only ${HOME}
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 2d4902b91..48789359d 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -92,6 +92,7 @@ calligraplanwork
 calligrasheets
 calligrastage
 calligrawords
+cantata
 catfish
 celluloid
 checkbashisms
@@ -131,7 +132,6 @@ deluge
 devhelp
 dex2jar
 dia
-dig
 digikam
 dillo
 dino
@@ -281,6 +281,7 @@ idea.sh
 imagej
 img2txt
 inkscape
+inkview
 inox
 iridium
 iridium-browser
@@ -313,6 +314,7 @@ kopete
 krita
 # krunner
 ktorrent
+ktouch
 # kwin_x11
 kwrite
 leafpad
@@ -360,11 +362,13 @@ megaglest_editor
 meld
 mencoder
 mendeleydesktop
+meteo-qt
 midori
 min
 minetest
 mousepad
 mp3splt
+mp3splt-gtk
 mp3wrap
 mpDris2
 mplayer
@@ -446,6 +450,7 @@ pybitmessage
 # pycharm-professional
 qbittorrent
 qemu-launcher
+qgis
 qlipper
 qmmp
 qpdfview
@@ -632,6 +637,7 @@ xreader-previewer
 xreader-thumbnailer
 xviewer
 yandex-browser
+yelp
 youtube-dl
 zaproxy
 zart
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
index e847719cf..71e5d625d 100644
--- a/src/firecfg/firecfg.h
+++ b/src/firecfg/firecfg.h
@@ -17,6 +17,8 @@
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifndef FIRECFG_H
+#define FIRECFG_H
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <sys/types.h>
@@ -48,3 +50,5 @@ void sound(void);
 // desktop_files.c
 void fix_desktop_files(char *homedir);
+#endif
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index baa41e85e..b856ff809 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -19,7 +19,7 @@
 */
 #include "firejail.h"
-void dbus_session_disable(void) {
+void dbus_disable(void) {
        if (!checkcfg(CFG_DBUS)) {
                fwarning("D-Bus handling is disabled in Firejail configuration file\n");
                return;
@@ -29,7 +29,7 @@ void dbus_session_disable(void) {
        if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1)
                errExit("asprintf");
        char *env_var;
-        if (asprintf(&env_var, "DBUS_SESSION_BUS_ADDRESS=unix:path=%s", path) == -1)
+        if (asprintf(&env_var, "unix:path=%s", path) == -1)
                errExit("asprintf");
        // set a new environment variable: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/<UID>/bus
@@ -43,6 +43,17 @@ void dbus_session_disable(void) {
        free(path);
        free(env_var);
+        // blacklist the dbus-launch user directory
+        if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1)
+                errExit("asprintf");
+        disable_file_or_dir(path);
+        free(path);
+        // blacklist also system D-Bus socket
+        disable_file_or_dir("/run/dbus/system_bus_socket");
        // look for a possible abstract unix socket
        // --net=none
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 2e9f516ba..f15e1362f 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -160,6 +160,11 @@ void env_defaults(void) {
        // set the window title
        if (!arg_quiet)
                printf("\033]0;firejail %s\007", cfg.window_title);
+        // pass --quiet as an environment variable, in case the command calls further firejailed commands
+        if (arg_quiet)
+                setenv("FIREJAIL_QUIET", "yes", 1);
        fflush(0);
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2e04084e3..fd6cb9ff2 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -283,6 +283,7 @@ extern int arg_private_srv;	// private srv directory
 extern int arg_private_bin;     // private bin directory
 extern int arg_private_tmp;     // private tmp directory
 extern int arg_private_lib;     // private lib directory
+extern int arg_private_cwd;     // private working directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist command
 extern int arg_nosound; // disable sound
@@ -315,6 +316,7 @@ extern int arg_notv;	// --notv
 extern int arg_nodvd;   // --nodvd
 extern int arg_nou2f;   // --nou2f
 extern int arg_nodbus; // -nodbus
+extern int arg_deterministic_exit_code; // always exit with first child's exit status
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -521,6 +523,8 @@ void fs_private(void);
 void fs_private_homedir(void);
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void);
+// check new private working directory (--private-cwd= option) - exit if it fails
+void fs_check_private_cwd(const char *dir);
 void fs_private_home_list(void);
@@ -782,6 +786,6 @@ void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 // dbus.c
