42 files changed, 623 insertions, 255 deletions

diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 83a2b0592..cf57d96d5 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -23,7 +23,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 
-%.o : %.c $(H_FILE_LIST)
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
         $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
 firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 1c4ac8d37..d623c5fd3 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -240,6 +240,7 @@ int caps_check_list(const char *clist, void (*callback)(int)) {
 }
 
 void caps_print(void) {
+        EUID_ASSERT();
         int i;
         int elems = sizeof(capslist) / sizeof(capslist[0]);
         
@@ -364,6 +365,8 @@ void caps_keep_list(const char *clist) {
 
 #define MAXBUF 4098
 static uint64_t extract_caps(int pid) {
+        EUID_ASSERT();
+        
         char *file;
         if (asprintf(&file, "/proc/%d/status", pid) == -1) {
                 errExit("asprintf");
@@ -396,6 +399,7 @@ static uint64_t extract_caps(int pid) {
 
 
 void caps_print_filter_name(const char *name) {
+        EUID_ASSERT();
         if (!name || strlen(name) == 0) {
                 fprintf(stderr, "Error: invalid sandbox name\n");
                 exit(1);
@@ -410,6 +414,8 @@ void caps_print_filter_name(const char *name) {
 }
 
 void caps_print_filter(pid_t pid) {
+        EUID_ASSERT();
+        
         // if the pid is that of a firejail  process, use the pid of the first child process
         char *comm = pid_proc_comm(pid);
         if (comm) {
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index 040a1f934..ebd87f0d2 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -71,6 +71,8 @@ errout:
 
 
 void set_cgroup(const char *path) {
+        EUID_ASSERT();
+        
         invalid_filename(path);
         
         // path starts with /sys/fs/cgroup
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index bfad1dc25..23906ae48 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -40,6 +40,8 @@ static void set_cpu(const char *str) {
 }
 
 void read_cpu_list(const char *str) {
+        EUID_ASSERT();
+        
         char *tmp = strdup(str);
         if (tmp == NULL)
                 errExit("strdup");
diff --git a/src/firejail/env.c b/src/firejail/env.c
index cccab966d..54a6b0036 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -86,7 +86,9 @@ void env_ibus_load(void) {
                                 *ptr = '\0';
                         if (arg_debug)
                                 printf("%s\n", buf);
+                        EUID_USER();
                         env_store(buf);
+                        EUID_ROOT();
                 }
 
                 fclose(fp);
@@ -125,6 +127,7 @@ void env_defaults(void) {
 
 // parse and store the environment setting 
 void env_store(const char *str) {
+        EUID_ASSERT();
         assert(str);
         
         // some basic checking
diff --git a/src/firejail/errno.c b/src/firejail/errno.c
index 6c8bd3876..c493dfa09 100644
--- a/src/firejail/errno.c
+++ b/src/firejail/errno.c
@@ -172,7 +172,7 @@ static ErrnoEntry errnolist[] = {
 };
 
 int errno_highest_nr(void) {
-        int i, max = 0;
+        int i, max = 0;
         int elems = sizeof(errnolist) / sizeof(errnolist[0]);
         for (i = 0; i < elems; i++) {
                 if (errnolist[i].nr > max)
@@ -183,6 +183,8 @@ int errno_highest_nr(void) {
 }
 
 int errno_find_name(const char *name) {
+        EUID_ASSERT();
+        
         int i;
         int elems = sizeof(errnolist) / sizeof(errnolist[0]);
         for (i = 0; i < elems; i++) {
@@ -205,6 +207,8 @@ char *errno_find_nr(int nr) {
 }
 
 void errno_print(void) {
+        EUID_ASSERT();
+        
         int i;
         int elems = sizeof(errnolist) / sizeof(errnolist[0]);
         for (i = 0; i < elems; i++) {
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2662cc1d7..4babc58e7 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -20,10 +20,15 @@
 #ifndef FIREJAIL_H
 #define FIREJAIL_H
 #include "../include/common.h"
+#include "../include/euid_common.h"
+
 
