55 files changed, 908 insertions, 748 deletions

diff --git a/README b/README
index 3f8eb6136..04d2c7001 100644
--- a/README
+++ b/README
@@ -310,6 +310,8 @@ DiGitHubCap (https://github.com/DiGitHubCap)
         - fix qt5ct colour schemes and QSS
 Disconnect3d (https://github.com/disconnect3d)
         - code cleanup
+dm9pZCAq (https://github.com/dm9pZCAq)
+        - fix for compilation under musl
 dmfreemon (https://github.com/dmfreemon)
         - add sandbox name or name of private directory to the window title when xpra is used
         - handle malloc() failures; use gnu_basename() instead of basenaem()
diff --git a/README.md b/README.md
index 40c6e9d98..cf9d9563e 100644
--- a/README.md
+++ b/README.md
@@ -22,43 +22,23 @@ implemented directly in Linux kernel and available on any Linux computer.
 <table><tr>
 
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=8jfXL0ePV7U
-" target="_blank"><img src="http://img.youtube.com/vi/8jfXL0ePV7U/0.jpg"
-alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a>
+<a href="https://www.brighteon.com/1928415c-2bce-40b2-a81f-7861a3734913" target="_blank">
+<img src="https://video.brighteon.com/file/Brighteon-staging/thumbnail/682ae17c-3fd8-4813-9c4e-6917c7cd2a5c.0000001.jpg"
+alt="Introduction" width="240" height="142" border="10" /><br/>Introduction</a>
 </td>
 
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU
-" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg"
-alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a>
+<a href="https://www.brighteon.com/c20c32ac-1953-438f-8640-a414dcb318d6" target="_blank">
+<img src="https://photos.brighteon.com/thumbnail/ecd8b0ca-7564-4993-a676-bbe4aa21cffc"
+alt="Technology" width="240" height="142" border="10" /><br/>Technology</a>
 </td>
 
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4
-" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg"
-alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a>
+<a href="https://www.brighteon.com/94ae1731-2352-4cda-bb48-7cc7a6ad32f8" target="_blank">
+<img src="https://photos.brighteon.com/thumbnail/5c90254c-61f3-4927-ac57-ae279dc543cf"
+alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a>
 </td>
 
-
-</tr><tr>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
-" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
-alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
-
-</td>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
-" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
-alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a>
-
-</td>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o
-" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg"
-alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a>
-
-</td>
 </tr></table>
 
 Project webpage: https://firejail.wordpress.com/
@@ -239,30 +219,30 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi
 $ sudo cp src/profstats/profstats /etc/firejail/.
 $ cd /etc/firejail
 $ ./profstats *.profile
-    profiles                    1150
-    include local profile       1150   (include profile-name.local)
-    include globals             1120   (include globals.local)
-    blacklist ~/.ssh            1026   (include disable-common.inc)
-    seccomp                     1050
-    capabilities                1146
-    noexec                      1030   (include disable-exec.inc)
-    noroot                      959
-    memory-deny-write-execute   253
-    apparmor                    681
-    private-bin                 667
-    private-dev                 1009
-    private-etc                 523
-    private-tmp                 883
-    whitelist home directory    547
-    whitelist var               818   (include whitelist-var-common.inc)
-    whitelist run/user          616   (include whitelist-runuser-common.inc
+    profiles                    1167
+    include local profile       1167   (include profile-name.local)
+    include globals             1136   (include globals.local)
+    blacklist ~/.ssh            1042   (include disable-common.inc)
+    seccomp                     1062
+    capabilities                1163
+    noexec                      1049   (include disable-exec.inc)
+    noroot                      971
+    memory-deny-write-execute   256
+    apparmor                    693
+    private-bin                 677
+    private-dev                 1027
+    private-etc                 532
+    private-tmp                 897
+    whitelist home directory    557
+    whitelist var               836   (include whitelist-var-common.inc)
+    whitelist run/user          1137   (include whitelist-runuser-common.inc
                                         or blacklist ${RUNUSER})
-    whitelist usr/share         591   (include whitelist-usr-share-common.inc
-    net none                    391
-    dbus-user none              641
-    dbus-user filter            105
-    dbus-system none            792
-    dbus-system filter          7
+    whitelist usr/share         609   (include whitelist-usr-share-common.inc
+    net none                    396
+    dbus-user none              656
+    dbus-user filter            108
+    dbus-system none            808
+    dbus-system filter          10
 ```
 
 ### New profiles:
diff --git a/configure b/configure
index 33a4ca9fb..557f5beb2 100755
--- a/configure
+++ b/configure
@@ -711,6 +711,7 @@ ac_subst_files=''
 ac_user_opts='
 enable_option_checking
 enable_analyzer
+enable_sanitizer
 enable_apparmor
 enable_selinux
 enable_dbusproxy
@@ -1368,6 +1369,8 @@ Optional Features:
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
   --enable-analyzer       enable GCC static analyzer
+  --enable-sanitizer=[address | memory | undefined]
+                          enable a compiler-based sanitizer (debug)
   --enable-apparmor       enable apparmor
   --enable-selinux        SELinux labeling support
   --disable-dbusproxy     disable dbus proxy
@@ -3294,6 +3297,57 @@ if test "x$enable_analyzer" = "xyes"; then :
 
 fi
 
+# Check whether --enable-sanitizer was given.
+if test "${enable_sanitizer+set}" = set; then :
+  enableval=$enable_sanitizer;
+else
+  enable_sanitizer=no
+fi
+
+if test "x$enable_sanitizer" != "xno" ; then :
+  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-fsanitize=$enable_sanitizer" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=$enable_sanitizer" >&5
+$as_echo_n "checking whether C compiler accepts -fsanitize=$enable_sanitizer... " >&6; }
+if eval \${$as_CACHEVAR+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -fsanitize=$enable_sanitizer"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval "$as_CACHEVAR=yes"
+else
+  eval "$as_CACHEVAR=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+eval ac_res=\$$as_CACHEVAR
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then :
+
+                EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+                EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+
+else
+  as_fn_error $? "sanitizer not supported: $enable_sanitizer" "$LINENO" 5
+
+fi
+
+fi
+
 HAVE_APPARMOR=""