-void dbus_session_disable(void);
+void dbus_disable(void);
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f9d968427..f3ef97aeb 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,7 +27,11 @@
 #include <glob.h>
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 #define MAX_BUF 4096
 #define EMPTY_STRING ("")
@@ -1515,6 +1519,8 @@ void fs_private_tmp(void) {
        // whitelist x11 directory
        profile_add("whitelist /tmp/.X11-unix");
+        // read-only x11 directory
+        profile_add("read-only /tmp/.X11-unix");
        // whitelist any pulse* file in /tmp directory
        // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index e35bf073d..3f6d78db4 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -22,7 +22,6 @@
 #include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -31,6 +30,11 @@
 #include <grp.h>
 //#include <ftw.h>
+#include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 static void skel(const char *homedir, uid_t u, gid_t g) {
        char *fname;
@@ -366,6 +370,21 @@ void fs_check_private_dir(void) {
        }
 }
+// check new private working directory (--private-cwd= option) - exit if it fails
+void fs_check_private_cwd(const char *dir) {
+        EUID_ASSERT();
+        invalid_filename(dir, 0); // no globbing
+        // Expand the working directory
+        cfg.cwd = expand_macros(dir);
+        // realpath/is_dir not used because path may not exist outside of jail
+        if (strstr(cfg.cwd, "..")) {
+                fprintf(stderr, "Error: invalid private working directory\n");
+                exit(1);
+        }
+}
 //***********************************************************************************
 // --private-home
 //***********************************************************************************
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index d128065d3..bce44b9e5 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -24,9 +24,13 @@
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
+#include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 // mountinfo functionality test;
 // 1. enable TEST_MOUNTINFO definition
 // 2. run firejail --whitelist=/any/directory
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ece4c2cb5..c50ed4dc4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -92,6 +92,7 @@ int arg_private_srv = 0;			// private srv directory
 int arg_private_bin = 0;                        // private bin directory
 int arg_private_tmp = 0;                        // private tmp directory
 int arg_private_lib = 0;                        // private lib directory
+int arg_private_cwd = 0;                        // private working directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist command
 int arg_nosound = 0;                            // disable sound
@@ -125,6 +126,7 @@ int arg_notv = 0;	// --notv
 int arg_nodvd = 0; // --nodvd
 int arg_nodbus = 0; // -nodbus
 int arg_nou2f = 0; // --nou2f
+int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
 int login_shell = 0;
@@ -630,6 +632,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--get=", 6) == 0) {
                if (checkcfg(CFG_FILE_TRANSFER)) {
                        logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --get and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
                        // verify path
                        if ((i + 2) != argc) {
@@ -654,6 +660,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--put=", 6) == 0) {
                if (checkcfg(CFG_FILE_TRANSFER)) {
                        logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --put and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
                        // verify path
                        if ((i + 3) != argc) {
@@ -684,6 +694,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
        else if (strncmp(argv[i], "--ls=", 5) == 0) {
                if (checkcfg(CFG_FILE_TRANSFER)) {
                        logargs(argc, argv);
+                        if (arg_private_cwd) {
+                                fprintf(stderr, "Error: --ls and --private-cwd options are mutually exclusive\n");
+                                exit(1);
+                        }
                        // verify path
                        if ((i + 2) != argc) {