 // filesystem
 #define RUN_FIREJAIL_BASEDIR    "/run"
 #define RUN_FIREJAIL_DIR        "/run/firejail"
+#define RUN_FIREJAIL_NAME_DIR   "/run/firejail/name"
+#define RUN_FIREJAIL_NETWORK_DIR        "/run/firejail/network"
+#define RUN_FIREJAIL_BANDWIDTH_DIR      "/run/firejail/bandwidth"
 #define RUN_NETWORK_LOCK_FILE   "/run/firejail/firejail.lock"
 #define RUN_RO_DIR      "/run/firejail/firejail.ro.dir"
 #define RUN_RO_FILE     "/run/firejail/firejail.ro.file"
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c3e9890b4..92cf4c1bc 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -73,6 +73,12 @@ void fs_build_firejail_dir(void) {
                 if (chmod(RUN_FIREJAIL_BASEDIR, 0755) < 0)
                         errExit("chmod");
         }
+        else { // check /tmp/firejail directory belongs to root end exit if doesn't!
+                if (s.st_uid != 0 || s.st_gid != 0) {
+                        fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR);
+                        exit(1);
+                }
+        }
 
         if (stat(RUN_FIREJAIL_DIR, &s)) {
                 if (arg_debug)
@@ -86,11 +92,39 @@ void fs_build_firejail_dir(void) {
                 if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
                         errExit("chmod");
         }
-        else { // check /tmp/firejail directory belongs to root end exit if doesn't!
-                if (s.st_uid != 0 || s.st_gid != 0) {
-                        fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR);
-                        exit(1);
-                }
+        
+        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) {
+                if (arg_debug)
+                        printf("Creating %s directory\n", RUN_FIREJAIL_NETWORK_DIR);
+                
+                if (mkdir(RUN_FIREJAIL_NETWORK_DIR, 0755) == -1)
+                        errExit("mkdir");
+                if (chown(RUN_FIREJAIL_NETWORK_DIR, 0, 0) < 0)
+                        errExit("chown");
+                if (chmod(RUN_FIREJAIL_NETWORK_DIR, 0755) < 0)
+                        errExit("chmod");
+        }
+        
+        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) {
+                if (arg_debug)
+                        printf("Creating %s directory\n", RUN_FIREJAIL_BANDWIDTH_DIR);
+                if (mkdir(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) == -1)
+                        errExit("mkdir");
+                if (chown(RUN_FIREJAIL_BANDWIDTH_DIR, 0, 0) < 0)
+                        errExit("chown");
+                if (chmod(RUN_FIREJAIL_BANDWIDTH_DIR, 0755) < 0)
+                        errExit("chmod");
+        }
+                
+        if (stat(RUN_FIREJAIL_NAME_DIR, &s)) {
+                if (arg_debug)
+                        printf("Creating %s directory\n", RUN_FIREJAIL_NAME_DIR);
+                if (mkdir(RUN_FIREJAIL_NAME_DIR, 0755) == -1)
+                        errExit("mkdir");
+                if (chown(RUN_FIREJAIL_NAME_DIR, 0, 0) < 0)
+                        errExit("chown");
+                if (chmod(RUN_FIREJAIL_NAME_DIR, 0755) < 0)
+                        errExit("chmod");
         }
         
         create_empty_dir();
@@ -853,6 +887,7 @@ void fs_overlayfs(void) {
 #ifdef HAVE_CHROOT              
 // return 1 if error
 int fs_check_chroot_dir(const char *rootdir) {
+        EUID_ASSERT();
         assert(rootdir);
         struct stat s;
         char *name;
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index af67ac290..447ef7f8f 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -64,6 +64,7 @@ static char *check_dir_or_file(const char *name) {
 }
 
 void fs_check_bin_list(void) {
+        EUID_ASSERT();
         if (strstr(cfg.bin_private_keep, "..")) {
                 fprintf(stderr, "Error: invalid private bin list\n");
                 exit(1);
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index c3a247331..5a8bf6904 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -57,6 +57,7 @@ static int check_dir_or_file(const char *name) {
 }
 
 void fs_check_etc_list(void) {
+        EUID_ASSERT();
         if (strstr(cfg.etc_private_keep, "..")) {
                 fprintf(stderr, "Error: invalid private etc list\n");
                 exit(1);
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 2bfabbe89..2b6142c6c 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -338,6 +338,7 @@ void fs_private(void) {
 
