71 files changed, 1279 insertions, 496 deletions

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b69bb728e..0ecde565c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5
+      uses: github/codeql-action/init@384cfc42b2131df01c009d3d2eed7b78d8e8556e
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@5f532563584d71fdef14ee64d17bafb34f751ce5
+      uses: github/codeql-action/autobuild@384cfc42b2131df01c009d3d2eed7b78d8e8556e
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5
+      uses: github/codeql-action/analyze@384cfc42b2131df01c009d3d2eed7b78d8e8556e
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 03e18d269..d9fe768ff 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -67,8 +67,8 @@ debian_ci:
         - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail)
         - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.*
         - rm -rf debian/patches/
-        # next line is a temporary fix for dh_missing failure; remove it after next release
-        - echo "etc/firejail/*.config" >> debian/firejail.install
+        # /etc/firejail/hostnames is no longer installed
+        - sed '/etc\/firejail\/hostnames/d' -i debian/firejail.install
         - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar
         - git add debian && git commit -m "add debian/"
         - export CI_COMMIT_SHA=$(git rev-parse HEAD)
diff --git a/Makefile.in b/Makefile.in
index ccd59170d..29bd53d21 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -123,6 +123,7 @@ endif
         # plugins w/o read permission (non-dumpable)
         install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
         install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
+        install -m 0644 -t $(DESTDIR)$(libdir)/firejail src/fnettrace/static-ip-map
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
         # contrib scripts
         install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
@@ -138,7 +139,6 @@ endif
         # profiles and settings
         install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
         install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/firecfg/firecfg.config
-        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail src/fnettrace/hostnames
         install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config etc/ids.config
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 ifeq ($(BUSYBOX_WORKAROUND),yes)
diff --git a/README b/README
index 92703d677..34f62b538 100644
--- a/README
+++ b/README
@@ -134,6 +134,8 @@ announ (https://github.com/announ)
         - evince profile fix
 Anton Shestakov (https://github.com/antonv6)
         - add whitelist items for uim
+        - allow /etc/vulkan in steam profile
+        - allow ~/.cache/wine in lutris and wine profile
 Antonio Russo (https://github.com/aerusso)
         - enumerate root directories in apparmor profile
         - fix join-or-start
@@ -226,6 +228,8 @@ Carlo Abelli (https://github.com/carloabelli)
         - fixed udiskie profile
         - Allow mbind syscall for GIMP
         - fixed simple-scan
+Case_Of (https://github.com/CaseOf)
+        - added Seafile profile
 Cat (https://github.com/ecat3)
         - prevent tmux connecting to an existing session
 cayday (https://github.com/caydey)
@@ -838,6 +842,11 @@ Raphaël Droz (https://github.com/drzraf)
         - zoom profile fixes
 realaltffour (https://github.com/realaltffour)
         - add lynx support to newsboat profile
+Reed Riley (https://github.com/reedriley)
+        - cointop profile
+        - 1password profile
+        - blacklist rclone, 1Password, Ledger Live and cointop
+        - allow Signal to open links in Firefox
 Reiner Herrmann (https://github.com/reinerh)
         - a number of build patches
         - man page fixes
@@ -960,6 +969,8 @@ SkewedZeppelin (https://github.com/SkewedZeppelin)
         - hardern /var
         - profile standard layout
         - Spotify and itch.io profile fixes
+Spacewalker2 (https://github.com/Spacewalker2)
+        - fix  MediathekView profile
 sshirokov (https://sourceforge.net/u/yshirokov/profile/)
         - Patch to output "Reading profile" to stderr instead of stdout
 SYN-cook (https://github.com/SYN-cook)
@@ -1093,6 +1104,7 @@ Vincent Blillault (https://github.com/Feandil)
         - fix mumble profile
 Vincent Lefèvre (https://github.com/vinc17fr)
         - blacklist rxvt after the blacklist of Perl
+        - Noblacklist rxvt in allow-perl.inc
 vismir2 (https://github.com/vismir2)
         - feh, ranger, 7z, keepass, keepassx and zathura profiles
         - claws-mail, mutt, git, emacs, vim profiles
diff --git a/README.md b/README.md
index ab5719522..72e8cac31 100644
--- a/README.md
+++ b/README.md
@@ -283,6 +283,25 @@ INTRUSION DETECTION SYSTEM (IDS)
 
 `````
 
+### File descriptors
+`````
+       --keep-fd=all
+              Inherit all open file descriptors to  the  sandbox.  By  default
+              only  file  descriptors 0, 1 and 2 are inherited to the sandbox,
+              and all other file descriptors are closed.
+
+              Example:
+              $ firejail --keep-fd=all
+
+       --keep-fd=file_descriptor
+              Don't close specified open file  descriptors.  By  default  only
+              file  descriptors  0,  1 and 2 are inherited to the sandbox, and
+              all other file descriptors are closed.
+
+              Example:
+              $ firejail --keep-fd=3,4,5
+`````
+
 ### Deteministic Shutdown
 `````
       --deterministic-exit-code
@@ -298,7 +317,7 @@ INTRUSION DETECTION SYSTEM (IDS)
 
 ### Network Monitor
 `````
-        --nettrace=name|pid
+       --nettrace=name|pid
               Monitor TCP and UDP traffic coming into the sandbox specified by
               name or pid. Only networked sandboxes  created  with  --net  are
               supported.
@@ -357,4 +376,5 @@ Stats:
 ### New profiles:
 
 clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle,
-cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser, CachyBrowser, notable, RPCS3
+cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser, CachyBrowser, notable, RPCS3, wget2, raincat,
+cointop, 1password, Seafile
diff --git a/RELNOTES b/RELNOTES
index 9624b7ef6..043107d6c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,12 +1,15 @@
-firejail (0.9.67) baseline; urgency=low
+firejail (0.9.68rc2) baseline; urgency=low
   * work in progress
   * exit code: distinguish fatal signals by adding 128 (#4533)
+  * close file descriptors greater than 2 (--keep-fd) (#4845)
   * intrusion detection system (--ids-init, --ids-check)
   * deterministic shutdown (--deterministic-exit-code,
      --deterministic-shutdown) (#4635)
-  * noprinters command (#4607)
+  * noprinters command (#4607 #4827)
   * network monitor (--nettrace)
+  * network locker (--netlock)
   * whitelist-ro profile command
+  * AppImage support in --build command
   * build: firecfg.config is now installed to /etc/firejail/ (#4669)
   * removed --disable-whitelist at compile time
   * removed whitelist=yes/no in /etc/firejail/firejail.config
@@ -19,8 +22,9 @@ firejail (0.9.67) baseline; urgency=low
   * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
   * new profiles: make, meson, pip, codium, telnet, ftp, OpenStego
   * new profiles: imv, retroarch, torbrowser, CachyBrowser,
-  * new profiles: notable, RPCS3
- -- netblue30 <netblue30@yahoo.com>  Thu, 29 Jul 2021 09:00:00 -0500
+  * new profiles: notable, RPCS3, wget2, raincat, conitop, 1passwd,
+  * new profiles: Seafile
+ -- netblue30 <netblue30@yahoo.com>  Tue, 18 Jan 2022 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low
   * deprecated --audit options, relpaced by jailcheck utility
diff --git a/configure b/configure
index a8c9a1d96..a52a70c9f 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.67.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.68rc2.
 #
 # Report bugs to <netblue30@protonmail.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.67'
-PACKAGE_STRING='firejail 0.9.67'
+PACKAGE_VERSION='0.9.68rc2'
+PACKAGE_STRING='firejail 0.9.68rc2'
 PACKAGE_BUGREPORT='netblue30@protonmail.com'
 PACKAGE_URL='https://firejail.wordpress.com'
 
@@ -1298,7 +1298,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.67 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.68rc2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1360,7 +1360,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.67:";;
+     short | recursive ) echo "Configuration of firejail 0.9.68rc2:";;
    esac
   cat <<\_ACEOF
 
@@ -1481,7 +1481,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.67
+firejail configure 0.9.68rc2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1737,7 +1737,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.67, which was
+It was created by firejail $as_me 0.9.68rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3434,8 +3434,8 @@ if test "x$enable_apparmor" = "xyes"; then :
         HAVE_APPARMOR="-DHAVE_APPARMOR"
 
 pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for AA" >&5
-$as_echo_n "checking for AA... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libapparmor" >&5
+$as_echo_n "checking for libapparmor... " >&6; }
 
 if test -n "$AA_CFLAGS"; then
     pkg_cv_AA_CFLAGS="$AA_CFLAGS"
@@ -3475,7 +3475,7 @@ fi
 
 
 if test $pkg_failed = yes; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
@@ -3502,7 +3502,7 @@ Alternatively, you may set the environment variables AA_CFLAGS
 and AA_LIBS to avoid the need to call pkg-config.
 See the pkg-config man page for more details." "$LINENO" 5
 elif test $pkg_failed = untried; then
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
         { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
@@ -4815,7 +4815,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.67, which was
+This file was extended by firejail $as_me 0.9.68rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4869,7 +4869,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.67
+firejail config.status 0.9.68rc2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 232d49e1e..8c541d886 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 
 AC_PREREQ([2.68])
-AC_INIT([firejail], [0.9.67], [netblue30@protonmail.com], [],
+AC_INIT([firejail], [0.9.68rc2], [netblue30@protonmail.com], [],
     [https://firejail.wordpress.com])
 
 AC_CONFIG_SRCDIR([src/firejail/main.c])
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index 57c7b371d..714ed8e6e 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -51,7 +51,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
diff --git a/etc/inc/allow-perl.inc b/etc/inc/allow-perl.inc
index 5a1952c94..a473900da 100644
--- a/etc/inc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
@@ -10,3 +10,6 @@ noblacklist ${PATH}/vendor_perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/lib64/perl*
 noblacklist /usr/share/perl*
+
+# rxvt is also blacklisted in disable-interpreters.inc
+noblacklist ${PATH}/rxvt
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 625364cf6..43332b4d0 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -635,3 +635,6 @@ blacklist ${RUNUSER}/update-notifier.pid
 
 # tor-browser
 blacklist ${HOME}/.local/opt/tor-browser
+
+# pass utility (pass package in Debian etc.)