@@ -907,7 +921,8 @@ int main(int argc, char **argv) {
        // get starting timestamp, process --quiet
        start_timestamp = getticks();
-        if (check_arg(argc, argv, "--quiet", 1))
+        char *env_quiet = getenv("FIREJAIL_QUIET");
+        if (check_arg(argc, argv, "--quiet", 1) || (env_quiet && strcmp(env_quiet, "yes") == 0))
                arg_quiet = 1;
        // cleanup at exit
@@ -1772,6 +1787,19 @@ int main(int argc, char **argv) {
                        else
                                exit_err_feature("private-cache");
                }
+                else if (strcmp(argv[i], "--private-cwd") == 0) {
+                        cfg.cwd = NULL;
+                        arg_private_cwd = 1;
+                }
+                else if (strncmp(argv[i], "--private-cwd=", 14) == 0) {
+                        if (*(argv[i] + 14) == '\0') {
+                                fprintf(stderr, "Error: invalid private-cwd option\n");
+                                exit(1);
+                        }
+                        fs_check_private_cwd(argv[i] + 14);
+                        arg_private_cwd = 1;
+                }
                //*************************************
                // hostname, etc
@@ -2274,6 +2302,9 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
+                else if (strcmp(argv[i], "--deterministic-exit-code") == 0) {
+                        arg_deterministic_exit_code = 1;
+                }
                else {
                        // double dash - positional params to follow
                        if (strcmp(argv[i], "--") == 0) {
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 0717b2044..7369ad247 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -19,7 +19,11 @@
 */
 #include "firejail.h"
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 #define MAX_BUF 4096
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c8619f7e2..99d83c16a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -338,7 +338,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_private = 1;
                return 0;
        }
-        if (strncmp(ptr, "private-home ", 13) == 0) {
+        else if (strncmp(ptr, "private-home ", 13) == 0) {
 #ifdef HAVE_PRIVATE_HOME
                if (checkcfg(CFG_PRIVATE_HOME)) {
                        if (cfg.home_private_keep) {
@@ -353,6 +353,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                return 0;
        }
+        else if (strcmp(ptr, "private-cwd") == 0) {
+                cfg.cwd = NULL;
+                arg_private_cwd = 1;
+                return 0;
+        }
+        else if (strncmp(ptr, "private-cwd ", 12) == 0) {
+                fs_check_private_cwd(ptr + 12);
+                arg_private_cwd = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "allusers") == 0) {
                arg_allusers = 1;
                return 0;
@@ -1301,6 +1311,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
+        if (strcmp(ptr, "deterministic-exit-code") == 0) {
+                arg_deterministic_exit_code = 1;
+                return 0;
+        }
        // rest of filesystem
        if (strncmp(ptr, "blacklist ", 10) == 0)
                ptr += 10;
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 26beaf35a..e3f237b8e 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -24,7 +24,11 @@
 #include <sys/mount.h>
 #include <dirent.h>
 #include <sys/wait.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 101a16d00..2c5c5fc12 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -271,6 +271,7 @@ static int monitor_application(pid_t app_pid) {
        }
        int status = 0;
+        int app_status = 0;
        while (monitored_pid) {
                usleep(20000);
                char *msg;
@@ -295,6 +296,8 @@ static int monitor_application(pid_t app_pid) {
                                sleep(1);
                                break;
                        }
+                        else if (rv == app_pid)
+                                app_status = status;
                        // handle --timeout
                        if (options) {
@@ -352,8 +355,8 @@ static int monitor_application(pid_t app_pid) {
                        printf("Sandbox monitor: monitoring %d\n", monitored_pid);
        }
-        // return the latest exit status.
+        // return the appropriate exit status.