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void) {
+        EUID_ASSERT();
         invalid_filename(cfg.home_private);
         
         // Expand the home directory
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index 0829ad7ac..f803982d7 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -122,6 +122,8 @@ void fs_logger_change_owner(void) {
 }
 
 void fs_logger_print_log_name(const char *name) {
+        EUID_ASSERT();
+        
         if (!name || strlen(name) == 0) {
                 fprintf(stderr, "Error: invalid sandbox name\n");
                 exit(1);
@@ -136,6 +138,8 @@ void fs_logger_print_log_name(const char *name) {
 }
 
 void fs_logger_print_log(pid_t pid) {
+        EUID_ASSERT();
+
         // if the pid is that of a firejail  process, use the pid of the first child process
         char *comm = pid_proc_comm(pid);
         if (comm) {
@@ -163,6 +167,7 @@ void fs_logger_print_log(pid_t pid) {
         }
 
         // print RUN_FSLOGGER_FILE
+        EUID_ROOT();
         char *fname;
         if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_FSLOGGER_FILE) == -1)
                 errExit("asprintf");
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 69bf2fae7..398c534bf 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -25,6 +25,8 @@
  #include <sys/wait.h>
  
 void fs_mkdir(const char *name) {
+        EUID_ASSERT();
+        
         // check directory name
         invalid_filename(name);
         char *expanded = expand_home(name, cfg.homedir);
@@ -39,31 +41,9 @@ void fs_mkdir(const char *name) {
                 goto doexit;
         }
 
-        // fork a process, drop privileges, and create the directory
-        // no error recovery will be attempted
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                if (arg_debug)
-                        printf("Create %s directory\n", expanded);
-                
-                // drop privileges
-                if (setgroups(0, NULL) < 0)
-                        errExit("setgroups");
-                if (setgid(getgid()) < 0)
-                        errExit("setgid/getgid");
-                if (setuid(getuid()) < 0)
-                        errExit("setuid/getuid");
-                
-                // create directory
-                if (mkdir(expanded, 0700) == -1)
-                        fprintf(stderr, "Warning: cannot create %s directory\n", expanded);
-                exit(0);
-        }
-        
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
+        // create directory
+        if (mkdir(expanded, 0700) == -1)
+                fprintf(stderr, "Warning: cannot create %s directory\n", expanded);
 
 doexit:
         free(expanded);
diff --git a/src/firejail/join.c b/src/firejail/join.c
index b05e25387..4cd315d90 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -30,6 +30,7 @@ static int apply_seccomp = 0;
 #define BUFLEN 4096
 
 static void extract_command(int argc, char **argv, int index) {
+        EUID_ASSERT();
         if (index >= argc)
                 return;
 
@@ -179,20 +180,23 @@ static void extract_user_namespace(pid_t pid) {
 }
 
 void join_name(const char *name, const char *homedir, int argc, char **argv, int index) {
+        EUID_ASSERT();
         if (!name || strlen(name) == 0) {
                 fprintf(stderr, "Error: invalid sandbox name\n");
                 exit(1);
         }
+
         pid_t pid;
         if (name2pid(name, &pid)) {
                 fprintf(stderr, "Error: cannot find sandbox %s\n", name);
                 exit(1);
         }
-
         join(pid, homedir, argc, argv, index);
 }
 
 void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
+        EUID_ASSERT();
+        
         extract_command(argc, argv, index);
 
         // if the pid is that of a firejail  process, use the pid of the first child process
@@ -222,6 +226,7 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
                 }
         }
 
+        EUID_ROOT();
         // in user mode set caps seccomp, cpu, cgroup, etc
         if (getuid() != 0) {
                 extract_caps_seccomp(pid);
diff --git a/src/firejail/list.c b/src/firejail/list.c
index 7a3cf0aad..676df6a14 100644
--- a/src/firejail/list.c
+++ b/src/firejail/list.c
@@ -20,7 +20,7 @@
 #include "firejail.h"
 
 void top(void) {
-        drop_privs(1);
+        EUID_ASSERT();
         
         char *arg[4];
         arg[0] = "bash";
@@ -31,7 +31,7 @@ void top(void) {
 }
 
 void netstats(void) {
-        drop_privs(1);
+        EUID_ASSERT();
         