+blacklist ${HOME}/.password-store
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index ded5e4b46..5a189559a 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -191,6 +191,7 @@ blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/quodlibet
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/rclone
 blacklist ${HOME}/.cache/rednotebook
 blacklist ${HOME}/.cache/rhythmbox
 blacklist ${HOME}/.cache/rpcs3
@@ -216,6 +217,7 @@ blacklist ${HOME}/.cache/vmware
 blacklist ${HOME}/.cache/warsow-2.1
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/wine
 blacklist ${HOME}/.cache/winetricks
 blacklist ${HOME}/.cache/xmms2
 blacklist ${HOME}/.cache/xournalpp
@@ -233,6 +235,7 @@ blacklist ${HOME}/.clion*
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.config/1Password
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
@@ -278,6 +281,7 @@ blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/KeePassXCrc
 blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Kingsoft
+blacklist ${HOME}/.config/Ledger Live
 blacklist ${HOME}/.config/LibreCAD
 blacklist ${HOME}/.config/Loop_Hero
 blacklist ${HOME}/.config/Luminance
@@ -314,6 +318,7 @@ blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
 blacklist ${HOME}/.config/RogueLegacy
 blacklist ${HOME}/.config/RogueLegacyStorageContainer
+blacklist ${HOME}/.config/Seafile
 blacklist ${HOME}/.config/Signal
 blacklist ${HOME}/.config/Sinew Software Systems
 blacklist ${HOME}/.config/Slack
@@ -378,6 +383,7 @@ blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/cower
@@ -572,6 +578,7 @@ blacklist ${HOME}/.config/quodlibet
 blacklist ${HOME}/.config/qupzilla
 blacklist ${HOME}/.config/qutebrowser
 blacklist ${HOME}/.config/ranger
+blacklist ${HOME}/.config/rclone
 blacklist ${HOME}/.config/redshift
 blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/remmina
@@ -618,6 +625,7 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/wget
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/wormux
 blacklist ${HOME}/.config/xchat
@@ -979,6 +987,7 @@ blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
 blacklist ${HOME}/.local/share/warsow-2.1
+blacklist ${HOME}/.local/share/warzone2100-3.*
 blacklist ${HOME}/.local/share/wesnoth
 blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
@@ -1032,7 +1041,6 @@ blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
-blacklist ${HOME}/.password-store
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pine-crash
@@ -1127,6 +1135,7 @@ blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud
 blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/Seafile/.seafile-data
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
@@ -1139,6 +1148,7 @@ blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/yt-dlp.conf
 blacklist ${HOME}/yt-dlp.conf.txt
 blacklist ${RUNUSER}/*firefox*
+blacklist ${RUNUSER}/akonadi
 blacklist /tmp/.wine-*
 blacklist /tmp/akonadi-*
 blacklist /var/games/nethack
diff --git a/etc/profile-a-l/1password.profile b/etc/profile-a-l/1password.profile
new file mode 100644
index 000000000..bc8bfae0d
--- /dev/null
+++ b/etc/profile-a-l/1password.profile
@@ -0,0 +1,20 @@
+# Firejail profile for 1password
+# Description: 1Password is a password manager developed by AgileBits Inc.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include 1password.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/1Password
+
+mkdir ${HOME}/.config/1Password
+whitelist ${HOME}/.config/1Password
+
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+
+# Needed for keychain things, talking to Firefox, possibly other things?  Not sure how to narrow down
+ignore dbus-user none
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index f3fb678d1..2f58d9146 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist ${RUNUSER}/akonadi
 noblacklist /sbin
 noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 075cac967..998ffd9da 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -57,6 +57,7 @@ private-cache
 
 blacklist ${PATH}/curl
 blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
 
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
 dbus-system none
diff --git a/etc/profile-a-l/cointop.profile b/etc/profile-a-l/cointop.profile
new file mode 100644
index 000000000..4349f58fc
--- /dev/null
+++ b/etc/profile-a-l/cointop.profile
@@ -0,0 +1,63 @@
+# Firejail profile for cointop
+# Description: TUI for tracking cryptocurrency stats
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cointop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cointop
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/cointop
+whitelist ${HOME}/.config/cointop
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin cointop
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 2fe12843e..373f41ffe 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -61,6 +61,7 @@ private-tmp
 
 blacklist ${PATH}/curl
 blacklist ${PATH}/wget
+blacklist ${PATH}/wget2
 
 # 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
 # Gnome connector, KDE connect and power management on KDE Plasma.
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 0796e6876..1bbc141e8 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -29,6 +29,7 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail
 noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist ${RUNUSER}/akonadi
 noblacklist /tmp/akonadi-*
 
 include disable-common.inc
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index bf8ab9e64..71309b48f 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${PATH}/llvm*
 noblacklist ${HOME}/Games
 noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.config/lutris
 noblacklist ${HOME}/.local/share/lutris
@@ -34,6 +35,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/Games
 mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/wine
 mkdir ${HOME}/.cache/winetricks
 mkdir ${HOME}/.config/lutris
 mkdir ${HOME}/.local/share/lutris
@@ -41,6 +43,7 @@ mkdir ${HOME}/.local/share/lutris
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Games
 whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/wine
 whitelist ${HOME}/.cache/winetricks
 whitelist ${HOME}/.config/lutris
 whitelist ${HOME}/.local/share/lutris
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index f73ef0935..f0ef7d010 100644
--- a/etc/profile-m-z/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
@@ -17,6 +17,8 @@ noblacklist ${HOME}/.mediathek3
 noblacklist ${HOME}/.mplayer
 noblacklist ${VIDEOS}
 
+ignore noexec /tmp
+
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
@@ -27,6 +29,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.mediathek3
+whitelist ${HOME}/.mediathek3
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/raincat.profile b/etc/profile-m-z/raincat.profile
new file mode 100644
index 000000000..104577bdb
--- /dev/null
+++ b/etc/profile-m-z/raincat.profile
@@ -0,0 +1,49 @@
+# Firejail profile for raincat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include raincat.local
+# Persistent global definitions
+include globals.local
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/games
+whitelist /usr/share/timidity
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+net none
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin raincat
+private-cache
+private-dev
+private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,timidity,timidity.cfg
+#private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
diff --git a/etc/profile-m-z/seafile-applet.profile b/etc/profile-m-z/seafile-applet.profile
new file mode 100644
index 000000000..79e072475
--- /dev/null
+++ b/etc/profile-m-z/seafile-applet.profile
@@ -0,0 +1,62 @@
+# Firejail profile for Seafile
+# Description: Seafile desktop client.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seafile-applet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Seafile
+noblacklist ${HOME}/Seafile/.seafile-data
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.ccnet
+mkdir ${HOME}/.config/Seafile
+mkdir ${HOME}/Seafile
+whitelist ${HOME}/.ccnet
+whitelist ${HOME}/.config/Seafile
+whitelist ${HOME}/Seafile
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin seaf-cli,seaf-daemon,seafile-applet
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+#private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 77a7f5b38..1166f378b 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -21,9 +21,15 @@ whitelist ${HOME}/.config/Signal
 
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 
-# allow D-Bus notifications
 dbus-user filter
+
+# allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
+
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.Firefox.*
+dbus-user.talk org.mozilla.firefox.*
+
 ignore dbus-user none
 
 # Redirect
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 9295013e7..4da0db517 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -50,4 +50,5 @@ writable-run-user
 dbus-user none
 dbus-system none
 
+deterministic-shutdown
 memory-deny-write-execute
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index bcf94de51..b31818274 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -147,7 +147,7 @@ shell none
 
 # private-bin is disabled while in testing, but is known to work with multiple games.
 # Add the next line to your steam.local to enable private-bin.
-#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity
+#private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,wget2,which,whoami,xterm,xz,zenity
 # Extra programs are available which might be needed for select games.
 # Add the next line to your steam.local to enable support for these programs.
 #private-bin java,java-config,mono
@@ -157,7 +157,7 @@ shell none
 private-dev
 # private-etc breaks a small selection of games on some systems. Add 'ignore private-etc'
 # to your steam.local to support those.
-private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 473472251..23c8a6c58 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -43,7 +43,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,bluetooth
+protocol unix,inet,inet6,netlink,bluetooth
 seccomp
 seccomp.block-secondary
 shell none
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
index 41487a8f2..dcdae279f 100644
--- a/etc/profile-m-z/uzbl-browser.profile
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/uzbl
+noblacklist ${HOME}/.password-store
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 46dca0547..5519c3c1e 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -7,19 +7,22 @@ include warzone2100.local
 include globals.local
 
 noblacklist ${HOME}/.warzone2100-3.*
+noblacklist ${HOME}/.local/share/warzone2100-3.*
 
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
-include disable-shell.inc
+#include disable-shell.inc - problems on Debian 11
 
 mkdir ${HOME}/.warzone2100-3.1
 mkdir ${HOME}/.warzone2100-3.2
+whitelist ${HOME}/.local/share/warzone2100-3.3.0 # config dir moved under .local/share
 whitelist ${HOME}/.warzone2100-3.1
 whitelist ${HOME}/.warzone2100-3.2
 whitelist /usr/share/games
+whitelist /usr/share/gdm
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -42,6 +45,6 @@ shell none
 tracelog
 
 disable-mnt
-private-bin warzone2100
+private-bin bash,dash,sh,warzone2100,which
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/wget2.profile b/etc/profile-m-z/wget2.profile
new file mode 100644
index 000000000..18918c6af
--- /dev/null
+++ b/etc/profile-m-z/wget2.profile
@@ -0,0 +1,19 @@
+# Firejail profile for wget2
+# Description: Updated version of the popular wget URL retrieval tool
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include wget2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/wget
+ignore noblacklist ${HOME}/.wgetrc
+
+private-bin wget2
+# Depending on workflow you can add the next line to your wget2.local.