 # Check whether --enable-apparmor was given.
 if test "${enable_apparmor+set}" = set; then :
diff --git a/configure.ac b/configure.ac
index 5fde6d402..fc5823143 100644
--- a/configure.ac
+++ b/configure.ac
@@ -45,6 +45,15 @@ AS_IF([test "x$enable_analyzer" = "xyes"], [
         EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
 ])
 
+AC_ARG_ENABLE([sanitizer],
+    AS_HELP_STRING([--enable-sanitizer=@<:@address | memory | undefined@:>@], [enable a compiler-based sanitizer (debug)]), [], [enable_sanitizer=no])
+AS_IF([test "x$enable_sanitizer" != "xno" ],
+        [AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [
+                EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+                EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+        ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]
+)])
+
 HAVE_APPARMOR=""
 AC_ARG_ENABLE([apparmor],
     AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc
new file mode 100644
index 000000000..81a8883f3
--- /dev/null
+++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-proc.local
+
+blacklist /proc/acpi
+blacklist /proc/asound
+blacklist /proc/bootconfig
+blacklist /proc/buddyinfo
+blacklist /proc/cgroups
+blacklist /proc/cmdline
+blacklist /proc/config.gz
+blacklist /proc/consoles
+#blacklist /proc/cpuinfo
+blacklist /proc/crypto
+blacklist /proc/devices
+blacklist /proc/diskstats
+blacklist /proc/dma
+#blacklist /proc/driver
+blacklist /proc/dynamic_debug
+blacklist /proc/execdomains
+blacklist /proc/fb
+#blacklist /proc/filesystems
+blacklist /proc/fs
+blacklist /proc/i8k
+blacklist /proc/interrupts
+blacklist /proc/iomem
+blacklist /proc/ioports
+blacklist /proc/irq
+blacklist /proc/kallsyms
+blacklist /proc/kcore
+blacklist /proc/keys
+blacklist /proc/key-users
+blacklist /proc/kmsg
+blacklist /proc/kpagecgroup
+blacklist /proc/kpagecount
+blacklist /proc/kpageflags
+blacklist /proc/latency_stats
+#blacklist /proc/loadavg
+blacklist /proc/locks
+blacklist /proc/mdstat
+#blacklist /proc/meminfo
+blacklist /proc/misc
+#blacklist /proc/modules
+#blacklist /proc/mounts
+blacklist /proc/mtrr
+#blacklist /proc/net
+blacklist /proc/partitions
+blacklist /proc/pressure
+blacklist /proc/sched_debug
+blacklist /proc/schedstat
+blacklist /proc/scsi
+#blacklist /proc/self
+blacklist /proc/slabinfo
+blacklist /proc/softirqs
+blacklist /proc/spl
+#blacklist /proc/stat
+blacklist /proc/swaps
+#blacklist /proc/sys
+blacklist /proc/sysrq-trigger
+blacklist /proc/sysvipc
+#blacklist /proc/thread-self
+blacklist /proc/timer_list
+blacklist /proc/tty
+#blacklist /proc/uptime
+#blacklist /proc/version
+blacklist /proc/version_signature
+blacklist /proc/vmallocinfo
+#blacklist /proc/vmstat
+#blacklist /proc/zoneinfo
+
+blacklist /proc/sys/abi
+blacklist /proc/sys/crypto
+blacklist /proc/sys/debug
+blacklist /proc/sys/dev
+blacklist /proc/sys/fs
+blacklist /proc/sys/net
+blacklist /proc/sys/user
+blacklist /proc/sys/vm
+
+noblacklist /proc/sys/kernel/osrelease
+noblacklist /proc/sys/kernel/yama
+blacklist /proc/sys/*/*
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
index 224d21064..0d87657a9 100644
--- a/etc/inc/whitelist-run-common.inc
+++ b/etc/inc/whitelist-run-common.inc
@@ -7,5 +7,6 @@ whitelist /run/cups/cups.sock
 whitelist /run/dbus/system_bus_socket
 whitelist /run/media
 whitelist /run/resolvconf/resolv.conf
+whitelist /run/shm
 whitelist /run/systemd/resolve/resolv.conf
 whitelist /run/systemd/resolve/stub-resolv.conf
diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile
index 76fd21d32..a256e942f 100644
--- a/etc/profile-a-l/Books.profile
+++ b/etc/profile-a-l/Books.profile
@@ -1,5 +1,10 @@
 # Firejail profile for gnome-books
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Books.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 
 
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 62857a3e2..68512e37b 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -29,7 +29,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index e7b78f7d0..7d8ec481d 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -39,7 +39,7 @@ dbus-user.own org.kde.amarok
 dbus-user.own org.mpris.amarok
 dbus-user.own org.mpris.MediaPlayer2.amarok
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 # If you're not on kde-plasma add the next lines to your amarok.local.
 #dbus-user.own org.kde.kded
 #dbus-user.own org.kde.klauncher
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 683a7858b..66f38b358 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.parallelrealities/blobwars
 whitelist ${HOME}/.parallelrealities/blobwars
 whitelist /usr/share/blobwars
+whitelist /usr/share/games/blobwars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -28,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 5c7bc03d8..862ef6ab6 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -63,6 +63,6 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.portal.Desktop
 dbus-user.talk org.gnome.Shell
 dbus-user.talk org.kde.KWin
-dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user.own org.kde.*
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 dbus-system none
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index bb35c9447..88943760a 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 1009f345b..4a08fca9b 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -35,7 +35,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index 35d969e6d..edb85048b 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index dec0daef2..b5f98b411 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index 8d391b90f..59d762f55 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
-private-bin jumpnbump-menu,python3*
+private-bin env,jumpnbump-menu,python3*
 
 # Redirect
 include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index b9bc8f219..9726ff6fe 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -27,7 +27,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 0f3e6605b..45a707071 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -98,11 +98,10 @@ dbus-user.talk org.freedesktop.ScreenSaver
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.xfce.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 # Add the next line to your keepassxc.local to allow notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Add the next line to your keepassxc.local to allow the tray menu.
-#dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user.own org.kde.*
 dbus-system filter
 dbus-system.talk org.freedesktop.login1
 
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 16dc97d0c..5b5902563 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -37,7 +37,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 58cc716d9..0f55b674f 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -60,6 +60,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.kde.neochat
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.kde.kwalletd5
 dbus-system none
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index d0eef9704..354d3351e 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -67,6 +67,5 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
-# Add the next line to your nextcloud.local for tray icon support
-#dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 2f305dae9..89a146a09 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -53,8 +53,7 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 # Add the next line to your nheko.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-# Add the next line to your nheko.local to enable tray icon support.
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 12c7ea3d0..c2c22f42d 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -25,7 +25,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 253465991..68362cbc8 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -28,7 +28,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 5f17b73dc..3f7f68009 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -49,10 +49,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
-dbus-user none
-# Add the next lines to your spectral.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your spectral.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 323849e35..d48065c4b 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index df54fb9ba..d0fb0d43e 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -26,7 +26,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index fd4b82524..dc1f77664 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -50,7 +50,7 @@ private-tmp
 dbus-user filter
 dbus-user.own org.telegram.desktop.*
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.freedesktop.ScreenSaver
 dbus-system none
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index a7ebaf2af..19e586db4 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -28,7 +28,6 @@ ipc-namespace
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 4e16df553..96541ae25 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.tremulous
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,7 +44,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin tremded,tremulous,tremulous-wrapper
+private-bin env,sh,tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index 5659ec69c..2f818b733 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/warsow-2.1
 noblacklist ${HOME}/.local/share/warsow-2.1
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -34,19 +37,18 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 
 disable-mnt
-private-bin warsow
+private-bin basename,bash,dirname,sed,sh,uname,warsow
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 6ffe9ece9..7c2b38d1d 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -32,7 +32,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 7628313e0..44197b547 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-interpreters.inc
+#include disable-proc.inc
 #include disable-programs.inc
 #include disable-shell.inc
 #include disable-write-mnt.inc
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 8700e0ba1..a1847284c 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -236,9 +236,6 @@ void build_share(const char *fname, FILE *fp) {
 //*******************************************
 static FileDB *tmp_out = NULL;
 static void tmp_callback(char *ptr) {
-        // skip strace file
-        if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
-                return;
         if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