         char *arg[4];
         arg[0] = "bash";
@@ -42,7 +42,7 @@ void netstats(void) {
 }
 
 void list(void) {
-        drop_privs(1);
+        EUID_ASSERT();
         
         char *arg[4];
         arg[0] = "bash";
@@ -53,7 +53,7 @@ void list(void) {
 }
 
 void tree(void) {
-        drop_privs(1);
+        EUID_ASSERT();
         
         char *arg[4];
         arg[0] = "bash";
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 6fd011868..fe4027a55 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -45,6 +45,8 @@ printf("time %s:%d %u\n", __FILE__, __LINE__, (uint32_t) systick);
 }
 #endif
 
+uid_t firejail_uid = 0;
+
 #define STACK_SIZE (1024 * 1024)
 static char child_stack[STACK_SIZE];            // space for child's stack
 Config cfg;                                     // configuration
@@ -102,6 +104,9 @@ int fullargc = 0;
 static pid_t child = 0;
 pid_t sandbox_pid;
 
+static void set_name_file(uid_t pid);
+static void delete_name_file(uid_t pid);
+
 static void myexit(int rv) {
         logmsg("exiting...");
         if (!arg_command && !arg_quiet)
@@ -110,6 +115,7 @@ static void myexit(int rv) {
         // delete sandbox files in shared memory
         bandwidth_shm_del_file(sandbox_pid);            // bandwidth file
         network_shm_del_file(sandbox_pid);              // network map file
+        delete_name_file(sandbox_pid);
         
         exit(rv); 
 }
@@ -122,38 +128,6 @@ static void my_handler(int s){
         myexit(1);
 }
 
-static void extract_user_data(void) {
-        // check suid
-        if (geteuid()) {
-                fprintf(stderr, "Error: the sandbox is not setuid root\n");
-                exit(1);
-        }
-
-        struct passwd *pw = getpwuid(getuid());
-        if (!pw)
-                errExit("getpwuid");
-        cfg.username = strdup(pw->pw_name);
-        if (!cfg.username)
-                errExit("strdup");
-
-        // build home directory name
-        cfg.homedir = NULL;
-        if (pw->pw_dir != NULL) {
-                cfg.homedir = strdup(pw->pw_dir);
-                if (!cfg.homedir)
-                        errExit("strdup");
-        }
-        else {
-                fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
-                exit(1);
-        }
-        
-        cfg.cwd = getcwd(NULL, 0);
-}
-
-
-
-
 static inline Bridge *last_bridge_configured(void) {
         if (cfg.bridge3.configured)
                 return &cfg.bridge3;
@@ -167,8 +141,6 @@ static inline Bridge *last_bridge_configured(void) {
                 return NULL;
 }
 
-
-
 // return 1 if error, 0 if a valid pid was found
 static int read_pid(char *str, pid_t *pid) {
         char *endptr;
@@ -185,15 +157,43 @@ static int read_pid(char *str, pid_t *pid) {
         return 0;
 }
 
-static void init_cfg(void) {
+// init configuration
+static void init_cfg(int argc, char **argv) {
+        EUID_ASSERT();
         memset(&cfg, 0, sizeof(cfg));
-        
+
+        cfg.original_argv = argv;
+        cfg.original_argc = argc;
         cfg.bridge0.devsandbox = "eth0";
         cfg.bridge1.devsandbox = "eth1";
         cfg.bridge2.devsandbox = "eth2";
         cfg.bridge3.devsandbox = "eth3";
         
-        extract_user_data();
+        // extract user data
+        struct passwd *pw = getpwuid(getuid());
+        if (!pw)
+                errExit("getpwuid");
+        cfg.username = strdup(pw->pw_name);
+        if (!cfg.username)
+                errExit("strdup");
+
+        // build home directory name
+        cfg.homedir = NULL;
+        if (pw->pw_dir != NULL) {
+                cfg.homedir = strdup(pw->pw_dir);
+                if (!cfg.homedir)
+                        errExit("strdup");
+        }
+        else {
+                fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
+                exit(1);
+        }
+        cfg.cwd = getcwd(NULL, 0);
+
+        // initialize random number generator
+        sandbox_pid = getpid();
+        time_t t = time(NULL);
+        srand(t ^ sandbox_pid);
 }
 
 static void check_network(Bridge *br) {
@@ -211,6 +211,7 @@ static void check_network(Bridge *br) {
 