+#private-etc wget2rc
+
+# Redirect
+include wget.profile
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 1e9b9341b..f30fc971f 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -6,6 +6,7 @@ include wine.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/wine
 noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.local/share/Steam
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 80d551038..f212a6721 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -50,7 +50,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp
+private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 2e6b46e77..3a7a12fb3 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -22,7 +22,6 @@
 #include <sys/wait.h>
 
 #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX"
-#define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX"
 
 void build_profile(int argc, char **argv, int index, FILE *fp) {
         // next index is the application name
@@ -41,36 +40,33 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
         if(asprintf(&output,"--trace=%s",trace_output) == -1)
                 errExit("asprintf");
 
-        char *cmdlist[] = {
-          BINDIR "/firejail",
-          "--quiet",
-          "--noprofile",
-          "--caps.drop=all",
-          "--seccomp",
-          output,
-          "--shell=none",
-        };
-
         // calculate command length
-        unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
-        if (arg_debug)
-                printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index);
-        char *cmd[len];
-        cmd[0] = cmdlist[0];    // explicit assignment to clean scan-build error
+        unsigned len = 64;      // plenty of space for firejail command line
+        len += argc - index;    // program command line
+        len += 1;               // NULL
 
         // build command
-        unsigned i = 0;
-        for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++)
-                cmd[i] = cmdlist[i];
-
-        int i2 = index;
-        for (; i < (len - 1); i++, i2++)
-                cmd[i] = argv[i2];
-        assert(i < len);
-        cmd[i] = NULL;
+        char *cmd[len];
+        unsigned curr_len = 0;
+        cmd[curr_len++] = BINDIR "/firejail";
+        cmd[curr_len++] = "--quiet";
+        cmd[curr_len++] = "--noprofile";
+        cmd[curr_len++] = "--caps.drop=all";
+        cmd[curr_len++] = "--seccomp";
+        cmd[curr_len++] = "--shell=none";
+        cmd[curr_len++] = output;
+        if (arg_appimage)
+                cmd[curr_len++] = "--appimage";
+
+        int i;
+        for (i = index; i < argc; i++)
+                cmd[curr_len++] = argv[i];
+
+        assert(curr_len < len);
+        cmd[curr_len] = NULL;
 
         if (arg_debug) {
-                for (i = 0; i < len; i++)
+                for (i = 0; cmd[i]; i++)
                         printf("%s%s\n", (i)?"\t":"", cmd[i]);
         }
 
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index 12dfdb8be..3e23d7854 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -31,6 +31,7 @@
 #define MAX_BUF 4096
 // main.c
 extern int arg_debug;
+extern int arg_appimage;
 
 // build_profile.c
 void build_profile(int argc, char **argv, int index, FILE *fp);
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
index 9e30ec539..aa49b2489 100644
--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -19,6 +19,7 @@
 */
 #include "fbuilder.h"
 int arg_debug = 0;
+int arg_appimage = 0;
 
 static void usage(void) {
         printf("Firejail profile builder\n");
@@ -49,6 +50,8 @@ printf("\n");
                 }
                 else if (strcmp(argv[i], "--debug") == 0)
                         arg_debug = 1;
+                else if (strcmp(argv[i], "--appimage") == 0)
+                        arg_appimage = 1;
                 else if (strcmp(argv[i], "--build") == 0)
                         ; // do nothing, this is passed down from firejail
                 else if (strncmp(argv[i], "--build=", 8) == 0) {
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index a9443a764..c64d20127 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -200,7 +200,8 @@ static char *proc_pid_to_self(const char *target) {
 
         // check where /proc/self points to
         static const char proc_self[] = "/proc/self";
-        if (!(proc_pid = realpath(proc_self, NULL)))
+        proc_pid = realpath(proc_self, NULL);
+        if (proc_pid == NULL)
                 goto done;
 
         // redirect /proc/PID/xxx -> /proc/self/XXX
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e68c04b4c..77f233bce 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -2,6 +2,7 @@
 # This is the list of programs in alphabetical order handled by firecfg utility
 #
 0ad
+1password
 2048-qt
 Books
 Builder
@@ -152,6 +153,7 @@ cmus
 code
 code-oss
 codium
+cointop
 cola
 colorful
 com.github.bleakgrey.tootle
@@ -687,6 +689,7 @@ quaternion
 quiterss
 qupzilla
 qutebrowser
+raincat
 rambox
 redeclipse
 rednotebook
@@ -711,6 +714,7 @@ scorched3d
 scorchwentbonkers
 scribus
 sdat2img
+seafile-applet
 seahorse
 seahorse-adventures
 seahorse-daemon
@@ -874,6 +878,7 @@ weechat
 weechat-curses
 wesnoth
 wget
+wget2
 whalebird
 whois
 widelands
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index bd4e8d2df..f1e16187f 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/wait.h>
 #include <errno.h>
 
@@ -122,6 +123,9 @@ void set_cgroup(const char *fname, pid_t pid) {
                 drop_privs(0);
 
                 do_set_cgroup(fname, pid);
+
+                __gcov_flush();
+
                 _exit(0);
         }
         waitpid(child, NULL, 0);
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index e1475870c..66738bd4b 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -297,11 +297,12 @@ void dbus_proxy_start(void) {
         if (dbus_proxy_pid == -1)
                 errExit("fork");
         if (dbus_proxy_pid == 0) {
-                int i;
-                for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
-                        if (i != status_pipe[1] && i != args_pipe[0])
-                                close(i); // close open files
-                }
+                // close open files
+                int keep[2];
+                keep[0] = status_pipe[1];
+                keep[1] = args_pipe[0];
+                close_all(keep, ARRAY_SIZE(keep));
+
                 if (arg_dbus_log_file != NULL) {
                         int output_fd = creat(arg_dbus_log_file, 0666);
                         if (output_fd < 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7529256d0..f1fa66707 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -161,6 +161,7 @@ typedef struct config_t {
 
 #define MAX_PROFILE_IGNORE 32
         char *profile_ignore[MAX_PROFILE_IGNORE];
+        char *keep_fd;          // inherit file descriptors to sandbox
         char *chrootdir;        // chroot directory
         char *home_private;     // private home directory
         char *home_private_keep;        // keep list for private home directory
@@ -352,6 +353,7 @@ extern int arg_nou2f;	// --nou2f
 extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
 extern int arg_deterministic_shutdown;  // shut down the sandbox if first child dies
+extern int arg_keep_fd_all;     // inherit all file descriptors to sandbox
 
 typedef enum {
         DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
@@ -551,6 +553,7 @@ int remount_by_fd(int dst, unsigned long mountflags);
 int bind_mount_by_fd(int src, int dst);
 int bind_mount_path_to_fd(const char *srcname, int dst);
 int bind_mount_fd_to_path(int src, const char *destname);
+void close_all(int *keep_list, size_t sz);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
@@ -707,6 +710,7 @@ void env_ibus_load(void);
 void fs_whitelist(void);
 
 // pulseaudio.c
+void pipewire_disable(void);
 void pulseaudio_init(void);
 void pulseaudio_disable(void);
 
@@ -881,7 +885,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_HIDEPID (1 << 7)      // hidepid caps filter for running firemon
 #define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services
 #define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open
-#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process
 
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index baa707741..786e0d360 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -142,7 +142,7 @@ errexit:
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
         assert(fname);
 
-        if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
+        if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
                 exit(1);
         }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index bdc0e277d..c515b59f5 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -337,21 +337,34 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
                         // fix pam-tmpdir (#2685)
                         const char *env = env_get("TMP");
                         if (env) {
-                                char *pamtmpdir;
-                                if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
+                                // we allow TMP env set as /tmp/user/$UID and /tmp/$UID - see #4151
+                                char *pamtmpdir1;
+                                if (asprintf(&pamtmpdir1, "/tmp/user/%u", getuid()) == -1)
                                         errExit("asprintf");
-                                if (strcmp(env, pamtmpdir) == 0) {
+                                char *pamtmpdir2;
+                                if (asprintf(&pamtmpdir2, "/tmp/%u", getuid()) == -1)
+                                        errExit("asprintf");
+                                if (strcmp(env, pamtmpdir1) == 0) {
                                         // create empty user-owned /tmp/user/$UID directory
                                         EUID_ROOT();
-                                        mkdir_attr("/tmp/user", 0711, 0, 0);
+                                        mkdir_attr("/tmp/user", 0755, 0, 0);
                                         selinux_relabel_path("/tmp/user", "/tmp/user");
                                         fs_logger("mkdir /tmp/user");
-                                        mkdir_attr(pamtmpdir, 0700, getuid(), 0);
-                                        selinux_relabel_path(pamtmpdir, pamtmpdir);
-                                        fs_logger2("mkdir", pamtmpdir);
+                                        mkdir_attr(pamtmpdir1, 0700, getuid(), 0);
+                                        selinux_relabel_path(pamtmpdir1, pamtmpdir1);
+                                        fs_logger2("mkdir", pamtmpdir1);
+                                        EUID_USER();
+                                }
+                                else if (strcmp(env, pamtmpdir2) == 0) {
+                                        // create empty user-owned /tmp/$UID directory
+                                        EUID_ROOT();
+                                        mkdir_attr(pamtmpdir2, 0700, getuid(), 0);
+                                        selinux_relabel_path(pamtmpdir2, pamtmpdir2);
+                                        fs_logger2("mkdir", pamtmpdir2);
                                         EUID_USER();
                                 }
-                                free(pamtmpdir);
+                                free(pamtmpdir1);
+                                free(pamtmpdir2);
                         }
                 }
 
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 9fc80d85b..b62a1ca9d 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -569,11 +569,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         dbus_set_system_bus_env();
 #endif
 
-                // set nice and rlimits
-                if (arg_nice)
-                        set_nice(cfg.nice);
-                set_rlimits();
-
                 start_application(0, shfd, NULL);
 
                 __builtin_unreachable();
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index 6d67fecbd..11385143a 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -314,9 +314,9 @@ void invalid_filename(const char *fname, int globbing) {
 
         char *reject;
         if (globbing)
-                reject = "\\&!\"'<>%^{};,"; // file globbing ('*?[]') is allowed
+                reject = "\\&!\"<>%^{};,"; // file globbing ('*?[]') is allowed
         else
-                reject = "\\&!?\"'<>%^{};,*[]";
+                reject = "\\&!?\"<>%^{};,*[]";
         char *c = strpbrk(ptr, reject);
         if (c) {
                 fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 09e1a1071..d614ae1ac 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -149,6 +149,7 @@ int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
 int arg_deterministic_shutdown = 0;     // shut down the sandbox if first child dies
+int arg_keep_fd_all = 0;                // inherit all file descriptors to sandbox
 DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW;   // --dbus-user
 DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
 const char *arg_dbus_log_file = NULL;
@@ -408,9 +409,22 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         }
 #endif
 #ifdef HAVE_NETWORK
+        else if (strcmp(argv[i], "--nettrace") == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        netfilter_trace(0);
+                }
+                else
+                        exit_err_feature("networking");
+                exit(0);
+        }
         else if (strncmp(argv[i], "--nettrace=", 11) == 0) {
-                pid_t pid = require_pid(argv[i] + 11);
-                netfilter_trace(pid);
+                if (checkcfg(CFG_NETWORK)) {
+                        pid_t pid = require_pid(argv[i] + 11);
+                        netfilter_trace(pid);
+                }
+                else
+                        exit_err_feature("networking");
+                exit(0);
         }
         else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                 if (checkcfg(CFG_NETWORK)) {
@@ -1862,6 +1876,14 @@ int main(int argc, char **argv, char **envp) {
                         }
                         profile_add_ignore(argv[i] + 9);
                 }
+                else if (strncmp(argv[i], "--keep-fd=", 10) == 0) {
+                        if (strcmp(argv[i] + 10, "all") == 0)
+                                arg_keep_fd_all = 1;
+                        else {
+                                const char *add = argv[i] + 10;
+                                profile_list_augment(&cfg.keep_fd, add);
+                        }
+                }
 #ifdef HAVE_CHROOT
                 else if (strncmp(argv[i], "--chroot=", 9) == 0) {
                         if (checkcfg(CFG_CHROOT)) {
@@ -2307,11 +2329,20 @@ int main(int argc, char **argv, char **envp) {
                         continue;
                 }
 #ifdef HAVE_NETWORK
-                else if (strcmp(argv[i], "--netlock") == 0)
-                        arg_netlock = 1;
+                else if (strcmp(argv[i], "--netlock") == 0) {
+                        if (checkcfg(CFG_NETWORK))
+                                arg_netlock = 1;
+                        else
+                                exit_err_feature("networking");
+                }
                 else if (strncmp(argv[i], "--netlock=", 10) == 0) {
-                        pid_t pid = require_pid(argv[i] + 10);
-                        netfilter_netlock(pid);
+                        if (checkcfg(CFG_NETWORK)) {
+                                pid_t pid = require_pid(argv[i] + 10);
+                                netfilter_netlock(pid);
+                        }
+                        else
+                                exit_err_feature("networking");
+                        exit(0);
                 }
                 else if (strncmp(argv[i], "--interface=", 12) == 0) {
                         if (checkcfg(CFG_NETWORK)) {
@@ -3150,13 +3181,18 @@ int main(int argc, char **argv, char **envp) {
                                 }
                         }
 
-                        // add render group
+                        // add render/vglusers group
                         if (!arg_no3d) {
                                 g = get_group_id("render");
                                 if (g) {
                                         sprintf(ptr, "%d %d 1\n", g, g);
                                         ptr += strlen(ptr);
                                 }
+                                g = get_group_id("vglusers");
+                                if (g) {
+                                        sprintf(ptr, "%d %d 1\n", g, g);
+                                        ptr += strlen(ptr);
+                                }
                         }
 
                         // add lp group
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 61164d740..939ab29fa 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -93,7 +93,10 @@ void netfilter_netlock(pid_t pid) {
 void netfilter_trace(pid_t pid) {
         EUID_ASSERT();
 
-        enter_network_namespace(pid);
+        // a pid of 0 means the main system network namespace
+        if (pid)
+                enter_network_namespace(pid);
+
         char *cmd;
         if (asprintf(&cmd, "%s/firejail/fnettrace", LIBDIR) == -1)
                 errExit("asprintf");
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5725100e4..794668dc6 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -290,6 +290,15 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strncmp(ptr, "keep-fd ", 8) == 0) {
+                if (strcmp(ptr + 8, "all") == 0)
+                        arg_keep_fd_all = 1;
+                else {
+                        const char *add = ptr + 8;
+                        profile_list_augment(&cfg.keep_fd, add);
+                }
+                return 0;
+        }
         if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
 #ifdef HAVE_X11
                 if (checkcfg(CFG_X11)) {
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 2af00e37b..320668bf9 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -25,6 +25,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <sys/wait.h>
+#include <glob.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -33,6 +34,59 @@
 
 #define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf"
 
+
+
+static void disable_rundir_pipewire(const char *path) {
+        assert(path);
+
+        // globbing for path/pipewire-*
+        char *pattern;
+        if (asprintf(&pattern, "%s/pipewire-*", path) == -1)
+                errExit("asprintf");
+
+        glob_t globbuf;
+        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf);
+        if (globerr) {
+                fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
+                exit(1);
+        }
+
+        size_t i;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                char *dir = globbuf.gl_pathv[i];
+                assert(dir);
+
+                // don't disable symlinks - disable_file_or_dir will bind-mount an empty directory on top of it!