                 return;
         if (strcmp(ptr, "/tmp") == 0)
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index e7ffbca36..38b3c32d3 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -18,7 +18,8 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
-#include <sys/stat.h>
+#include <sys/wait.h>
+#include <errno.h>
 
 #define MAXBUF 4096
 
@@ -68,52 +69,60 @@ errout:
                 fclose(fp);
 }
 
+static int is_cgroup_path(const char *fname) {
+        // path starts with /sys/fs/cgroup
+        if (strncmp(fname, "/sys/fs/cgroup", 14) != 0)
+                return 0;
 
-void set_cgroup(const char *path) {
-        EUID_ASSERT();
+        // no .. traversal
+        char *ptr = strstr(fname, "..");
+        if (ptr)
+                return 0;
 
-        invalid_filename(path, 0); // no globbing
+        return 1;
+}
 
-        // path starts with /sys/fs/cgroup
-        if (strncmp(path, "/sys/fs/cgroup", 14) != 0)
-                goto errout;
+void check_cgroup_file(const char *fname) {
+        assert(fname);
+        invalid_filename(fname, 0); // no globbing
 
-        // path ends in tasks
-        char *ptr = strstr(path, "tasks");
-        if (!ptr)
-                goto errout;
-        if (*(ptr + 5) != '\0')
+        if (!is_cgroup_path(fname))
                 goto errout;
 
-        // no .. traversal
-        ptr = strstr(path, "..");
-        if (ptr)
+        const char *base = gnu_basename(fname);
+        if (strcmp(base, "tasks") != 0 &&  // cgroup v1
+            strcmp(base, "cgroup.procs") != 0)
                 goto errout;
 
-        // tasks file exists
-        FILE *fp = fopen(path, "ae");
-        if (!fp)
-                goto errout;
-        // task file belongs to the user running the sandbox
-        int fd = fileno(fp);
-        if (fd == -1)
-                errExit("fileno");
-        struct stat s;
-        if (fstat(fd, &s) == -1)
-                errExit("fstat");
-        if (s.st_uid != getuid() && s.st_gid != getgid())
-                goto errout2;
-        // add the task to cgroup
-        pid_t pid = getpid();
-        int rv = fprintf(fp, "%d\n", pid);
-        (void) rv;
-        fclose(fp);
-        return;
+        if (access(fname, W_OK) == 0)
+                return;
 
 errout:
         fprintf(stderr, "Error: invalid cgroup\n");
         exit(1);
-errout2:
-        fprintf(stderr, "Error: you don't have permissions to use this control group\n");
-        exit(1);
+}
+
+static void do_set_cgroup(const char *fname, pid_t pid) {
+        FILE *fp = fopen(fname, "ae");
+        if (!fp) {
+                fwarning("cannot open %s for writing: %s\n", fname, strerror(errno));
+                return;
+        }
+
+        int rv = fprintf(fp, "%d\n", pid);
+        (void) rv;
+        fclose(fp);
+}
+
+void set_cgroup(const char *fname, pid_t pid) {
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                drop_privs(0);
+
+                do_set_cgroup(fname, pid);
+                _exit(0);
+        }
+        waitpid(child, NULL, 0);
 }
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 37ec22117..9425638ea 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -86,7 +86,7 @@ static void update_file(int parentfd, const char *relpath) {
         if (arg_debug)
                 printf("Updating chroot /%s\n", relpath);
         unlinkat(parentfd, relpath, 0);
-        int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (out == -1) {
                 close(in);
                 goto errout;
diff --git a/src/firejail/env.c b/src/firejail/env.c
index ad16de037..4c0d729a1 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <dirent.h>
+#include <limits.h>
 
 typedef struct env_t {
         struct env_t *next;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 730c37aed..a6924b830 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
 #include "../include/rundefs.h"
+#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
 #include <stdarg.h>
 #include <sys/stat.h>
 
@@ -433,13 +434,15 @@ void fs_proc_sys_dev_boot(void);
 void disable_config(void);
 // build a basic read-only filesystem
 void fs_basic_fs(void);
-// mount overlayfs on top of / directory
-char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
-void fs_overlayfs(void);
 void fs_private_tmp(void);
 void fs_private_cache(void);
 void fs_mnt(const int enforce);
 
+// fs_overlayfs.c
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
+void fs_overlayfs(void);
+int remove_overlay_directory(void);
+
 // chroot.c
 // chroot into an existing directory; mount existing /dev and update /etc/resolv.conf
 void fs_check_chroot_dir(void);
@@ -516,6 +519,7 @@ void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 char *realpath_as_user(const char *fname);
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz);
 int stat_as_user(const char *fname, struct stat *s);
 int lstat_as_user(const char *fname, struct stat *s);
 void trim_trailing_slash_or_dot(char *path);
@@ -529,8 +533,7 @@ void update_map(char *mapping, char *map_file);
 void wait_for_other(int fd);
 void notify_other(int fd);
 uid_t pid_get_uid(pid_t pid);
-uid_t get_group_id(const char *group);
-int remove_overlay_directory(void);
+gid_t get_group_id(const char *groupname);
 void flush_stdin(void);
 int create_empty_dir_as_user(const char *dir, mode_t mode);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
@@ -564,7 +567,7 @@ typedef struct {
 // mountinfo.c
 MountData *get_last_mount(void);
 int get_mount_id(int fd);
-char **build_mount_array(const int mount_id, const char *path);
+char **build_mount_array(const int mountid, const char *path);
 
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
@@ -645,7 +648,8 @@ void cpu_print_filter(pid_t pid) __attribute__((noreturn));
 // cgroup.c
 void save_cgroup(void);
 void load_cgroup(const char *fname);
-void set_cgroup(const char *path);
+void check_cgroup_file(const char *fname);
+void set_cgroup(const char *fname, pid_t pid);
 
 // output.c
 void check_output(int argc, char **argv);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3144156a3..9c1b889ed 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -20,10 +20,7 @@
 #include "firejail.h"
 #include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
-#include <sys/stat.h>
 #include <sys/statvfs.h>
-#include <sys/wait.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
@@ -35,7 +32,7 @@
 #endif
 
 #define MAX_BUF 4096
-#define EMPTY_STRING ("")
+
 // check noblacklist statements not matched by a proper blacklist in disable-*.inc files
 //#define TEST_NO_BLACKLIST_MATCHING
 
@@ -657,12 +654,13 @@ static void fs_remount_rec(const char *path, OPERATION op) {
 
         // build array with all mount points that need to get remounted
         char **arr = build_mount_array(mountid, path);
-        assert(arr);
+        if (!arr)
+                return;
         // remount
-        char **tmp = arr;
-        while (*tmp) {
-                fs_remount_simple(*tmp, op);
-                free(*tmp++);
+        int i;
+        for (i = 0; arr[i]; i++) {
+                fs_remount_simple(arr[i], op);
+                free(arr[i]);
         }
         free(arr);
 }
@@ -897,367 +895,6 @@ void fs_basic_fs(void) {
 }
 
 
-
-#ifdef HAVE_OVERLAYFS
-char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
-        assert(subdirname);
-        EUID_ASSERT();
-        struct stat s;
-        char *dirname;
-
-        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
-                errExit("asprintf");
-        // check if ~/.firejail already exists
-        if (lstat(dirname, &s) == 0) {
-                if (!S_ISDIR(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode))
-                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
-                        else
-                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
-                        exit(1);
-                }
-                if (s.st_uid != getuid()) {
-                        fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
-                        exit(1);
-                }
-        }
-        else {
-                // create ~/.firejail directory
-                create_empty_dir_as_user(dirname, 0700);
-                if (stat(dirname, &s) == -1) {
-                        fprintf(stderr, "Error: cannot create directory %s\n", dirname);
-                        exit(1);
-                }
-        }
-        free(dirname);
-
-        // check overlay directory
-        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
-                errExit("asprintf");
-        if (lstat(dirname, &s) == 0) {
-                if (!S_ISDIR(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode))
-                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
-                        else
-                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
-                        exit(1);
-                }
-                if (s.st_uid != 0) {
-                        fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
-                        exit(1);
-                }
-                if (allow_reuse == 0) {
-                        fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
-                        exit(1);
-                }
-        }
-
-        return dirname;
-}
-
-
-
-// mount overlayfs on top of / directory
-// mounting an overlay and chrooting into it:
-//
-// Old Ubuntu kernel
-// # cd ~
-// # mkdir -p overlay/root
-// # mkdir -p overlay/diff
-// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
-// # chroot /root/overlay/root
-// to shutdown, first exit the chroot and then  unmount the overlay
-// # exit
-// # umount /root/overlay/root
-//
-// Kernels 3.18+
-// # cd ~
-// # mkdir -p overlay/root
-// # mkdir -p overlay/diff
-// # mkdir -p overlay/work
-// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
-// # cat /etc/mtab | grep overlay
-// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
-// # chroot /root/overlay/root
-// to shutdown, first exit the chroot and then  unmount the overlay
-// # exit
-// # umount /root/overlay/root
-
-
-// to do: fix the code below; also, it might work without /dev, but consider keeping /dev/shm; add locking mechanism for overlay-clean
-#include <sys/utsname.h>
-void fs_overlayfs(void) {
-        struct stat s;
-
-        // check kernel version
-        struct utsname u;