-        return status;
+        return arg_deterministic_exit_code ? app_status : status;
 }
 static void print_time(void) {
@@ -923,7 +926,7 @@ int sandbox(void* sandbox_arg) {
        // Session D-BUS
        //****************************
        if (arg_nodbus)
-                dbus_session_disable();
+                dbus_disable();
        //****************************
@@ -1016,6 +1019,10 @@ int sandbox(void* sandbox_arg) {
        if (cfg.cwd) {
                if (chdir(cfg.cwd) == 0)
                        cwd = 1;
+                else if (arg_private_cwd) {
+                        fprintf(stderr, "Error: unable to enter private working directory: %s: %s\n", cfg.cwd, strerror(errno));
+                        exit(1);
+                }
        }
        if (!cwd) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 7620bba82..fbace7374 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -66,6 +66,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
        "    --defaultgw=address - configure default gateway.\n"
 #endif
+        "    --deterministic-exit-code - always exit with first child's status code.\n"
        "    --dns=address - set DNS server.\n"
        "    --dns.print=name|pid - print DNS configuration.\n"
        "    --env=name=value - set environment variable.\n"
@@ -162,6 +163,8 @@ static char *usage_str =
        "    --private-etc=file,directory - build a new /etc in a temporary\n"
        "\tfilesystem, and copy the files and directories in the list.\n"
        "    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
+        "    --private-cwd - do not inherit working directory inside jail.\n"
+        "    --private-cwd=directory - set working directory inside jail.\n"
        "    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
        "    --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
        "    --profile=filename|profile_name - use a custom profile.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3e2cd13d5..fff0bbf2f 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -29,7 +29,11 @@
 #include <sys/ioctl.h>
 #include <termios.h>
 #include <sys/wait.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 #define MAX_GROUPS 1024
 #define MAXBUF 4098
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index b0ed10b30..9d821d980 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -31,7 +31,11 @@
 #include <sys/wait.h>
 #include <errno.h>
 #include <limits.h>
 #include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
 // Parse the DISPLAY environment variable and return a display number.
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 67d7cfa4f..67c693dce 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -51,13 +51,13 @@
 #define RUN_DNS_ETC     "/run/firejail/mnt/dns-etc"
 #define RUN_SECCOMP_DIR "/run/firejail/mnt/seccomp"
-#define RUN_SECCOMP_LIST        "/run/firejail/mnt/seccomp/seccomp.list"        // list of seccomp files installed
+#define RUN_SECCOMP_LIST        (RUN_SECCOMP_DIR "/seccomp.list")       // list of seccomp files installed
-#define RUN_SECCOMP_PROTOCOL    "/run/firejail/mnt/seccomp/seccomp.protocol"    // protocol filter
+#define RUN_SECCOMP_PROTOCOL    (RUN_SECCOMP_DIR "/seccomp.protocol")   // protocol filter
-#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp/seccomp"                     // configured filter
+#define RUN_SECCOMP_CFG (RUN_SECCOMP_DIR "/seccomp")                    // configured filter
-#define RUN_SECCOMP_32          "/run/firejail/mnt/seccomp/seccomp.32"          // 32bit arch filter installed on 64bit architectures
+#define RUN_SECCOMP_32          (RUN_SECCOMP_DIR "/seccomp.32")         // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX        "/run/firejail/mnt/seccomp/seccomp.mdwx"                // filter for memory-deny-write-execute
+#define RUN_SECCOMP_MDWX        (RUN_SECCOMP_DIR "/seccomp.mdwx")               // filter for memory-deny-write-execute
-#define RUN_SECCOMP_BLOCK_SECONDARY     "/run/firejail/mnt/seccomp/seccomp.block_secondary"     // secondary arch blocking filter
+#define RUN_SECCOMP_BLOCK_SECONDARY     (RUN_SECCOMP_DIR "/seccomp.block_secondary")    // secondary arch blocking filter
-#define RUN_SECCOMP_POSTEXEC    "/run/firejail/mnt/seccomp/seccomp.postexec"            // filter for post-exec library
+#define RUN_SECCOMP_POSTEXEC    (RUN_SECCOMP_DIR "/seccomp.postexec")           // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT (LIBDIR "/firejail/seccomp")                       // default filter built during make
 #define PATH_SECCOMP_DEFAULT_DEBUG (LIBDIR "/firejail/seccomp.debug")   // default filter built during make
 #define PATH_SECCOMP_32 (LIBDIR "/firejail/seccomp.32")                 // 32bit arch filter built during make
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 703fac30f..8c9989970 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -288,6 +288,12 @@ All modifications are discarded when the sandbox is closed.
 \fBprivate-tmp
 Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
+\fBprivate-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
+.TP
+\fBprivate-cwd directory
+Set working directory inside the jail.
+.TP
 \fBread-only file_or_directory
 Make directory or file read-only.
 .TP
@@ -661,6 +667,10 @@ instead of the default one.