+                if (is_link(dir))
+                        continue;
+                disable_file_or_dir(dir);
+        }
+        globfree(&globbuf);
+        free(pattern);
+}
+
+
+
+// disable pipewire socket
+void pipewire_disable(void) {
+        if (arg_debug)
+                printf("disable pipewire\n");
+        // blacklist user config directory
+        disable_file_path(cfg.homedir, ".config/pipewire");
+
+        // blacklist pipewire in XDG_RUNTIME_DIR
+        const char *name = env_get("XDG_RUNTIME_DIR");
+        if (name)
+                disable_rundir_pipewire(name);
+
+        // try the default location anyway
+        char *path;
+        if (asprintf(&path, "/run/user/%d", getuid()) == -1)
+                errExit("asprintf");
+        disable_rundir_pipewire(path);
+        free(path);
+}
+
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
         if (arg_debug)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 61d6578a0..96407d081 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -404,7 +404,6 @@ static void print_time(void) {
         fmessage("Child process initialized in %.02f ms\n", delta);
 }
 
-
 // check execute permissions for the program
 // this is done typically by the shell
 // we are here because of --shell=none
@@ -461,10 +460,42 @@ static int ok_to_run(const char *program) {
         return 0;
 }
 
+static void close_file_descriptors(void) {
+        if (arg_keep_fd_all)
+                return;
+
+        if (arg_debug)
+                printf("Closing non-standard file descriptors\n");
+
+        if (!cfg.keep_fd) {
+                close_all(NULL, 0);
+                return;
+        }
+
+        size_t sz = 0;
+        int *keep = str_to_int_array(cfg.keep_fd, &sz);
+        if (!keep) {
+                fprintf(stderr, "Error: invalid keep-fd option\n");
+                exit(1);
+        }
+        close_all(keep, sz);
+        free(keep);
+}
+
+
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
-        // set environment
-        if (no_sandbox == 0)
+        if (no_sandbox == 0) {
+                close_file_descriptors();
+
+                // set nice and rlimits
+                if (arg_nice)
+                        set_nice(cfg.nice);
+                set_rlimits();
+
                 env_defaults();
+        }
+
+        // set environment
         env_apply_all();
 
         // restore original umask
@@ -1018,6 +1049,9 @@ int sandbox(void* sandbox_arg) {
                 // disable pulseaudio
                 pulseaudio_disable();
 
+                // disable pipewire
+                pipewire_disable();
+
                 // disable /dev/snd
                 fs_dev_disable_sound();
         }
@@ -1252,12 +1286,6 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_APPARMOR
                 set_apparmor();
 #endif
-
-                // set nice and rlimits
-                if (arg_nice)
-                        set_nice(cfg.nice);
-                set_rlimits();
-
                 start_application(0, -1, set_sandbox_status);
         }
 
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index e5e67c09d..a37943940 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -23,6 +23,7 @@
 #include <unistd.h>
 #include <net/if.h>
 #include <stdarg.h>
+#include <sys/resource.h>
 #include <sys/wait.h>
 #include "../include/seccomp.h"
 
@@ -72,11 +73,8 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
         }
 
         // close all other file descriptors
-        if ((filtermask & SBOX_KEEP_FDS) == 0) {
-                int i;
-                for (i = 3; i < FIREJAIL_MAX_FD; i++)
-                        close(i); // close open files
-        }
+        if ((filtermask & SBOX_KEEP_FDS) == 0)
+                close_all(NULL, 0);
 
         umask(027);
 
@@ -206,6 +204,11 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
         if (filtermask & SBOX_USER)
                 drop_privs(1);
         else if (filtermask & SBOX_ROOT) {
+                // https://seclists.org/oss-sec/2021/q4/43
+                struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 };
+                if (setrlimit(RLIMIT_CORE, &tozero))
+                        errExit("setrlimit");
+
                 // elevate privileges in order to get grsecurity working
                 if (setreuid(0, 0))
                         errExit("setreuid");
@@ -292,7 +295,8 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
         if (waitpid(child, &status, 0) == -1 ) {
                 errExit("waitpid");
         }
-        if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
+        if (WIFSIGNALED(status) ||
+           (WIFEXITED(status) && WEXITSTATUS(status) != 0)) {
                 fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
                 exit(1);
         }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 24c8e3194..c903841c5 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -119,6 +119,7 @@ static char *usage_str =
         "    --join-or-start=name|pid - join the sandbox or start a new one.\n"
         "    --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
         "    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+        "    --keep-fd - inherit open file descriptors to sandbox.\n"
         "    --keep-var-tmp - /var/tmp directory is untouched.\n"
         "    --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER
diff --git a/src/firejail/util.c b/src/firejail/util.c
index dbbc1ea28..79ebfa1dd 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -209,6 +209,8 @@ static void clean_supplementary_groups(gid_t gid) {
         if (!arg_no3d) {
                 copy_group_ifcont("render", groups, ngroups,
                                   new_groups, &new_ngroups, MAX_GROUPS);
+                copy_group_ifcont("vglusers", groups, ngroups,
+                                  new_groups, &new_ngroups, MAX_GROUPS);
         }
 
         if (!arg_noprinters) {
@@ -1398,6 +1400,52 @@ int bind_mount_path_to_fd(const char *srcname, int dst) {
         return rv;
 }
 
+void close_all(int *keep_list, size_t sz) {
+        DIR *dir;
+        if (!(dir = opendir("/proc/self/fd"))) {
+                // sleep 2 seconds and try again
+                sleep(2);
+                if (!(dir = opendir("/proc/self/fd"))) {
+                        fprintf(stderr, "Error: cannot open /proc/self/fd directory\n");
+                        exit(1);
+                }
+        }
+        struct dirent *entry;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 ||
+                    strcmp(entry->d_name, "..") == 0)
+                        continue;
+
+                int fd = atoi(entry->d_name);
+
+                // don't close standard streams
+                if (fd == STDIN_FILENO ||
+                    fd == STDOUT_FILENO ||
+                    fd == STDERR_FILENO)
+                        continue;
+
+                if (fd == dirfd(dir))
+                        continue; // just postponed
+
+                // dont't close file descriptors in keep list
+                int keep = 0;
+                if (keep_list) {
+                        size_t i;
+                        for (i = 0; i < sz; i++) {
+                                if (keep_list[i] == fd) {
+                                        keep = 1;
+                                        break;
+                                }
+                        }
+                }
+                if (keep)
+                        continue;
+
+                close(fd);
+        }
+        closedir(dir);
+}
+
 int has_handler(pid_t pid, int signal) {
         if (signal > 0 && signal <= SIGRTMAX) {
                 char *fname;
diff --git a/src/fnettrace/fnettrace.h b/src/fnettrace/fnettrace.h
index c2f76f3a6..66b7378da 100644
--- a/src/fnettrace/fnettrace.h
+++ b/src/fnettrace/fnettrace.h
@@ -29,11 +29,10 @@
 #include <stdarg.h>
 //#define DEBUG 1
 
-//#define NETLOCK_INTERVAL 15
-#define NETLOCK_INTERVAL 60
-#define DISPLAY_INTERVAL 2
-#define DISPLAY_TTL 4
-#define DISPLAY_BW_UNITS 20
+#define NETLOCK_INTERVAL 60     // seconds
+#define DISPLAY_INTERVAL 2      // seconds
+#define DISPLAY_TTL 4           // display intervals (4 * 2 seconds)
+#define DISPLAY_BW_UNITS 20     // length of the bandwidth bar
 
 
 static inline void ansi_topleft(void) {
@@ -59,8 +58,8 @@ static inline uint8_t hash(uint32_t ip) {
 void logprintf(char* fmt, ...);
 
 // hostnames.c
+extern int geoip_calls;
 void load_hostnames(const char *fname);
 char* retrieve_hostname(uint32_t ip);
-void build_list(const char *fname);
 
 #endif
\ No newline at end of file
diff --git a/src/fnettrace/hostnames.c b/src/fnettrace/hostnames.c
index e1ad45f81..dd92070bf 100644
--- a/src/fnettrace/hostnames.c
+++ b/src/fnettrace/hostnames.c
@@ -21,8 +21,15 @@
 #include "radix.h"
 #define MAXBUF 1024
 
+int geoip_calls = 0;
+static int geoip_not_found = 0;
+static char buf[MAXBUF];
 
 char *retrieve_hostname(uint32_t ip) {
+        if (geoip_not_found)
+                return NULL;
+        geoip_calls++;
+
         char *rv = NULL;
         char *cmd;
         if (asprintf(&cmd, "/usr/bin/geoiplookup %d.%d.%d.%d", PRINT_IP(ip)) == -1)
@@ -31,7 +38,6 @@ char *retrieve_hostname(uint32_t ip) {
         FILE *fp = popen(cmd, "r");
         if (fp) {
                 char *ptr;
-                char buf[MAXBUF];
                  if (fgets(buf, MAXBUF, fp)) {
                         ptr = strchr(buf, '\n');
                         if (ptr)
@@ -40,13 +46,17 @@ char *retrieve_hostname(uint32_t ip) {
                                 ptr = buf + 22;
                                 if (*ptr == ' ' && *(ptr + 3) == ',' &&  *(ptr + 4) == ' ') {
                                         rv = ptr + 5;
-                                        radix_add(ip, 0xffffffff, ptr + 5);
+                                        rv = radix_add(ip, 0xffffffff, rv);
                                 }
                         }
                 }
                 fclose(fp);
                 return rv;
         }
+        else
+                geoip_not_found = 1;
+
+        free(cmd);
 
         return NULL;
 }
@@ -112,9 +122,3 @@ errexit:
         exit(1);
 }
 
-void build_list(const char *fname) {
-        assert(fname);
-        load_hostnames(fname);
-        radix_build_list();
-}
-
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 804a9cd80..e58cc79b3 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -26,10 +26,9 @@ static int arg_netfilter = 0;
 static char *arg_log = NULL;
 
 typedef struct hnode_t {
-        struct hnode_t *hnext;  // used for hash table
+        struct hnode_t *hnext;  // used for hash table and unused linked list
         struct hnode_t *dnext;  // used to display stremas on the screen
         uint32_t ip_src;
-        uint32_t ip_dst;
         uint32_t  bytes;        // number of bytes received in the last display interval
         uint16_t port_src;
         uint8_t protocol;
@@ -46,9 +45,36 @@ HNode *htable[HMAX] = {NULL};
 // display linked list
 HNode *dlist = NULL;
 