 #ifdef HAVE_USERNS
 void check_user_namespace(void) {
+        EUID_ASSERT();
         if (getuid() == 0) {
                 fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");
                 exit(1);
@@ -233,6 +234,8 @@ void check_user_namespace(void) {
 
 // exit commands
 static void run_cmd_and_exit(int i, int argc, char **argv) {
+        EUID_ASSERT();
+        
         //*************************************
         // basic arguments
         //*************************************
@@ -315,6 +318,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 
                 // extract pid or sandbox name
                 pid_t pid;
+                EUID_ROOT();
                 if (read_pid(argv[i] + 12, &pid) == 0)
                         bandwidth_pid(pid, cmd, dev, down, up);
                 else
@@ -465,6 +469,36 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 
 }
 
+static void set_name_file(uid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
+                errExit("asprintf");
+
+        // the file is deleted first
+        FILE *fp = fopen(fname, "w");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create %s\n", fname);
+                exit(1);
+        }
+        fprintf(fp, "%s\n", cfg.name);
+        fclose(fp);
+        
+        // mode and ownership
+        if (chown(fname, 0, 0) == -1)
+                errExit("chown");
+        if (chmod(fname, 0644) == -1)
+                errExit("chmod");
+        
+}
+
+static void delete_name_file(uid_t pid) {
+        char *fname;
+        if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
+                errExit("asprintf");
+        int rv = unlink(fname);
+        (void) rv;
+}
+
 //*******************************************
 // Main program
 //*******************************************
@@ -481,11 +515,15 @@ int main(int argc, char **argv) {
         int highest_errno = errno_highest_nr();
 #endif
 
+
+        // drop permissions by default and rise them when required
+        EUID_INIT();
+        EUID_USER();
+
         // check argv[0] symlink wrapper if this is not a login shell
         if (*argv[0] != '-')
                 run_symlink(argc, argv);
 
-
         // check if we already have a sandbox running
         int rv = check_kernel_procs();
         if (rv == 0) {
@@ -506,21 +544,26 @@ int main(int argc, char **argv) {
                 }
         }
 
+        // check root/suid
+        EUID_ROOT();
+        if (geteuid()) {
+                fprintf(stderr, "Error: the sandbox is not setuid root\n");
+                exit(1);
+        }
+        EUID_USER();
+
         // initialize globals
-        init_cfg();
-        cfg.original_argv = argv;
-        cfg.original_argc = argc;
+        init_cfg(argc, argv);
 
-        // initialize random number generator
-        sandbox_pid = getpid();
-        time_t t = time(NULL);
-        srand(t ^ sandbox_pid);
 
         // check firejail directories
+        EUID_ROOT();
         fs_build_firejail_dir();
+        // todo: deprecate shm functions
         shm_create_firejail_dir();      
         bandwidth_shm_del_file(sandbox_pid);
-
+        EUID_USER();
+        
         // is this a login shell?
         if (*argv[0] == '-') {
                 fullargc = restricted_shell(cfg.username);
@@ -1449,6 +1492,7 @@ int main(int argc, char **argv) {
 
         // check and assign an IP address - for macvlan it will be done again in the sandbox!
         if (any_bridge_configured()) {
+                EUID_ROOT();
                 lockfd = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
                 if (lockfd != -1) {
                         int rv = fchown(lockfd, 0, 0);
@@ -1463,6 +1507,7 @@ int main(int argc, char **argv) {
                         
                 // save network mapping in shared memory
                 network_shm_set_file(sandbox_pid);
+                EUID_USER();
         }
 
         // create the parent-child communication pipe
@@ -1480,6 +1525,13 @@ int main(int argc, char **argv) {
                 arg_noroot = 0;
         }
 
+
+        // set name file
+        EUID_ROOT();
+        if (cfg.name)
+                set_name_file(sandbox_pid);
+        EUID_USER();
+        
         // clone environment
         int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
         
@@ -1494,12 +1546,14 @@ int main(int argc, char **argv) {
         else if (arg_debug)
                 printf("Using the local network stack\n");
 