-        int rv = uname(&u);
-        if (rv != 0)
-                errExit("uname");
-        int major;
-        int minor;
-        if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
-                fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
-                exit(1);
-        }
-
-        if (arg_debug)
-                printf("Linux kernel version %d.%d\n", major, minor);
-        int oldkernel = 0;
-        if (major < 3) {
-                fprintf(stderr, "Error: minimum kernel version required 3.x\n");
-                exit(1);
-        }
-        if (major == 3 && minor < 18)
-                oldkernel = 1;
-
-        // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
-        // we disable overlayfs for now, pending fixing
-        if (major >= 4 &&minor >= 19) {
-                fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
-                exit(1);
-        }
-
-        char *oroot = RUN_OVERLAY_ROOT;
-        mkdir_attr(oroot, 0755, 0, 0);
-
-        // set base for working and diff directories
-        char *basedir = RUN_MNT_DIR;
-        int basefd = -1;
-
-        if (arg_overlay_keep) {
-                basedir = cfg.overlay_dir;
-                assert(basedir);
-                // get a file descriptor for ~/.firejail, fails if there is any symlink
-                char *firejail;
-                if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
-                        errExit("asprintf");
-                int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                if (fd == -1)
-                        errExit("safer_openat");
-                free(firejail);
-                // create basedir if it doesn't exist
-                // the new directory will be owned by root
-                const char *dirname = gnu_basename(basedir);
-                if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
-                        perror("mkdir");
-                        fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
-                        exit(1);
-                }
-                // open basedir
-                basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                close(fd);
-        }
-        else {
-                basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-        }
-        if (basefd == -1) {
-                perror("open");
-                fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
-                exit(1);
-        }
-
-        // confirm once more base is owned by root
-        if (fstat(basefd, &s) == -1)
-                errExit("fstat");
-        if (s.st_uid != 0) {
-                fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
-                exit(1);
-        }
-        // confirm permissions of base are 0755
-        if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
-                fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
-                exit(1);
-        }
-
-        // create diff and work directories inside base
-        // no need to check arg_overlay_reuse
-        char *odiff;
-        if (asprintf(&odiff, "%s/odiff", basedir) == -1)
-                errExit("asprintf");
-        // the new directory will be owned by root
-        if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
-                perror("mkdir");
-                fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
-                exit(1);
-        }
-        ASSERT_PERMS(odiff, 0, 0, 0755);
-
-        char *owork;
-        if (asprintf(&owork, "%s/owork", basedir) == -1)
-                errExit("asprintf");
-        // the new directory will be owned by root
-        if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
-                perror("mkdir");
-                fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
-                exit(1);
-        }
-        ASSERT_PERMS(owork, 0, 0, 0755);
-
-        // mount overlayfs
-        if (arg_debug)
-                printf("Mounting OverlayFS\n");
-        char *option;
-        if (oldkernel) { // old Ubuntu/OpenSUSE kernels
-                if (arg_overlay_keep) {
-                        fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
-                        exit(1);
-                }
-                if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
-                        errExit("asprintf");
-                if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
-                        errExit("mounting overlayfs");
-        }
-        else { // kernel 3.18 or newer
-                if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
-                        errExit("asprintf");
-                if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
-                        fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
-                        errExit("mounting overlayfs");
-                }
-
-                //***************************
-                // issue #263 start code
-                // My setup has a separate mount point for /home. When the overlay is mounted,
-                // the overlay does not contain the original /home contents.
-                // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
-                // @dshmgh, Jan 2016
-                {
-                        char *overlayhome;
-                        struct stat s;
-                        char *hroot;
-                        char *hdiff;
-                        char *hwork;
-
-                        // dons add debug
-                        if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s  odiff %s  owork %s\n",oroot,odiff,owork);
-
-                        // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
-                        // must create var for oroot/cfg.homedir
-                        if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
-                                errExit("asprintf");
-                        if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
-
-                        // if no homedir in overlay -- create another overlay for /home
-                        if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
-
-                                // no need to check arg_overlay_reuse
-                                if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
-                                        errExit("asprintf");
-                                // the new directory will be owned by root
-                                if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
-                                        perror("mkdir");
-                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
-                                        exit(1);
-                                }
-                                ASSERT_PERMS(hdiff, 0, 0, 0755);
-
-                                // no need to check arg_overlay_reuse
-                                if (asprintf(&hwork, "%s/hwork", basedir) == -1)
-                                        errExit("asprintf");
-                                // the new directory will be owned by root
-                                if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
-                                        perror("mkdir");
-                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
-                                        exit(1);
-                                }
-                                ASSERT_PERMS(hwork, 0, 0, 0755);
-
-                                // no homedir in overlay so now mount another overlay for /home
-                                if (asprintf(&hroot, "%s/home", oroot) == -1)
-                                        errExit("asprintf");
-                                if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
-                                        errExit("asprintf");
-                                if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
-                                        errExit("mounting overlayfs for mounted home directory");
-
-                                printf("OverlayFS for /home configured in %s directory\n", basedir);
-                                free(hroot);
-                                free(hdiff);
-                                free(hwork);
-
-                        } // stat(overlayhome)
-                        free(overlayhome);
-                }
-                // issue #263 end code
-                //***************************
-        }
-        fmessage("OverlayFS configured in %s directory\n", basedir);
-        close(basefd);
-
-        // /dev, /run and /tmp are not covered by the overlay
-        // mount-bind dev directory
-        if (arg_debug)
-                printf("Mounting /dev\n");
-        char *dev;
-        if (asprintf(&dev, "%s/dev", oroot) == -1)
-                errExit("asprintf");
-        if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mounting /dev");
-        fs_logger("whitelist /dev");
-
-        // mount-bind run directory
-        if (arg_debug)
-                printf("Mounting /run\n");
-        char *run;
-        if (asprintf(&run, "%s/run", oroot) == -1)
-                errExit("asprintf");
-        if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mounting /run");
-        fs_logger("whitelist /run");
-
-        // mount-bind tmp directory
-        if (arg_debug)
-                printf("Mounting /tmp\n");
-        char *tmp;
-        if (asprintf(&tmp, "%s/tmp", oroot) == -1)
-                errExit("asprintf");
-        if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mounting /tmp");
-        fs_logger("whitelist /tmp");
-
-        // chroot in the new filesystem
-        __gcov_flush();
-
-        if (chroot(oroot) == -1)
-                errExit("chroot");
-
-        // mount a new proc filesystem
-        if (arg_debug)
-                printf("Mounting /proc filesystem representing the PID namespace\n");
-        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-                errExit("mounting /proc");
-
-        // update /var directory in order to support multiple sandboxes running on the same root directory
-//      if (!arg_private_dev)
-//              fs_dev_shm();
-        fs_var_lock();
-        if (!arg_keep_var_tmp)
-                fs_var_tmp();