-static unsigned bwmax = 0; // max bytes received in a display interval
 
-static void hnode_add(uint32_t ip_src, uint32_t ip_dst, uint8_t protocol, uint16_t port_src, uint32_t bytes) {
+// speed up malloc/free
+#define HNODE_MAX_MALLOC 16
+static HNode *hnode_unused = NULL;
+HNode *hmalloc(void) {
+        if (hnode_unused == NULL) {
+                hnode_unused = malloc(sizeof(HNode) * HNODE_MAX_MALLOC);
+                if (!hnode_unused)
+                        errExit("malloc");
+                memset(hnode_unused, 0, sizeof(HNode) * HNODE_MAX_MALLOC);
+                HNode *ptr = hnode_unused;
+                int i;
+                for ( i = 1; i < HNODE_MAX_MALLOC; i++, ptr++)
+                        ptr->hnext = hnode_unused + i;
+        }
+
+        HNode *rv = hnode_unused;
+        hnode_unused = hnode_unused->hnext;
+        return rv;
+}
+
+void hfree(HNode *ptr) {
+        assert(ptr);
+        memset(ptr, 0, sizeof(HNode));
+        ptr->hnext = hnode_unused;
+        hnode_unused = ptr;
+}
+
+
+static void hnode_add(uint32_t ip_src, uint8_t protocol, uint16_t port_src, uint32_t bytes) {
         uint8_t h = hash(ip_src);
 
         // find
@@ -57,7 +83,7 @@ static void hnode_add(uint32_t ip_src, uint32_t ip_dst, uint8_t protocol, uint16
         while (ptr) {
                 if (ptr->ip_src == ip_src) {
                         ip_instance++;
-                        if (ptr->ip_dst == ip_dst && ptr->port_src == port_src && ptr->protocol == protocol) {
+                        if (ptr->port_src == port_src && ptr->protocol == protocol) {
                                 ptr->bytes += bytes;
                                 return;
                         }
@@ -68,12 +94,10 @@ static void hnode_add(uint32_t ip_src, uint32_t ip_dst, uint8_t protocol, uint16
 #ifdef DEBUG
         printf("malloc %d.%d.%d.%d\n", PRINT_IP(ip_src));
 #endif
-        HNode *hnew = malloc(sizeof(HNode));
-        if (!hnew)
-                errExit("malloc");
+        HNode *hnew = hmalloc();
+        assert(hnew);
         hnew->hostname = NULL;
         hnew->ip_src = ip_src;
-        hnew->ip_dst = ip_dst;
         hnew->port_src = port_src;
         hnew->protocol = protocol;
         hnew->hnext = NULL;
@@ -121,7 +145,7 @@ static void hnode_free(HNode *elem) {
                 htable[h] = elem->hnext;
         else
                 prev->hnext = elem->hnext;
-        free(elem);
+        hfree(elem);
 }
 
 #ifdef DEBUG
@@ -151,7 +175,7 @@ static char *print_bw(unsigned units) {
                 units = DISPLAY_BW_UNITS ;
 
         if (bw_line[units] == NULL) {
-                char *ptr = malloc(DISPLAY_BW_UNITS + 1);
+                char *ptr = malloc(DISPLAY_BW_UNITS + 2);
                 if (!ptr)
                         errExit("malloc");
                 bw_line[units] = ptr;
@@ -159,34 +183,77 @@ static char *print_bw(unsigned units) {
                 unsigned i;
                 for (i = 0; i < DISPLAY_BW_UNITS; i++, ptr++)
                         sprintf(ptr, "%s", (i < units)? "*": " ");
+                sprintf(ptr, "%s", " ");
         }
 
         return bw_line[units];
 }
 
-static void hnode_print(void) {
-        assert(!arg_netfilter);
-        ansi_clrscr();
+#define LINE_MAX 200
+static inline void adjust_line(char *str, int len, int cols) {
+        if (len > LINE_MAX) // functions such as snprintf truncate the string, and return the length of the untruncated string
+                len = LINE_MAX;
+        if (cols > 4 && len > cols) {
+                str[cols] = '\0';
+                str[cols- 1] = '\n';
+        }
+}
 
+#define BWMAX_CNT 8
+static unsigned adjust_bandwidth(unsigned bw) {
+        static unsigned array[BWMAX_CNT] = {0};
+        static int instance = 0;
+
+        array[instance] = bw;
+        int i;
+        unsigned sum = 0;
+        unsigned max = 0;
+        for ( i = 0; i < BWMAX_CNT; i++) {
+                sum += array[i];
+                max = (max > array[i])? max: array[i];
+        }
+        sum /= BWMAX_CNT;
+
+        if (++instance >= BWMAX_CNT)
+                instance = 0;
+
+        return (max < (sum / 2))? sum: max;
+}
+
+static void hnode_print(unsigned bw) {
+        assert(!arg_netfilter);
+        bw = (bw < 1024 * DISPLAY_INTERVAL)? 1024 * DISPLAY_INTERVAL: bw;
 #ifdef DEBUG
         printf("*********************\n");
         debug_dlist();
         printf("-----------------------------\n");
         debug_hnode();
         printf("*********************\n");
+#else
+        ansi_clrscr();
 #endif
 
         // get terminal size
         struct winsize sz;
-        int col = 80;
+        int cols = 80;
         if (isatty(STDIN_FILENO)) {
                 if (!ioctl(0, TIOCGWINSZ, &sz))
-                        col  = sz.ws_col;
+                        cols  = sz.ws_col;
         }
-#define LINE_MAX 200
+        if (cols > LINE_MAX)
+                cols = LINE_MAX;
         char line[LINE_MAX + 1];
-        if (col > LINE_MAX)
-                col = LINE_MAX;
+
+        // print stats line
+        bw = adjust_bandwidth(bw);
+        char stats[31];
+        if (bw > (1024 * 1024 * DISPLAY_INTERVAL))
+                sprintf(stats, "%u MB/s ", bw / (1024 * 1024 * DISPLAY_INTERVAL));
+        else
+                sprintf(stats, "%u KB/s ", bw / (1024 * DISPLAY_INTERVAL));
+        int len = snprintf(line, LINE_MAX, "%32s geoip %d, IP database %d\n", stats, geoip_calls, radix_nodes);
+        adjust_line(line, len, cols);
+        printf("%s", line);
 
         HNode *ptr = dlist;
         HNode *prev = NULL;
@@ -195,39 +262,45 @@ static void hnode_print(void) {
                 if (--ptr->ttl > 0) {
                         char bytes[11];
                         if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 1024 * 2)) // > 2 MB/second
-                                sprintf(bytes, "%u MB/s",
+                                snprintf(bytes, 11, "%u MB/s",
                                         (unsigned) (ptr->bytes / (DISPLAY_INTERVAL * 1024* 1024)));
                         else if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
-                                sprintf(bytes, "%u KB/s",
+                                snprintf(bytes, 11, "%u KB/s",
                                         (unsigned) (ptr->bytes / (DISPLAY_INTERVAL * 1024)));
                         else
-                                sprintf(bytes, "%u B/s", (unsigned) (ptr->bytes / DISPLAY_INTERVAL));
-
-                        char *hostname = ptr->hostname;
-                        if (!hostname)
-                                hostname = radix_find_last(ptr->ip_src);
-
-                        if (!hostname)
-                                hostname = retrieve_hostname(ptr->ip_src);
-
-                        if (!hostname)
-                                hostname = " ";
-                        else {
-                                ptr->hostname = strdup(hostname);
-                                if (!ptr->hostname)
-                                        errExit("strdup");
-                        }
-
-                        unsigned bwunit = bwmax / DISPLAY_BW_UNITS;
-                        unsigned units = ptr->bytes / bwunit;
-                        char *bwline = print_bw(units);
+                                snprintf(bytes, 11, "%u B/s ", (unsigned) (ptr->bytes / DISPLAY_INTERVAL));
+
+                        if (!ptr->hostname)
+                                ptr->hostname = radix_longest_prefix_match(ptr->ip_src);
+                        if (!ptr->hostname)
+                                ptr->hostname = retrieve_hostname(ptr->ip_src);
+                        if (!ptr->hostname)
+                                ptr->hostname = " ";
+
+                        unsigned bwunit = bw / DISPLAY_BW_UNITS;
+                        char *bwline;
+                        if (bwunit == 0)
+                                bwline = print_bw(0);
+                        else
+                                bwline = print_bw(ptr->bytes / bwunit);
+
+                        char *protocol = "";
+                        if (ptr->port_src == 80)
+                                protocol = "(HTTP)";
+                        else if (ptr->port_src == 853)
+                                protocol = "(DoT)";
+                        else if (ptr->protocol == 0x11)
+                                protocol = "(UDP)";
+/*
+                        else (ptr->port_src == 443)
+                                protocol = "TLS";
+                        else if (ptr->port_src == 53)
+                                protocol = "DNS";
+*/
 
-                        sprintf(line, "%10s %s %d.%d.%d.%d:%u %s\n", bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, hostname);
-                        int len = strlen(line);
-                        if (col > 4 && len > col) {
-                                line[col] = '\0';
-                                line[col - 1] = '\n';
-                        }
+                        len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d:%u%s %s\n",
+                                bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, protocol, ptr->hostname);
+                        adjust_line(line, len, cols);
                         printf("%s", line);
 
                         if (ptr->bytes)
@@ -246,6 +319,18 @@ static void hnode_print(void) {
 
                 ptr = next;
         }
+
+#ifdef DEBUG
+        {
+                int cnt = 0;
+                HNode *ptr = hnode_unused;
+                while (ptr) {
+                        cnt++;
+                        ptr = ptr->hnext;
+                }
+                printf("hnode unused %d\n", cnt);
+        }
+#endif
 }
 
 static void run_trace(void) {
@@ -262,18 +347,16 @@ static void run_trace(void) {
         unsigned last_print_traces = 0;
         unsigned last_print_remaining = 0;
         unsigned char buf[MAX_BUF_SIZE];
-        unsigned bwcurrent = 0;
+        unsigned bw = 0; // bandwidth calculations
         while (1) {
                 unsigned end = time(NULL);
                 if (arg_netfilter && end - start >= NETLOCK_INTERVAL)
                         break;
                 if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second
-                        if (bwcurrent > bwmax)
-                                bwmax = bwcurrent;
                         if (!arg_netfilter)
-                                hnode_print();
+                                hnode_print(bw);
                         last_print_traces = end;
-                        bwcurrent = 0;
+                        bw = 0;
                 }
                 if (arg_netfilter && last_print_remaining != end) {
                         logprintf(".");
@@ -300,9 +383,8 @@ static void run_trace(void) {
 
                 unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL);
                 if (bytes >= 20) { // size of IP header
-                        bwcurrent += bytes + 14; // assume a 14 byte Ethernet layer
-                        // filter out loopback traffic