+        EUID_ROOT();
         child = clone(sandbox,
                 child_stack + STACK_SIZE,
                 flags,
                 NULL);
         if (child == -1)
                 errExit("clone");
+        EUID_USER();
 
         if (!arg_command && !arg_quiet) {
                 printf("Parent pid %u, child pid %u\n", sandbox_pid, child);
@@ -1508,7 +1562,8 @@ int main(int argc, char **argv) {
                         printf("The new log directory is /proc/%d/root/var/log\n", child);
         }
         
-        
+
+        EUID_ROOT();    
         if (!arg_nonetwork) {
                 // create veth pair or macvlan device
                 if (cfg.bridge0.configured) {
@@ -1554,6 +1609,7 @@ int main(int argc, char **argv) {
                         net_move_interface(cfg.interface3.dev, child);
                 }
         }
+        EUID_USER();
 
         // close each end of the unused pipes
         close(parent_to_child_fds[0]);
@@ -1576,7 +1632,9 @@ int main(int argc, char **argv) {
                 uid_t uid = getuid();
                 if (asprintf(&map, "%d %d 1", uid, uid) == -1)
                         errExit("asprintf");
+                EUID_ROOT();
                 update_map(map, map_path);
+                EUID_USER();
                 free(map);
                 free(map_path);
          
@@ -1586,7 +1644,9 @@ int main(int argc, char **argv) {
                 gid_t gid = getgid();
                 if (asprintf(&map, "%d %d 1", gid, gid) == -1)
                         errExit("asprintf");
+                EUID_ROOT();
                 update_map(map, map_path);
+                EUID_USER();
                 free(map);
                 free(map_path);
         }
@@ -1595,9 +1655,13 @@ int main(int argc, char **argv) {
         notify_other(parent_to_child_fds[1]);
         close(parent_to_child_fds[1]);
  
+        EUID_ROOT();
         if (lockfd != -1)
                 flock(lockfd, LOCK_UN);
 
+        // create name file under /run/firejail
+        
+
         // handle CTRL-C in parent
         signal (SIGINT, my_handler);
         signal (SIGTERM, my_handler);
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 2ed09434a..4a5499699 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -44,6 +44,7 @@ static char *client_filter =
 "COMMIT\n";
 
 void check_netfilter_file(const char *fname) {
+        EUID_ASSERT();
         invalid_filename(fname);
         
         if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) {
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index bd104343a..9ddd56dcd 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -165,6 +165,7 @@ void check_default_gw(uint32_t defaultgw) {
 }
 
 void net_check_cfg(void) {
+        EUID_ASSERT();
         int net_configured = 0;
         if (cfg.bridge0.configured)
                 net_configured++;
@@ -223,6 +224,7 @@ void net_check_cfg(void) {
 
 
 void net_dns_print_name(const char *name) {
+        EUID_ASSERT();
         if (!name || strlen(name) == 0) {
                 fprintf(stderr, "Error: invalid sandbox name\n");
                 exit(1);
@@ -238,8 +240,8 @@ void net_dns_print_name(const char *name) {
 
 #define MAXBUF 4096
 void net_dns_print(pid_t pid) {
+        EUID_ASSERT();
         // drop privileges - will not be able to read /etc/resolv.conf for --noroot option
-//      drop_privs(1);
 
         // if the pid is that of a firejail  process, use the pid of the first child process
         char *comm = pid_proc_comm(pid);
@@ -258,6 +260,7 @@ void net_dns_print(pid_t pid) {
         }
         
         char *fname;
+        EUID_ROOT();
         if (asprintf(&fname, "/proc/%d/root/etc/resolv.conf", pid) == -1)
                 errExit("asprintf");
 
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 15d61362a..9f9ace527 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -26,6 +26,8 @@
 // check process space for kernel processes
 // return 1 if found, 0 if not found
 int check_kernel_procs(void) {
+        EUID_ASSERT();
+        
         char *kern_proc[] = {
                 "kthreadd",
                 "ksoftirqd",
@@ -97,14 +99,7 @@ int check_kernel_procs(void) {
 }
 
 void run_no_sandbox(int argc, char **argv) {
-        // drop privileges
-        int rv = setgroups(0, NULL); // this could fail
-        (void) rv;
-        if (setgid(getgid()) < 0)
-                errExit("setgid/getgid");
-        if (setuid(getuid()) < 0)
-                errExit("setuid/getuid");
-
+        EUID_ASSERT();
 