-        if (!arg_writable_var_log)
-                fs_var_log();
-        fs_var_lib();
-        fs_var_cache();
-        fs_var_utmp();
-        fs_machineid();
-
-        // don't leak user information
-        restrict_users();
-
-        // when starting as root, firejail config is not disabled;
-        if (getuid() != 0)
-                disable_config();
-
-        // cleanup and exit
-        free(option);
-        free(odiff);
-        free(owork);
-        free(dev);
-        free(run);
-        free(tmp);
-}
-#endif
-
 // this function is called from sandbox.c before blacklist/whitelist functions
 void fs_private_tmp(void) {
         EUID_ASSERT();
@@ -1281,7 +918,6 @@ void fs_private_tmp(void) {
 
         // whitelist x11 directory
         profile_add("whitelist /tmp/.X11-unix");
-        // read-only x11 directory
         profile_add("read-only /tmp/.X11-unix");
 
         // whitelist sndio directory
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index a43b18344..694d0a379 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 590337da1..8d8530d81 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -19,7 +19,6 @@
 */
 #include "firejail.h"
 #include <sys/mount.h>
-#include <linux/limits.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 7d320e90b..8b7e94f51 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -33,7 +32,7 @@ void fs_hostname(const char *hostname) {
                 if (arg_debug)
                         printf("Creating a new /etc/hostname file\n");
 
-                create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 
                 // bind-mount the file on top of /etc/hostname
                 if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -75,7 +74,7 @@ void fs_hostname(const char *hostname) {
                 }
                 fclose(fp1);
                 // mode and owner
-                SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
                 fclose(fp2);
 
                 // bind-mount the file on top of /etc/hostname
diff --git a/src/firejail/fs_overlayfs.c b/src/firejail/fs_overlayfs.c
new file mode 100644
index 000000000..fe3761cb6
--- /dev/null
+++ b/src/firejail/fs_overlayfs.c
@@ -0,0 +1,470 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifdef HAVE_OVERLAYFS
+#include "firejail.h"
+#include "../include/gcov_wrapper.h"
+#include <sys/mount.h>
+#include <sys/wait.h>
+#include <ftw.h>
+#include <errno.h>
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
+        assert(subdirname);
+        EUID_ASSERT();
+        struct stat s;
+        char *dirname;
+
+        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+        // check if ~/.firejail already exists
+        if (lstat(dirname, &s) == 0) {
+                if (!S_ISDIR(s.st_mode)) {
+                        if (S_ISLNK(s.st_mode))
+                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+                        else
+                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
+                        exit(1);
+                }
+                if (s.st_uid != getuid()) {
+                        fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
+                        exit(1);
+                }
+        }
+        else {
+                // create ~/.firejail directory
+                create_empty_dir_as_user(dirname, 0700);
+                if (stat(dirname, &s) == -1) {
+                        fprintf(stderr, "Error: cannot create directory %s\n", dirname);
+                        exit(1);
+                }
+        }
+        free(dirname);
+
+        // check overlay directory
+        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
+                errExit("asprintf");
+        if (lstat(dirname, &s) == 0) {
+                if (!S_ISDIR(s.st_mode)) {
+                        if (S_ISLNK(s.st_mode))
+                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+                        else
+                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
+                        exit(1);
+                }
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
+                        exit(1);
+                }
+                if (allow_reuse == 0) {
+                        fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
+                        exit(1);
+                }
+        }
+
+        return dirname;
+}
+
+
+// mount overlayfs on top of / directory
+// mounting an overlay and chrooting into it:
+//
+// Old Ubuntu kernel
+// # cd ~
+// # mkdir -p overlay/root
+// # mkdir -p overlay/diff
+// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
+// # chroot /root/overlay/root
+// to shutdown, first exit the chroot and then  unmount the overlay
+// # exit
+// # umount /root/overlay/root
+//
+// Kernels 3.18+
+// # cd ~
+// # mkdir -p overlay/root
+// # mkdir -p overlay/diff
+// # mkdir -p overlay/work
+// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
+// # cat /etc/mtab | grep overlay
+// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
+// # chroot /root/overlay/root
+// to shutdown, first exit the chroot and then  unmount the overlay
+// # exit
+// # umount /root/overlay/root
+
+// to do: fix the code below
+#include <sys/utsname.h>
+void fs_overlayfs(void) {
+        struct stat s;
+
+        // check kernel version
+        struct utsname u;
+        int rv = uname(&u);
+        if (rv != 0)
+                errExit("uname");
+        int major;
+        int minor;
+        if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                exit(1);
+        }
+
+        if (arg_debug)
+                printf("Linux kernel version %d.%d\n", major, minor);
+        int oldkernel = 0;
+        if (major < 3) {
+                fprintf(stderr, "Error: minimum kernel version required 3.x\n");
+                exit(1);
+        }
+        if (major == 3 && minor < 18)
+                oldkernel = 1;
+
+        // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
+        // we disable overlayfs for now, pending fixing
+        if (major >= 4 &&minor >= 19) {
+                fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
+                exit(1);
+        }
+
+        char *oroot = RUN_OVERLAY_ROOT;
+        mkdir_attr(oroot, 0755, 0, 0);
+
+        // set base for working and diff directories
+        char *basedir = RUN_MNT_DIR;
+        int basefd = -1;
+
+        if (arg_overlay_keep) {
+                basedir = cfg.overlay_dir;
+                assert(basedir);
+                // get a file descriptor for ~/.firejail, fails if there is any symlink
+                char *firejail;
+                if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
+                        errExit("asprintf");
+                int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (fd == -1)
+                        errExit("safer_openat");
+                free(firejail);
+                // create basedir if it doesn't exist
+                // the new directory will be owned by root
+                const char *dirname = gnu_basename(basedir);
+                if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
+                        perror("mkdir");
+                        fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
+                        exit(1);
+                }
+                // open basedir
+                basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                close(fd);
+        }
+        else {
+                basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        }
+        if (basefd == -1) {
+                perror("open");
+                fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
+                exit(1);
+        }
+
+        // confirm once more base is owned by root
+        if (fstat(basefd, &s) == -1)
+                errExit("fstat");
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
+                exit(1);
+        }
+        // confirm permissions of base are 0755
+        if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
+                fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
+                exit(1);
+        }
+
+        // create diff and work directories inside base
+        // no need to check arg_overlay_reuse
+        char *odiff;
+        if (asprintf(&odiff, "%s/odiff", basedir) == -1)
+                errExit("asprintf");
+        // the new directory will be owned by root
+        if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
+                perror("mkdir");
+                fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
+                exit(1);
+        }
+        ASSERT_PERMS(odiff, 0, 0, 0755);
+
+        char *owork;
+        if (asprintf(&owork, "%s/owork", basedir) == -1)
+                errExit("asprintf");
+        // the new directory will be owned by root
+        if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
+                perror("mkdir");
+                fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
+                exit(1);
+        }
+        ASSERT_PERMS(owork, 0, 0, 0755);
+
+        // mount overlayfs
+        if (arg_debug)
+                printf("Mounting OverlayFS\n");
+        char *option;
+        if (oldkernel) { // old Ubuntu/OpenSUSE kernels
+                if (arg_overlay_keep) {
+                        fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
+                        exit(1);
+                }
+                if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
+                        errExit("asprintf");
+                if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
+                        errExit("mounting overlayfs");
+        }
+        else { // kernel 3.18 or newer
+                if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
+                        errExit("asprintf");
+                if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
+                        fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
+                        errExit("mounting overlayfs");
+                }
+
+                //***************************
+                // issue #263 start code
+                // My setup has a separate mount point for /home. When the overlay is mounted,
+                // the overlay does not contain the original /home contents.