-                        if (buf[12] != 127) {
+#ifdef DEBUG
+                        {
                                 uint32_t ip_src;
                                 memcpy(&ip_src, buf + 12, 4);
                                 ip_src = ntohl(ip_src);
@@ -310,13 +392,23 @@ static void run_trace(void) {
                                 uint32_t ip_dst;
                                 memcpy(&ip_dst, buf + 16, 4);
                                 ip_dst = ntohl(ip_dst);
+                                printf("%d.%d.%d.%d -> %d.%d.%d.%d, %u bytes\n", PRINT_IP(ip_src), PRINT_IP(ip_dst), bytes);
+                        }
+#endif
+                        // filter out loopback traffic
+                        if (buf[12] != 127 && buf[16] != 127) {
+                                bw += bytes + 14; // assume a 14 byte Ethernet layer
+
+                                uint32_t ip_src;
+                                memcpy(&ip_src, buf + 12, 4);
+                                ip_src = ntohl(ip_src);
 
                                 uint8_t hlen = (buf[0] & 0x0f) * 4;
                                 uint16_t port_src;
                                 memcpy(&port_src, buf + hlen, 2);
                                 port_src = ntohs(port_src);
 
-                                hnode_add(ip_src, ip_dst, buf[9], port_src, bytes + 14);
+                                hnode_add(ip_src, buf[9], port_src, bytes + 14);
                         }
                 }
         }
@@ -484,10 +576,9 @@ void logprintf(char* fmt, ...) {
 static void usage(void) {
         printf("Usage: fnetlock [OPTIONS]\n");
         printf("Options:\n");
-        printf("   --build=filename - compact list of addresses\n");
         printf("   --help, -? - this help screen\n");
+        printf("   --log=filename - netlocker logfile\n");
         printf("   --netfilter - build the firewall rules and commit them.\n");
-        printf("   --log=filename - logfile\n");
         printf("\n");
 }
 
@@ -499,21 +590,15 @@ int main(int argc, char **argv) {
         radix_add(0x09000000, 0xff000000, "IBM");
         radix_add(0x09090909, 0xffffffff, "Quad9 DNS");
         radix_add(0x09000000, 0xff000000, "IBM");
-        radix_print();
         printf("This test should print \"IBM, Quad9 DNS, IBM\"\n");
-        char *name = radix_find_first(0x09090909);
+        char *name = radix_longest_prefix_match(0x09040404);
         printf("%s, ", name);
-        name = radix_find_last(0x09090909);
+        name = radix_longest_prefix_match(0x09090909);
         printf("%s, ", name);
-        name = radix_find_last(0x09322209);
+        name = radix_longest_prefix_match(0x09322209);
         printf("%s\n", name);
 #endif
 
-        if (argc == 2 && strncmp(argv[1], "--build=", 8) == 0) {
-                build_list(argv[1] + 8);
-                return 0;
-        }
-
         if (getuid() != 0) {
                 fprintf(stderr, "Error: you need to be root to run this program\n");
                 return 1;
@@ -538,11 +623,8 @@ int main(int argc, char **argv) {
         if (arg_netfilter)
                 logprintf("starting network lockdown\n");
         else  {
-                char *fname;
-                if (asprintf(&fname, "%s/hostnames", SYSCONFDIR) == -1)
-                        errExit("asprintf");
+                char *fname = LIBDIR "/firejail/static-ip-map";
                 load_hostnames(fname);
-                free(fname);
         }
 
         run_trace();
diff --git a/src/fnettrace/radix.c b/src/fnettrace/radix.c
index a1f44dd31..c9493717d 100644
--- a/src/fnettrace/radix.c
+++ b/src/fnettrace/radix.c
@@ -25,57 +25,79 @@
 #include "radix.h"
 #include "fnettrace.h"
 
+typedef struct rnode_t {
+        struct rnode_t *zero;
+        struct rnode_t *one;
+        char *name;
+} RNode;
+
 RNode *head = 0;
+int radix_nodes = 0;
+
+// get rid of the malloc overhead
+#define RNODE_MAX_MALLOC 128
+static RNode *rnode_unused = NULL;
+static int rnode_malloc_cnt = 0;
+static RNode *rmalloc(void) {
+        if (rnode_unused == NULL || rnode_malloc_cnt >= RNODE_MAX_MALLOC) {
+                rnode_unused = malloc(sizeof(RNode) * RNODE_MAX_MALLOC);
+                if (!rnode_unused)
+                        errExit("malloc");
+                memset(rnode_unused, 0, sizeof(RNode) * RNODE_MAX_MALLOC);
+                rnode_malloc_cnt = 0;
+        }
+
+        rnode_malloc_cnt++;
+        return rnode_unused + rnode_malloc_cnt - 1;
+}
+
+
+static inline char *duplicate_name(const char *name) {
+        assert(name);
 
-static inline RNode *addOne(RNode *ptr, uint32_t ip, uint32_t mask, char *name) {
+        if (strcmp(name, "United States") == 0)
+                return "United States";
+        else if (strcmp(name, "Amazon") == 0)
+                return "Amazon";
+        return strdup(name);
+}
+
+static inline RNode *addOne(RNode *ptr, char *name) {
         assert(ptr);
         if (ptr->one)
                 return ptr->one;
-        RNode *node = malloc(sizeof(RNode));
-        if (!node)
-                errExit("malloc");
-        memset(node, 0, sizeof(RNode));
-        node->ip = ip;
-        node->mask = mask;
+        RNode *node = rmalloc();
+        assert(node);
         if (name) {
-                node->name = strdup(name);
+                node->name = duplicate_name(name);
                 if (!node->name)
-                        errExit("strdup");
+                        errExit("duplicate name");
         }
-        
+
         ptr->one = node;
         return node;
 }
 
-static inline RNode *addZero(RNode *ptr, uint32_t ip, uint32_t mask, char *name) {
+static inline RNode *addZero(RNode *ptr, char *name) {
         assert(ptr);
         if (ptr->zero)
                 return ptr->zero;
-        RNode *node = malloc(sizeof(RNode));
-        if (!node)
-                errExit("malloc");
-        memset(node, 0, sizeof(RNode));
-        node->ip = ip;
-        node->mask = mask;
+        RNode *node = rmalloc();
+        assert(node);
         if (name) {
-                node->name = strdup(name);
+                node->name = duplicate_name(name);
                 if (!node->name)
-                        errExit("strdup");
+                        errExit("duplicate name");
         }
-        
+
         ptr->zero = node;
         return node;
 }
 
 
 // add to radix tree
-void radix_add(uint32_t ip, uint32_t mask, char *name) {
+char *radix_add(uint32_t ip, uint32_t mask, char *name) {
         assert(name);
-        char *tmp =  strdup(name);
-        if (!tmp)
-                errExit("strdup");
-        name = tmp;
-
         uint32_t m = 0x80000000;
         uint32_t lastm = 0;
         if (head == 0) {
@@ -83,6 +105,7 @@ void radix_add(uint32_t ip, uint32_t mask, char *name) {
                 memset(head, 0, sizeof(RNode));
         }
         RNode *ptr = head;
+        radix_nodes++;
 
         int i;
         for (i = 0; i < 32; i++, m >>= 1) {
@@ -92,42 +115,22 @@ void radix_add(uint32_t ip, uint32_t mask, char *name) {
                 lastm |= m;
                 int valid = (lastm == mask)? 1: 0;
                 if (m & ip)
-                        ptr = addOne(ptr, ip & lastm, mask & lastm, (valid)? name: NULL);
+                        ptr = addOne(ptr, (valid)? name: NULL);
                 else
-                        ptr = addZero(ptr, ip & lastm, mask & lastm, (valid)? name: NULL);
+                        ptr = addZero(ptr, (valid)? name: NULL);
         }
         assert(ptr);
         if (!ptr->name) {
-                ptr->name = strdup(name);
+                ptr->name = duplicate_name(name);
                 if (!ptr->name)
-                        errExit("strdup");
+                        errExit("duplicate_name");
         }
-}
 
-// find first match
-char *radix_find_first(uint32_t ip) {
-        if (!head)
-                return NULL;
-
-        uint32_t m = 0x80000000;
-        RNode *ptr = head;
-
-        int i;
-        for (i = 0; i < 32; i++, m >>= 1) {
-                if (m & ip)
-                        ptr = ptr->one;
-                else
-                        ptr = ptr->zero;
-                if (!ptr)
-                        return NULL;
-                if (ptr->name)
-                        return ptr->name;
-        }
-        return NULL;
+        return ptr->name;
 }
 
 // find last match
-char *radix_find_last(uint32_t ip) {
+char *radix_longest_prefix_match(uint32_t ip) {
         if (!head)
                 return NULL;
 
@@ -146,73 +149,7 @@ char *radix_find_last(uint32_t ip) {
                 if (ptr->name)
                         rv = ptr;
         }
-        
-        return (rv)? rv->name: NULL;
-}
-
-static void radix_print_node(RNode *ptr, int level) {
-        assert(ptr);
-        
-        int i;
-        for (i = 0; i < level; i++)
-                printf(" ");
-        printf("%08x %08x", ptr->ip, ptr->mask);
-        if (ptr->name)
-                printf(" (%s)\n", ptr->name);
-        else
-                printf(" (NULL)\n");
-
-        if (ptr->zero)
-                radix_print_node(ptr->zero, level + 1);
-        if (ptr->one)
-                radix_print_node(ptr->one, level + 1);
-}
-
-void radix_print(void) {
-        if (!head) {
-                printf("radix tree is empty\n");
-                return;
-        }
-        
-        printf("radix IPv4 tree\n");
-        radix_print_node(head, 0);
-}
-
 
-static inline int mask2cidr(uint32_t mask) {
-        uint32_t m = 0x80000000;
-        int i;
-        int cnt = 0;
-        for (i = 0; i < 32; i++, m = m >> 1) {
-                if (mask & m)
-                        cnt++;
-        }
-        
-        return cnt;
-}
-
-static void radix_build_list_node(RNode *ptr) {
-        assert(ptr);
-        
-        
-        if (ptr->name) {
-                printf("%d.%d.%d.%d/%d %s\n", PRINT_IP(ptr->ip), mask2cidr(ptr->mask), ptr->name);
-                return;
-        }
-        else {
-                if (ptr->zero)
-                        radix_build_list_node(ptr->zero);
-                if (ptr->one)
-                        radix_build_list_node(ptr->one);
-        }
-}
-
-void radix_build_list(void) {
-        if (!head) {
-                printf("radix tree is empty\n");
-                return;
-        }
-
-        radix_build_list_node(head);    
+        return (rv)? rv->name: NULL;
 }
 
diff --git a/src/fnettrace/radix.h b/src/fnettrace/radix.h
index b77c24216..c22c5c547 100644
--- a/src/fnettrace/radix.h
+++ b/src/fnettrace/radix.h
@@ -20,18 +20,8 @@
 #ifndef RADIX_H
 #define RADIX_H
 
-typedef struct rnode_t {
-        struct rnode_t *zero;
-        struct rnode_t *one;
-        uint32_t ip;
-        uint32_t mask;
-        char *name;
-} RNode;
-
-char *radix_find_first(uint32_t ip);
-char *radix_find_last(uint32_t ip);
-void radix_add(uint32_t ip, uint32_t mask, char *name);
-void radix_print(void);
-void radix_build_list(void);
+extern int radix_nodes;
+char *radix_longest_prefix_match(uint32_t ip);
+char *radix_add(uint32_t ip, uint32_t mask, char *name);
 