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
+.TP
+\fBdeterministic-exit-code
+Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1b56dedcd..67b84de0e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -410,6 +410,10 @@ Example:
 $ firejail \-\-disable-mnt firefox
 .TP
+\fB\-\-deterministic-exit-code
+Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
+.TP
 \fB\-\-dns=address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Use this option if you don't trust the DNS setup on your network.
@@ -1107,9 +1111,11 @@ $ nc dict.org 2628
 .br
 .TP
 \fB\-\-nodbus
-Disable D-Bus access. Only the regular UNIX socket is handled by this command. To
+Disable D-Bus access (both system and session buses). Only the regular
-disable the abstract socket you would need to request a new network namespace using
+UNIX sockets are handled by this command. To disable the abstract
-\-\-net command. Another option is to remove unix from \-\-protocol set.
+sockets you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from \-\-protocol
+set.
 .br
 .br
@@ -1566,6 +1572,48 @@ drwx------  2 nobody nogroup 4096 Apr 30 10:52 pulse-PKdhtXMmr18n
 drwxrwxrwt  2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
 .br
+.TP
+\fB\-\-private-cwd
+Set working directory inside jail to the home directory, and failing that, the root directory.
+.br
+Does not impact working directory of profile include paths.
+.br
+.br
+Example:
+.br
+$ pwd
+.br
+/tmp
+.br
+$ firejail \-\-private-cwd
+.br
+$ pwd
+.br
+/home/user
+.br
+.TP
+\fB\-\-private-cwd=directory
+Set working directory inside the jail.
+.br
+Does not impact working directory of profile include paths.
+.br
+.br
+Example:
+.br
+$ pwd
+.br
+/tmp
+.br
+$ firejail \-\-private-cwd=/opt
+.br
+$ pwd
+.br
+/opt
+.br
 .TP
 \fB\-\-profile=filename_or_profilename
@@ -1631,6 +1679,10 @@ Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more detail
 .TP
 \fB\-\-quiet
 Turn off Firejail's output.
+.br
+.br
+The same effect can be obtained by setting an environment variable FIREJAIL_QUIET to yes.
 .TP
 \fB\-\-read-only=dirname_or_filename
 Set directory or file read-only. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
diff --git a/test/environment/deterministic-exit-code.exp b/test/environment/deterministic-exit-code.exp
new file mode 100755
index 000000000..165b9ebe0
--- /dev/null
+++ b/test/environment/deterministic-exit-code.exp
@@ -0,0 +1,55 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+set timeout 4
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Parent is shutting down"
+}
+after 300
+send -- "echo $?\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "53"
+}
+after 100
+send -- "firejail --deterministic-exit-code\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "({ nohup bash -c \"sleep 0.2; exit 53\" &> /dev/null & } &)\r"
+send -- "exit 35\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Parent is shutting down"
+}
+after 300
+send -- "echo $?\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "35"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 85d6c0873..5b4aa32f4 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -116,3 +116,6 @@ echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+./deterministic-exit-code.exp
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index 0fc216b20..7e1d46f0a 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -69,6 +69,9 @@ echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
 echo "TESTING: private-bin (test/fs/private-bin.exp)"
 ./private-bin.exp
+echo "TESTING: private-cwd (test/fs/private-cwd.exp)"
+./private-cwd.exp
 echo "TESTING: macros (test/fs/macro.exp)"
 ./macro.exp
diff --git a/test/fs/private-cwd.exp b/test/fs/private-cwd.exp
new file mode 100755
index 000000000..0fa87a92f
--- /dev/null
+++ b/test/fs/private-cwd.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2019 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "cd /tmp\r"
+after 100
+# testing profile and private
+send -- "firejail --private-cwd\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "$env(HOME)"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "cd /\r"
+after 100
+# testing profile and private
+send -- "firejail --private-cwd=/tmp\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "/tmp"
+}
+after 100
+send -- "exit\r"
+sleep 1
+puts "all done\n"
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh
index 5e9d75379..79913fed6 100755
--- a/test/private-lib/private-lib.sh
+++ b/test/private-lib/private-lib.sh
@@ -5,7 +5,7 @@
 export MALLOC_CHECK_=3g
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig whois evince galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
+LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig evince whois galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
 for app in $LIST; do