+                // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
+                // @dshmgh, Jan 2016
+                {
+                        char *overlayhome;
+                        struct stat s;
+                        char *hroot;
+                        char *hdiff;
+                        char *hwork;
+
+                        // dons add debug
+                        if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s  odiff %s  owork %s\n",oroot,odiff,owork);
+
+                        // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
+                        // must create var for oroot/cfg.homedir
+                        if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
+                                errExit("asprintf");
+                        if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
+
+                        // if no homedir in overlay -- create another overlay for /home
+                        if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
+
+                                // no need to check arg_overlay_reuse
+                                if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
+                                        errExit("asprintf");
+                                // the new directory will be owned by root
+                                if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
+                                        perror("mkdir");
+                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
+                                        exit(1);
+                                }
+                                ASSERT_PERMS(hdiff, 0, 0, 0755);
+
+                                // no need to check arg_overlay_reuse
+                                if (asprintf(&hwork, "%s/hwork", basedir) == -1)
+                                        errExit("asprintf");
+                                // the new directory will be owned by root
+                                if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
+                                        perror("mkdir");
+                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
+                                        exit(1);
+                                }
+                                ASSERT_PERMS(hwork, 0, 0, 0755);
+
+                                // no homedir in overlay so now mount another overlay for /home
+                                if (asprintf(&hroot, "%s/home", oroot) == -1)
+                                        errExit("asprintf");
+                                if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
+                                        errExit("asprintf");
+                                if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
+                                        errExit("mounting overlayfs for mounted home directory");
+
+                                printf("OverlayFS for /home configured in %s directory\n", basedir);
+                                free(hroot);
+                                free(hdiff);
+                                free(hwork);
+
+                        } // stat(overlayhome)
+                        free(overlayhome);
+                }
+                // issue #263 end code
+                //***************************
+        }
+        fmessage("OverlayFS configured in %s directory\n", basedir);
+        close(basefd);
+
+        // /dev, /run and /tmp are not covered by the overlay
+        // mount-bind dev directory
+        if (arg_debug)
+                printf("Mounting /dev\n");
+        char *dev;
+        if (asprintf(&dev, "%s/dev", oroot) == -1)
+                errExit("asprintf");
+        if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /dev");
+        fs_logger("whitelist /dev");
+
+        // mount-bind run directory
+        if (arg_debug)
+                printf("Mounting /run\n");
+        char *run;
+        if (asprintf(&run, "%s/run", oroot) == -1)
+                errExit("asprintf");
+        if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /run");
+        fs_logger("whitelist /run");
+
+        // mount-bind tmp directory
+        if (arg_debug)
+                printf("Mounting /tmp\n");
+        char *tmp;
+        if (asprintf(&tmp, "%s/tmp", oroot) == -1)
+                errExit("asprintf");
+        if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /tmp");
+        fs_logger("whitelist /tmp");
+
+        // chroot in the new filesystem
+        __gcov_flush();
+
+        if (chroot(oroot) == -1)
+                errExit("chroot");
+
+        // mount a new proc filesystem
+        if (arg_debug)
+                printf("Mounting /proc filesystem representing the PID namespace\n");
+        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+                errExit("mounting /proc");
+
+        // update /var directory in order to support multiple sandboxes running on the same root directory
+//      if (!arg_private_dev)
+//              fs_dev_shm();
+        fs_var_lock();
+        if (!arg_keep_var_tmp)
+                fs_var_tmp();
+        if (!arg_writable_var_log)
+                fs_var_log();
+        fs_var_lib();
+        fs_var_cache();
+        fs_var_utmp();
+        fs_machineid();
+
+        // don't leak user information
+        restrict_users();
+
+        // when starting as root, firejail config is not disabled;
+        if (getuid() != 0)
+                disable_config();
+
+        // cleanup and exit
+        free(option);
+        free(odiff);
+        free(owork);
+        free(dev);
+        free(run);
+        free(tmp);
+}
+
+
+static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
+        (void) sb;
+        (void) typeflag;
+        (void) ftwbuf;
+        assert(fpath);
+
+        if (strcmp(fpath, ".") == 0)    // rmdir would fail with EINVAL
+                return 0;
+
+        if (remove(fpath)) {    // removes the link not the actual file
+                fprintf(stderr, "Error: cannot remove file: %s\n", strerror(errno));
+                exit(1);
+        }
+
+        return 0;
+}
+
+int remove_overlay_directory(void) {
+        EUID_ASSERT();
+        sleep(1);
+
+        char *path;
+        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+
+        if (access(path, F_OK) == 0) {
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // open ~/.firejail
+                        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+                        if (fd == -1) {
+                                fprintf(stderr, "Error: cannot open %s\n", path);
+                                exit(1);
+                        }
+                        struct stat s;
+                        if (fstat(fd, &s) == -1)
+                                errExit("fstat");
+                        if (!S_ISDIR(s.st_mode)) {
+                                if (S_ISLNK(s.st_mode))
+                                        fprintf(stderr, "Error: %s is a symbolic link\n", path);
+                                else
+                                        fprintf(stderr, "Error: %s is not a directory\n", path);
+                                exit(1);
+                        }
+                        if (s.st_uid != getuid()) {
+                                fprintf(stderr, "Error: %s is not owned by the current user\n", path);
+                                exit(1);
+                        }
+                        // chdir to ~/.firejail
+                        if (fchdir(fd) == -1)
+                                errExit("fchdir");
+                        close(fd);
+
+                        EUID_ROOT();
+                        // FTW_PHYS - do not follow symbolic links
+                        if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
+                                errExit("nftw");
+
+                        EUID_USER();
+                        // remove ~/.firejail
+                        if (rmdir(path) == -1)
+                                errExit("rmdir");
+
+                        __gcov_flush();
+
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+                // check if ~/.firejail was deleted
+                if (access(path, F_OK) == 0)
+                        return 1;
+        }
+        return 0;
+}
+
+#endif // HAVE_OVERLAYFS
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 718786cdc..17a7b3d23 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -54,7 +53,7 @@ void fs_tracefile(void) {
         if (arg_debug)
                 printf("Creating an empty trace log file: %s\n", arg_tracefile);
         EUID_USER();
-        int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (fd == -1) {
                 perror("open");
                 fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile);
@@ -107,7 +106,7 @@ void fs_trace(void) {
                 fmessage("Post-exec seccomp protector enabled\n");
         }
 
-        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         fclose(fp);
 
         // mount the new preload file
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 20e262d80..e19d0df96 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -129,7 +128,7 @@ void fs_var_log(void) {
                 /* coverity[toctou] */
                 FILE *fp = fopen("/var/log/wtmp", "wxe");
                 if (fp) {
-                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
                         fclose(fp);
                 }
                 fs_logger("touch /var/log/wtmp");
@@ -137,7 +136,7 @@ void fs_var_log(void) {
                 // create an empty /var/log/btmp file
                 fp = fopen("/var/log/btmp", "wxe");
                 if (fp) {
-                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
+                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
                         fclose(fp);
                 }
                 fs_logger("touch /var/log/btmp");
@@ -314,7 +313,7 @@ void fs_var_utmp(void) {
         // save new utmp file
         int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
         (void) rv;
-        SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+        SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
         fclose(fp);
 
         // mount the new utmp file
diff --git a/src/firejail/join.c b/src/firejail/join.c
index a869f6b64..0e76fd944 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -431,7 +431,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 
         // set cgroup
         if (cfg.cgroup) // not available for uid 0
-                set_cgroup(cfg.cgroup);
+                set_cgroup(cfg.cgroup, getpid());
 
         // join namespaces
         if (arg_join_network) {
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 70985ba9e..53e918dde 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -305,7 +305,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 }
                 // create destination file if necessary
                 EUID_ASSERT();
-                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE);
+                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWUSR);
                 if (fd == -1) {
                         fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
                         exit(1);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 81d148257..1ba70b0bd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -32,7 +32,8 @@
 #include <dirent.h>
 #include <pwd.h>
 #include <errno.h>
-//#include <limits.h>
+
+#include <limits.h>
 #include <sys/file.h>
 #include <sys/prctl.h>
 #include <signal.h>
@@ -1528,15 +1529,16 @@ int main(int argc, char **argv, char **envp) {
                 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
                         if (checkcfg(CFG_CGROUP)) {
                                 if (option_cgroup) {
-                                        fprintf(stderr, "Error: only a cgroup can be defined\n");
+                                        fprintf(stderr, "Error: only one cgroup can be defined\n");
                                         exit(1);
                                 }
-
-                                option_cgroup = 1;
                                 cfg.cgroup = strdup(argv[i] + 9);
                                 if (!cfg.cgroup)
                                         errExit("strdup");
-                                set_cgroup(cfg.cgroup);
+
+                                check_cgroup_file(cfg.cgroup);
+                                set_cgroup(cfg.cgroup, getpid());
+                                option_cgroup = 1;
                         }
                         else
                                 exit_err_feature("cgroup");
@@ -2154,6 +2156,10 @@ int main(int argc, char **argv, char **envp) {
                         arg_novideo = 1;
                 else if (strcmp(argv[i], "--no3d") == 0)
                         arg_no3d = 1;
+                else if (strcmp(argv[i], "--noprinters") == 0) {
+                        profile_add("blacklist /dev/lp*");
+                        profile_add("blacklist /run/cups/cups.sock");
+                }
                 else if (strcmp(argv[i], "--notv") == 0)
                         arg_notv = 1;
                 else if (strcmp(argv[i], "--nodvd") == 0)
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 304f80eee..ee437e10b 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -33,43 +33,38 @@ static MountData mdata;
 
 
 // Convert octal escape sequence to decimal value
-static int read_oct(const char *path) {
-        int dec = 0;
-        int digit, i;
-        // there are always exactly three octal digits
-        for (i = 1; i < 4; i++) {
-                digit = *(path + i);
-                if (digit < '0' || digit > '7') {
-                        fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
-                        exit(1);
-                }
-                dec = (dec << 3) + (digit - '0');
-        }
-        return dec;
+static unsigned read_oct(char *s) {
+        assert(s[0] == '\\');
+        s++;
+
+        int i;
+        for (i = 0; i < 3; i++)
+                assert(s[i] >= '0' && s[i] <= '7');
+
+        return ((s[0] - '0') << 6 |
+                (s[1] - '0') << 3 |
+                (s[2] - '0') << 0);
 }
 
 // Restore empty spaces in pathnames extracted from /proc/self/mountinfo
 static void unmangle_path(char *path) {
-        char *p = strchr(path, '\\');
-        if (p && read_oct(p) == ' ') {
-                *p = ' ';
-                int i = 3;
-                do {
-                        p++;
-                        if (*(p + i) == '\\' && read_oct(p + i) == ' ') {
-                                *p = ' ';
-                                i += 3;
-                        }
-                        else
-                                *p = *(p + i);
-                } while (*p);
-        }
+        char *r = strchr(path, '\\');
+        if (!r)
+                return;
+
+        char *w = r;
+        do {
+                while (*r == '\\') {
+                        *w++ = read_oct(r);
+                        r += 4;
+                }
+                *w++ = *r;
+        } while (*r++);
 }
 
 // Parse a line from /proc/self/mountinfo,
 // the function does an exit(1) if anything goes wrong.