 #endif
\ No newline at end of file
diff --git a/src/fnettrace/hostnames b/src/fnettrace/static-ip-map
index b10d9a13d..e24ecf218 100644
--- a/src/fnettrace/hostnames
+++ b/src/fnettrace/static-ip-map
@@ -20,7 +20,7 @@
 #
 # Static Internet Map
 #
-# Unfortunately, we cannot do a hostname lookup. This will leak a lot of
+# Unfortunately we cannot do a hostname lookup. This will leak a lot of
 # information about what network resources we access.
 # A static map, helped out by geoip package available on all Linux distros,
 # will have to do it for now!
@@ -160,6 +160,21 @@
 108.46.0.0/16 MCI
 192.229.128.0/17 MCI
 
+# Microsoft
+40.76.0.0/14 Microsoft
+40.96.0.0/12 Microsoft
+40.112.0.0/13 Microsoft
+40.124.0.0/16 Microsoft
+40.74.0.0/15 Microsoft
+40.80.0.0/12 Microsoft
+40.120.0.0/14 Microsoft
+40.125.0.0/17 Microsoft
+52.145.0.0/16 Microsoft
+52.148.0.0/14 Microsoft
+52.152.0.0/13 Microsoft
+52.146.0.0/15 Microsoft
+52.160.0.0/11 Microsoft
+
 # Yahoo
 63.250.192.0/19 Yahoo
 66.196.64.0/18 Yahoo
diff --git a/src/include/common.h b/src/include/common.h
index 24feab02a..f72ec9738 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -142,4 +142,5 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
 int pid_hidepid(void);
 void warn_dumpable(void);
 const char *gnu_basename(const char *path);
+int *str_to_int_array(const char *str, size_t *sz);
 #endif
diff --git a/src/lib/common.c b/src/lib/common.c
index f46e7db1c..91d5125b1 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -31,6 +31,7 @@
 #include <dirent.h>
 #include <string.h>
 #include <time.h>
+#include <limits.h>
 #include "../include/common.h"
 #define BUFLEN 4096
 
@@ -320,6 +321,55 @@ const char *gnu_basename(const char *path) {
         return last_slash+1;
 }
 
+// takes string with comma separated int values, returns int array
+int *str_to_int_array(const char *str, size_t *sz) {
+        assert(str && sz);
+
+        size_t curr_sz = 0;
+        size_t arr_sz = 16;
+        int *rv = malloc(arr_sz * sizeof(int));
+        if (!rv)
+                errExit("malloc");
+
+        char *dup = strdup(str);
+        if (!dup)
+                errExit("strdup");
+        char *tok = strtok(dup, ",");
+        if (!tok) {
+                free(dup);
+                free(rv);
+                goto errout;
+        }
+
+        while (tok) {
+                char *end;
+                long val = strtol(tok, &end, 10);
+                if (end == tok || *end != '\0' || val < INT_MIN || val > INT_MAX) {
+                        free(dup);
+                        free(rv);
+                        goto errout;
+                }
+
+                if (curr_sz == arr_sz) {
+                        arr_sz *= 2;
+                        rv = realloc(rv, arr_sz * sizeof(int));
+                        if (!rv)
+                                errExit("realloc");
+                }
+                rv[curr_sz++] = val;
+
+                tok = strtok(NULL, ",");
+        }
+        free(dup);
+
+        *sz = curr_sz;
+        return rv;
+
+errout:
+        *sz = 0;
+        return NULL;
+}
+
 //**************************
 // time trace based on getticks function
 //**************************
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index 668f7fcc7..a17f6423a 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -1678,14 +1678,14 @@ void syscalls_in_list(const char *list, const char *slist, int fd, char **prelis
         sl.postlist = NULL;
         syscall_check_list(list, syscall_in_list, 0, 0, &sl, native);
         if (!arg_quiet) {
-                printf("Seccomp list in: %s,", list);
+                fprintf(stderr, "Seccomp list in: %s,", list);
                 if (sl.slist)
-                        printf(" check list: %s,", sl.slist);
+                        fprintf(stderr, " check list: %s,", sl.slist);
                 if (sl.prelist)
-                        printf(" prelist: %s,", sl.prelist);
+                        fprintf(stderr, " prelist: %s,", sl.prelist);
                 if (sl.postlist)
-                        printf(" postlist: %s", sl.postlist);
-                printf("\n");
+                        fprintf(stderr, " postlist: %s", sl.postlist);
+                fprintf(stderr, "\n");
         }
         *prelist = sl.prelist;
         *postlist = sl.postlist;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 71dab18ba..e962e18da 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -349,6 +349,7 @@ Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The files in the list must be expressed as relative to the /bin,
 /sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
+Multiple private-bin commands are allowed and they accumulate.
 .TP
 \fBprivate-cache
 Mount an empty temporary filesystem on top of the .cache directory in user home. All
@@ -374,6 +375,7 @@ the /etc directory, and must not contain the / character
 (e.g., /etc/foo must be expressed as foo, but /etc/foo/bar --
 expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
+Multiple private-etc commands are allowed and they accumulate.
 #ifdef HAVE_PRIVATE_HOME
 .TP
 \fBprivate-home file,directory
@@ -502,7 +504,8 @@ There is no root account (uid 0) defined in the namespace.
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR.
+Multiple protocol commands are allowed.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
@@ -724,6 +727,11 @@ env CFLAGS="-W -Wall -Werror"
 .TP
 \fBipc-namespace
 Enable IPC namespace.
+
+.TP
+\fBkeep-fd
+Inherit open file descriptors to sandbox.
+
 .TP
 \fBname sandboxname
 Set sandbox name. Example:
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 80487a49d..59dc5d310 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -185,10 +185,7 @@ $ firejail "\-\-blacklist=/home/username/My Virtual Machines"
 $ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
 .TP
 \fB\-\-build
-The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+The command builds a whitelisted profile. The profile is printed on the screen. The program is run in a very relaxed sandbox, with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported. Chromium and Chromium-based browsers will not work.
 .br
 
 .br
@@ -197,10 +194,8 @@ Example:
 $ firejail --build vlc ~/Videos/test.mp4
 .TP
 \fB\-\-build=profile-file
-The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also
-builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
-with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
-in order to allow strace to run. Chromium and Chromium-based browsers will not work.
+The command builds a whitelisted profile, and saves it in profile-file. The program is run in a very relaxed sandbox,
+with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported. Chromium and Chromium-based browsers will not work.
 .br
 
 .br
@@ -1104,6 +1099,26 @@ Example:
 $ firejail --keep-dev-shm --private-dev
 
 .TP
+\fB\-\-keep-fd=all
+Inherit all open file descriptors to the sandbox. By default only file descriptors 0, 1 and 2 are inherited to the sandbox, and all other file descriptors are closed.
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-fd=all
+
+.TP
+\fB\-\-keep-fd=file_descriptor
+Don't close specified open file descriptors. By default only file descriptors 0, 1 and 2 are inherited to the sandbox, and all other file descriptors are closed.
+.br
+
+.br
+Example:
+.br
+$ firejail --keep-fd=3,4,5
+
+.TP
 \fB\-\-keep-var-tmp
 /var/tmp directory is untouched.
 .br
@@ -1443,6 +1458,28 @@ $ firejail --name=browser --net=eth0 --netfilter firefox &
 $ firejail --netfilter6.print=browser
 
 .TP
+\fB\-\-netlock=name/pid
+Several type of programs (email clients, multiplayer games etc.) talk to a very small
+number of IP addresses. But the best example is tor browser. It only talks to a guard node,
+and there are two or three more on standby in case the main one fails.
+During startup, the browser contacts all of them, after that it keeps talking to the main
+one... for weeks!
+
+Use the network locking feature to build and deploy a network firewall in your sandbox.
+The firewall allows only the network traffic to the IP addresses detected during the program
+startup. Traffic to any other address is quietly dropped. By default the startup monitoring
+time is one minute. Example:
+.br
+
+.br
+$ firejail --net=eth0 --netlock \\
+.br
+--private=~/tor-browser_en-US ./start-tor-browser.desktop
+.br
+
+.br
+
+.TP
 \fB\-\-netmask=address
 Use this option when you want to assign an IP address in a new namespace and
 the parent interface specified by --net is not configured. An IP address and
@@ -1480,25 +1517,35 @@ PID  User    RX(KB/s) TX(KB/s) Command
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
 .TP
-\fB\-\-nettrace=name|pid
+\fB\-\-nettrace[=name|pid]
 Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes
 created with \-\-net are supported.