 static void parse_line(char *line, MountData *output) {
-        assert(line && output);
         memset(output, 0, sizeof(*output));
         // extract mount id, filesystem name, directory and filesystem types
         // examples:
@@ -87,8 +82,6 @@ static void parse_line(char *line, MountData *output) {
         char *ptr = strtok(line, " ");
         if (!ptr)
                 goto errexit;
-        if (ptr != line)
-                goto errexit;
         output->mountid = atoi(ptr);
         int cnt = 1;
 
@@ -109,10 +102,9 @@ static void parse_line(char *line, MountData *output) {
         ptr = strtok(NULL, " ");
         if (!ptr)
                 goto errexit;
-        output->fstype = ptr++;
+        output->fstype = ptr;
 
-
-        if (output->mountid == 0 ||
+        if (output->mountid < 0 ||
             output->fsname == NULL ||
             output->dir == NULL ||
             output->fstype == NULL)
@@ -195,9 +187,9 @@ static int get_mount_id_from_fdinfo(int fd) {
         char buf[MAX_BUF];
         while (fgets(buf, MAX_BUF, fp)) {
                 if (strncmp(buf, "mnt_id:", 7) == 0) {
-                        if (sscanf(buf + 7, "%d", &rv) != 1)
-                                goto errexit;
-                        break;
+                        if (sscanf(buf + 7, "%d", &rv) == 1)
+                                break;
+                        goto errexit;
                 }
         }
 
@@ -219,62 +211,50 @@ int get_mount_id(int fd) {
 
 // Check /proc/self/mountinfo if path contains any mounts points.
 // Returns an array that can be iterated over for recursive remounting.
-char **build_mount_array(const int mount_id, const char *path) {
+char **build_mount_array(const int mountid, const char *path) {
         assert(path);
 
-        // open /proc/self/mountinfo
         FILE *fp = fopen("/proc/self/mountinfo", "re");
         if (!fp) {
                 fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
                 exit(1);
         }
 
-        // array to be returned
-        size_t cnt = 0;
+        // try to find line with mount id
+        int found = 0;
+        MountData mntp;
+        char line[MAX_BUF];
+        while (fgets(line, MAX_BUF, fp)) {
+                parse_line(line, &mntp);
+                if (mntp.mountid == mountid) {
+                        found = 1;
+                        break;
+                }
+        }
+
+        if (!found) {
+                fclose(fp);
+                return NULL;
+        }
+
+        // allocate array
         size_t size = 32;
         char **rv = malloc(size * sizeof(*rv));
         if (!rv)
                 errExit("malloc");
 
-        // read /proc/self/mountinfo
-        size_t pathlen = strlen(path);
-        char buf[MAX_BUF];
-        MountData mntp;
-        int found = 0;
+        // add directory itself
+        size_t cnt = 0;
+        rv[cnt] = strdup(path);
+        if (rv[cnt] == NULL)
+                errExit("strdup");
 
-        if (fgets(buf, MAX_BUF, fp) == NULL) {
-                fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
-                exit(1);
-        }
-        do {
-                parse_line(buf, &mntp);
-                // find mount point with mount id
-                if (!found) {
-                        if (mntp.mountid == mount_id) {
-                                // give up if mount id has been reassigned,
-                                // don't remount blacklisted path
-                                if (strncmp(mntp.dir, path, strlen(mntp.dir)) ||
-                                    strstr(mntp.fsname, "firejail.ro.dir") ||
-                                    strstr(mntp.fsname, "firejail.ro.file"))
-                                            break;
-
-                                rv[cnt] = strdup(path);
-                                if (rv[cnt] == NULL)
-                                        errExit("strdup");
-                                cnt++;
-                                found = 1;
-                                continue;
-                        }
-                        continue;
-                }
-                // from here on add all mount points below path,
-                // don't remount blacklisted paths
-                if (strncmp(mntp.dir, path, pathlen) == 0 &&
-                    mntp.dir[pathlen] == '/' &&
-                    strstr(mntp.fsname, "firejail.ro.dir") == NULL &&
-                    strstr(mntp.fsname, "firejail.ro.file") == NULL) {
-
-                        if (cnt == size) {
+        // and add all following mountpoints contained in this directory
+        size_t pathlen = strlen(path);
+        while (fgets(line, MAX_BUF, fp)) {
+                parse_line(line, &mntp);
+                if (strncmp(mntp.dir, path, pathlen) == 0 && mntp.dir[pathlen] == '/') {
+                        if (++cnt == size) {
                                 size *= 2;
                                 rv = realloc(rv, size * sizeof(*rv));
                                 if (!rv)
@@ -283,18 +263,17 @@ char **build_mount_array(const int mount_id, const char *path) {
                         rv[cnt] = strdup(mntp.dir);
                         if (rv[cnt] == NULL)
                                 errExit("strdup");
-                        cnt++;
                 }
-        } while (fgets(buf, MAX_BUF, fp));
+        }
+        fclose(fp);
 
-        if (cnt == size) {
-                size++;
+        // end of array
+        if (++cnt == size) {
+                ++size;
                 rv = realloc(rv, size * sizeof(*rv));
                 if (!rv)
                         errExit("realloc");
         }
-        rv[cnt] = NULL; // end of the array
-
-        fclose(fp);
+        rv[cnt] = NULL;
         return rv;
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5390249ea..babc3941e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -449,6 +449,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_no3d = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "noprinters") == 0) {
+                profile_add("blacklist /dev/lp*");
+                profile_add("blacklist /run/cups/cups.sock");
+                return 0;
+        }
         else if (strcmp(ptr, "noinput") == 0) {
                 arg_noinput = 1;
                 return 0;
@@ -1129,8 +1134,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // cgroup
         if (strncmp(ptr, "cgroup ", 7) == 0) {
-                if (checkcfg(CFG_CGROUP))
-                        set_cgroup(ptr + 7);
+                if (checkcfg(CFG_CGROUP)) {
+                        cfg.cgroup = strdup(ptr + 7);
+                        if (!cfg.cgroup)
+                                errExit("strdup");
+
+                        check_cgroup_file(cfg.cgroup);
+                        set_cgroup(cfg.cgroup, getpid());
+                }
                 else
                         warning_feature_disabled("cgroup");
                 return 0;
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 6f17231a4..59077dada 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -21,7 +21,6 @@
 #include "../include/firejail_user.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b776a0cc5..d66b6c573 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -204,7 +204,7 @@ static void save_umask(void) {
 }
 
 static char *create_join_file(void) {
-        int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (fd == -1)
                 errExit("open");
         if (ftruncate(fd, 1) == -1)
diff --git a/src/firejail/util.c b/src/firejail/util.c
index f0df45eb2..55dcdc246 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -20,8 +20,6 @@
 #define _XOPEN_SOURCE 500
 #include "firejail.h"
 #include "../include/gcov_wrapper.h"
-#include <ftw.h>
-#include <sys/stat.h>
 #include <sys/mount.h>
 #include <syslog.h>
 #include <errno.h>
@@ -32,9 +30,6 @@
 #include <sys/wait.h>
 #include <limits.h>
 
-#include <string.h>
-#include <ctype.h>
-
 #include <fcntl.h>
 #ifndef O_PATH
 #define O_PATH 010000000
@@ -489,13 +484,6 @@ int is_link(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
-        int called_as_root = 0;
-        if (geteuid() == 0)
-                called_as_root = 1;
-
-        if (called_as_root)
-                EUID_USER();
-
         // remove trailing '/' if any
         char *tmp = strdup(fname);
         if (!tmp)
@@ -503,12 +491,9 @@ int is_link(const char *fname) {