 .br
 
 .br
-$ firejail --nettrace=browser
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+ $ firejail --nettrace=browser
+.br
+
+.br
+                        95 KB/s  geoip 457, IP database 4436
+.br
+   52 KB/s ***********           64.222.84.207:443 United States
 .br
-   86 KB/s *********           64.222.84.207:443 United States
+   33 KB/s *******               89.147.74.105:63930 Hungary
 .br
-   76 KB/s ********            192.229.210.163:443 MCI
+    0 B/s                        45.90.28.0:443 NextDNS
 .br
-  111 B/s                      9.9.9.9:53 Quad9 DNS
+    0 B/s                        94.70.122.176:52309(UDP) Greece
 .br
-   32 KB/s ***                 142.250.179.182:443 Google
+  339 B/s                        104.26.7.35:443 Cloudflare
 .br
 
 .br
-If /usr/bin/geoiplookup is installed (geoip-bin packet in Debian),
+If /usr/bin/geoiplookup is installed (geoip-bin package in Debian),
 the country the IP address originates from is added to the trace.
 We also use the static IP map in /etc/firejail/hostnames
 to print the domain names for some of the more common websites and cloud platforms.
@@ -1860,8 +1907,9 @@ The files in the list must be expressed as relative to the /bin,
 /sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
 If no listed files are found, /bin directory will be empty.
 The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
-All modifications are discarded when the sandbox is closed. File globbing is supported,
-see \fBFILE GLOBBING\fR section for more details.
+All modifications are discarded when the sandbox is closed.
+Multiple private-bin commands are allowed and they accumulate.
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
@@ -1957,6 +2005,7 @@ The files and directories in the list must be expressed as relative to
 the /etc directory (e.g., /etc/foo must be expressed as foo).
 If no listed file is found, /etc directory will be empty.
 All modifications are discarded when the sandbox is closed.
+Multiple private-etc commands are allowed and they accumulate.
 .br
 
 .br
@@ -2115,7 +2164,7 @@ $ firejail \-\-profile.print=browser
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet, and bluetooth. This option is not supported for i386 architecture.
 .br
 
 .br
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 334812dd6..f7cd3cdff 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -104,6 +104,7 @@ _firejail_args=(
     '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
     '--keep-config-pulse[disable automatic ~/.config/pulse init]'
     '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
+    '--keep-fd[inherit open file descriptors to sandbox]'
     '--keep-var-tmp[/var/tmp directory is untouched]'
     '--machine-id[spoof /etc/machine-id with a random id]'
     '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
diff --git a/test/environment/deterministic-shutdown.exp b/test/environment/deterministic-shutdown.exp
index dbbe226bb..be4e9c42e 100755
--- a/test/environment/deterministic-shutdown.exp
+++ b/test/environment/deterministic-shutdown.exp
@@ -3,14 +3,15 @@
 # Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
 
-set timeout 5
+set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --deterministic-shutdown bash -c \"sleep 10 & exec sleep 1\"\r"
+send -- "firejail --deterministic-shutdown bash -c \"sleep 100 & exec sleep 1\"\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Parent is shutting down, bye..."
 }
+after 100
 
 puts "\nall done\n"
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index ce0bb306c..2b77973ac 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -127,5 +127,11 @@ echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code
 echo "TESTING: deterministic shutdown (test/environment/deterministic-shutdown.exp)"
 ./deterministic-shutdown.exp
 
+echo "TESTING: keep fd (test/environment/keep-fd.exp)"
+./keep-fd.exp
+
+echo "TESTING: keep fd errors (test/environment/keep-fd-bad.exp)"
+./keep-fd-bad.exp
+
 echo "TESTING: retain umask (test/environment/umask.exp)"
 (umask 123 && ./umask.exp)
diff --git a/test/environment/keep-fd-bad.exp b/test/environment/keep-fd-bad.exp
new file mode 100755
index 000000000..e8b411ea0
--- /dev/null
+++ b/test/environment/keep-fd-bad.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+send -- "firejail --noprofile --keep-fd=\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+
+send -- "firejail --noprofile --keep-fd=,,,\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+
+send -- "firejail --noprofile --keep-fd=dall\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+
+send -- "firejail --noprofile --keep-fd=6,7,8,10b,11\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+
+
+puts "\nall done\n"
diff --git a/test/environment/keep-fd.exp b/test/environment/keep-fd.exp
new file mode 100755
index 000000000..222234ceb
--- /dev/null
+++ b/test/environment/keep-fd.exp
@@ -0,0 +1,223 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+#
+# obtain some open file descriptors
+#
+send -- "exec {WRITE_FD}> blabla\r"
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "exec {READ_FD}< blabla\r"
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/blabla"
+}
+after 100
+
+
+#
+# inherit environment variables
+#
+send -- "export READ_FD\r"
+send -- "export WRITE_FD\r"
+after 100
+
+
+#
+# close all file descriptors
+# 0, 1, 2 stay open
+#
+send -- "firejail --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "4"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep one file descriptor
+#
+send -- "firejail --noprofile --keep-fd=\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Child process initialized"
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "5"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep other file descriptor
+#
+send -- "firejail --noprofile --keep-fd=\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "5"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "No such file or directory"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep both file descriptors
+#
+send -- "firejail --noprofile --keep-fd=\$READ_FD,\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "Child process initialized"
+}
+after 100
+
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "6"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# keep all file descriptors
+#
+send -- "firejail --noprofile --keep-fd=all\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "Child process initialized"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "/blabla"
+}
+after 100
+
+send -- "exit\r"
+after 500
+
+
+#
+# cleanup
+#
+send -- "rm -f blabla\r"
+after 100
+
+
+puts "\nall done\n"
diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp
index 0882561e5..a779f80cd 100755
--- a/test/fcopy/dircopy.exp
+++ b/test/fcopy/dircopy.exp
@@ -12,9 +12,21 @@ match_max 100000
 
 send -- "rm -fr dest/*\r"
 after 100
+send -- "cd src\r"
+after 100
+send -- "ln -s ../dircopy.exp dircopy.exp\r"
+after 100
+send -- "cd ..\r"
+after 100
 
 send -- "fcopy src dest\r"
 after 100
+send -- "cd src\r"
+after 100
+send -- "ln -s ../dircopy.exp dircopy.exp\r"
+after 100
+send -- "cd ..\r"
+after 100
 
 send -- "find dest\r"
 expect {
@@ -135,5 +147,7 @@ expect {
 
 send -- "rm -fr dest/*\r"
 after 100
+send -- "rm -f src/dircopy.exp\r"
+after 100
 
 puts "\nall done\n"
diff --git a/test/fcopy/fcopy.sh b/test/fcopy/fcopy.sh
index cdfc424a3..fca599889 100755
--- a/test/fcopy/fcopy.sh
+++ b/test/fcopy/fcopy.sh
@@ -19,13 +19,14 @@ mkdir dest
 echo "TESTING: fcopy cmdline (test/fcopy/cmdline.exp)"
 ./cmdline.exp
 
-echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)"
-./dircopy.exp
-
 echo "TESTING: fcopy file (test/fcopy/filecopy.exp)"
 ./filecopy.exp
 
 echo "TESTING: fcopy link (test/fcopy/linkcopy.exp)"
 ./linkcopy.exp
 
+echo "TESTING: fcopy directory (test/fcopy/dircopy.exp)"
+./dircopy.exp
+
 rm -fr dest/*
+rm -f src/dircopy.exp
\ No newline at end of file
diff --git a/test/fcopy/linkcopy.exp b/test/fcopy/linkcopy.exp
index dd91ac26f..7c085e552 100755
--- a/test/fcopy/linkcopy.exp
+++ b/test/fcopy/linkcopy.exp
@@ -12,6 +12,12 @@ match_max 100000
 
 send -- "rm -fr dest/*\r"
 after 100
+send -- "cd src\r"
+after 100
+send -- "ln -s ../dircopy.exp dircopy.exp\r"
+after 100
+send -- "cd ..\r"
+after 100
 
 send -- "fcopy src/dircopy.exp dest\r"
 after 100
@@ -19,7 +25,7 @@ after 100
 send -- "find dest\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "dest/"
+        "dest"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -27,11 +33,11 @@ expect {
 }
 after 100
 
-
 send -- "ls -al dest\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "lrwxrwxrwx"
+        "rwxr-xr-x" { puts "umask 0022\n" }
+        "rwxrwxr-x" { puts "umask 0002\n" }
 }
 after 100
 send -- "stty -echo\r"
@@ -52,5 +58,7 @@ expect {
 
 send -- "rm -fr dest/*\r"
 after 100
+send -- "rm -f src/dircopy.exp\r"
+after 100
 
 puts "\nall done\n"
diff --git a/test/fcopy/src/dircopy.exp b/test/fcopy/src/dircopy.exp
deleted file mode 100755
index 0882561e5..000000000
--- a/test/fcopy/src/dircopy.exp
+++ /dev/null
@@ -1,139 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2022 Firejail Authors
-# License GPL v2
-
-#
-# copy directory src to dest
-#
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "rm -fr dest/*\r"
-after 100
-
-send -- "fcopy src dest\r"
-after 100
-
-send -- "find dest\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "dest/"
-}
-after 100
-
-send -- "find dest\r"
-expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "dest/"
-}
-after 100
-
-send -- "find dest\r"
-expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "dest/a"
-}
-after 100
-
-send -- "find dest\r"
-expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "dest/a/b"
-}
-after 100
-
-send -- "find dest\r"
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "dest/a/b/file4"
-}
-after 100
-
-send -- "find dest\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "dest/a/file3"
-}
-after 100
-
-send -- "find dest\r"
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "dest/dircopy.exp"
-}
-after 100
-
-send -- "find dest\r"
-expect {
-        timeout {puts "TESTING ERROR 6\n";exit}
-        "dest/file2"
-}
-after 100
-
-send -- "find dest\r"
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "dest/file1"
-}
-after 100
-
-
-send -- "ls -al dest\r"
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "drwxr-xr-x" { puts "umask 0022\n" }
-        "drwxrwxr-x" { puts "umask 0002\n" }
-}
-expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
-        "a"
-}
-expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
-        "lrwxrwxrwx"
-}
-expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
-        "dircopy.exp"
-}
-expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
-        "rwxr-xr-x" { puts "umask 0022\n" }
-        "rwxrwxr-x" { puts "umask 0002\n" }
-}
-expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
-        "file1"
-}
-expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
-        "rw-r--r--" { puts "umask 0022\n" }
-        "rw-rw-r--" { puts "umask 0002\n" }
-}
-expect {
-        timeout {puts "TESTING ERROR 15\n";exit}
-        "file2"
-}
-after 100
-
-send -- "stty -echo\r"
-after 100
-send -- "diff -q src/a/b/file4 dest/a/b/file4; echo done\r"
-expect {
-        timeout {puts "TESTING ERROR 16\n";exit}
-        "differ" {puts "TESTING ERROR 17\n";exit}
-        "done"
-}
-
-send -- "file dest/dircopy.exp\r"
-expect {
-        timeout {puts "TESTING ERROR 18\n";exit}
-        "symbolic link"
-}
-
-send -- "rm -fr dest/*\r"
-after 100
-
-puts "\nall done\n"