         trim_trailing_slash_or_dot(tmp);
 
         char c;
-        ssize_t rv = readlink(tmp, &c, 1);
+        ssize_t rv = readlink_as_user(tmp, &c, 1);
         free(tmp);
 
-        if (called_as_root)
-                EUID_ROOT();
-
         return (rv != -1);
 }
 
@@ -530,6 +515,24 @@ char *realpath_as_user(const char *fname) {
         return rv;
 }
 
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz) {
+        assert(fname && buf && sz);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        ssize_t rv = readlink(fname, buf, sz);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
 int stat_as_user(const char *fname, struct stat *s) {
         assert(fname);
 
@@ -964,12 +967,9 @@ uid_t pid_get_uid(pid_t pid) {
 }
 
 
-
-
-uid_t get_group_id(const char *group) {
-        // find tty group id
+gid_t get_group_id(const char *groupname) {
         gid_t gid = 0;
-        struct group *g = getgrnam(group);
+        struct group *g = getgrnam(groupname);
         if (g)
                 gid = g->gr_gid;
 
@@ -977,86 +977,6 @@ uid_t get_group_id(const char *group) {
 }
 
 
-static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
-        (void) sb;
-        (void) typeflag;
-        (void) ftwbuf;
-        assert(fpath);
-
-        if (strcmp(fpath, ".") == 0)
-                return 0;
-
-        if (remove(fpath)) {    // removes the link not the actual file
-                perror("remove");
-                fprintf(stderr, "Error: cannot remove file from user .firejail directory: %s\n", fpath);
-                exit(1);
-        }
-
-        return 0;
-}
-
-
-int remove_overlay_directory(void) {
-        EUID_ASSERT();
-        sleep(1);
-
-        char *path;
-        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
-                errExit("asprintf");
-
-        if (access(path, F_OK) == 0) {
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // open ~/.firejail
-                        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-                        if (fd == -1) {
-                                fprintf(stderr, "Error: cannot open %s\n", path);
-                                exit(1);
-                        }
-                        struct stat s;
-                        if (fstat(fd, &s) == -1)
-                                errExit("fstat");
-                        if (!S_ISDIR(s.st_mode)) {
-                                if (S_ISLNK(s.st_mode))
-                                        fprintf(stderr, "Error: %s is a symbolic link\n", path);
-                                else
-                                        fprintf(stderr, "Error: %s is not a directory\n", path);
-                                exit(1);
-                        }
-                        if (s.st_uid != getuid()) {
-                                fprintf(stderr, "Error: %s is not owned by the current user\n", path);
-                                exit(1);
-                        }
-                        // chdir to ~/.firejail
-                        if (fchdir(fd) == -1)
-                                errExit("fchdir");
-                        close(fd);
-
-                        EUID_ROOT();
-                        // FTW_PHYS - do not follow symbolic links
-                        if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
-                                errExit("nftw");
-
-                        EUID_USER();
-                        // remove ~/.firejail
-                        if (rmdir(path) == -1)
-                                errExit("rmdir");
-
-                        __gcov_flush();
-
-                        _exit(0);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
-                // check if ~/.firejail was deleted
-                if (access(path, F_OK) == 0)
-                        return 1;
-        }
-        return 0;
-}
-
 // flush stdin if it is connected to a tty and has input
 void flush_stdin(void) {
         if (!isatty(STDIN_FILENO))
@@ -1085,31 +1005,33 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
         assert(dir);
         mode &= 07777;
 
-        if (access(dir, F_OK) != 0) {
+        if (access(dir, F_OK) == 0)
+                return 0;
+
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
                 if (arg_debug)
                         printf("Creating empty %s directory\n", dir);
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-
-                        if (mkdir(dir, mode) == 0) {
-                                int err = chmod(dir, mode);
-                                (void) err;
-                        }
-                        else if (arg_debug)
-                                printf("Directory %s not created: %s\n", dir, strerror(errno));
+                if (mkdir(dir, mode) == 0) {
+                        int err = chmod(dir, mode);
+                        (void) err;
+                }
+                else if (arg_debug)
+                        printf("Directory %s not created: %s\n", dir, strerror(errno));
 
-                        __gcov_flush();
+                __gcov_flush();
 
-                        _exit(0);
-                }
-                waitpid(child, NULL, 0);
-                if (access(dir, F_OK) == 0)
-                        return 1;
+                _exit(0);
         }
+        waitpid(child, NULL, 0);
+
+        if (access(dir, F_OK) == 0)
+                        return 1;
         return 0;
 }
 
@@ -1499,7 +1421,7 @@ static int has_link(const char *dir) {
 void check_homedir(const char *dir) {
         assert(dir);
         if (dir[0] != '/') {
-                fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
+                fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir);
                 exit(1);
         }
         // symlinks are rejected in many places
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index d88512b0a..319902ff7 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -18,12 +18,12 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #define _GNU_SOURCE
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <dlfcn.h>
 #include <sys/types.h>
-#include <limits.h>
 #include <unistd.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -706,10 +706,14 @@ __attribute__((constructor))
 static void log_exec(int argc, char** argv) {
         (void) argc;
         (void) argv;
-        static char buf[PATH_MAX + 1];
-        int rv = readlink("/proc/self/exe", buf, PATH_MAX);
-        if (rv != -1) {
-                buf[rv] = '\0'; // readlink does not add a '\0' at the end
+        char *buf = realpath("/proc/self/exe", NULL);
+        if (buf == NULL) {
+                if (errno == ENOMEM) {
+                        tprintf(ftty, "realpath: %s\n", strerror(errno));
+                        exit(1);
+                }
+        } else {
                 tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
+                free(buf);
         }
 }
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2883ab257..e724e4bb9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -290,8 +290,8 @@ $ firejail \-\-caps.print=3272
 Print content of file from sandbox container, see FILE TRANSFER section for more details.
 #endif
 .TP
-\fB\-\-cgroup=tasks-file
-Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file.
+\fB\-\-cgroup=file
+Place the sandbox in the specified control group. file is the full path of a tasks or cgroup.procs file.
 .br
 
 .br
@@ -310,6 +310,11 @@ regular user, nonewprivs and a default capabilities filter are enabled.
 Example:
 .br
 $ firejail \-\-chroot=/media/ubuntu warzone2100
+.br
+
+.br
+For automatic mounting of X11 and PulseAudio sockets set environment variables
+FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE.
 #endif
 .TP
 \fB\-\-cpu=cpu-number,cpu-number,cpu-number
@@ -2192,6 +2197,11 @@ More information about groups can be found in /usr/share/doc/firejail/syscalls.t
 .br
 
 .br
+The default list can be customized, see \-\-seccomp= for a description.
+It can be customized also globally in /etc/firejail/firejail.config file.
+.br
+
+.br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
@@ -2206,11 +2216,7 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
-.br
 
-.br
-The default list can be customized, see \-\-seccomp= for a description. It can be customized
-also globally in /etc/firejail/firejail.config file.
 
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2