         // build command
         char *command = NULL;
@@ -141,7 +136,7 @@ void run_no_sandbox(int argc, char **argv) {
         // start the program in /bin/sh
         fprintf(stderr, "Warning: an existing sandbox was detected. "
                 "%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
-        rv = system(command);
+        int rv = system(command);
         (void) rv;
         if (allocated)
                 free(command);
diff --git a/src/firejail/output.c b/src/firejail/output.c
index d553e283f..a554b76aa 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -23,6 +23,8 @@
 #include <unistd.h>
 
 void check_output(int argc, char **argv) {
+        EUID_ASSERT();
+        
         int i;
         char *outfile = NULL;
 //      drop_privs(0);
@@ -55,8 +57,6 @@ void check_output(int argc, char **argv) {
                                 }
                         }
 
-                        // drop privileges and try to open the file for writing
-                        drop_privs(0);
                         /* coverity[toctou] */
                         FILE *fp = fopen(outfile, "a");
                         if (!fp) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 0c28eefd8..112454396 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -25,6 +25,7 @@
 
 // find and read the profile specified by name from dir directory
 int profile_find(const char *name, const char *dir) {
+        EUID_ASSERT();
         assert(name);
         assert(dir);
         
@@ -66,6 +67,8 @@ int profile_find(const char *name, const char *dir) {
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
 int profile_check_line(char *ptr, int lineno, const char *fname) {
+        EUID_ASSERT();
+        
         // check ignore list
         int i;
         for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
@@ -458,6 +461,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 // add a profile entry in cfg.profile list; use str to populate the list
 void profile_add(char *str) {
+        EUID_ASSERT();
+        
         ProfileEntry *prf = malloc(sizeof(ProfileEntry));
         if (!prf)
                 errExit("malloc");
@@ -479,6 +484,8 @@ void profile_add(char *str) {
 // read a profile file
 static int include_level = 0;
 void profile_read(const char *fname) {
+        EUID_ASSERT();
+        
         // exit program if maximum include level was reached
         if (include_level > MAX_INCLUDE_LEVEL) {
                 fprintf(stderr, "Error: maximum profile include level was reached\n");
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 407f8c62d..24fbfc024 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -101,6 +101,8 @@ static struct sock_filter *find_protocol_domain(const char *p) {
 
 // --debug-protocols
 void protocol_list(void) {
+        EUID_ASSERT();
+        
 #ifndef SYS_socket
         fprintf(stderr, "Warning: --protocol not supported on this platform\n");
         return;
@@ -117,6 +119,7 @@ void protocol_list(void) {
 
 // check protocol list and store it in cfg structure
 void protocol_store(const char *prlist) {
+        EUID_ASSERT();
         assert(prlist);
         
         if (cfg.protocol) {
@@ -308,6 +311,8 @@ void protocol_filter_load(const char *fname) {
 
 // --protocol.print
 void protocol_print_filter_name(const char *name) {
+        EUID_ASSERT();
+        
         (void) name;
 #ifdef SYS_socket
         if (!name || strlen(name) == 0) {
@@ -329,6 +334,8 @@ void protocol_print_filter_name(const char *name) {
 
 // --protocol.print
 void protocol_print_filter(pid_t pid) {
+        EUID_ASSERT();
+        
         (void) pid;
 #ifdef SYS_socket
         // if the pid is that of a firejail  process, use the pid of the first child process
@@ -358,6 +365,7 @@ void protocol_print_filter(pid_t pid) {
         }
 
         // find the seccomp filter
+        EUID_ROOT();
         char *fname;
         if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_PROTOCOL_CFG) == -1)
                 errExit("asprintf");
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index 95e543031..da4e9d332 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -24,6 +24,7 @@ char *restricted_user = NULL;
 
 
 int restricted_shell(const char *user) {
+        EUID_ASSERT();
         assert(user);
 
         // open profile file:
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index bc1bb3011..d57816e12 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -23,6 +23,8 @@
 #include <unistd.h>
 
 void run_symlink(int argc, char **argv) {
+        EUID_ASSERT();
+        
         char *program = strrchr(argv[0], '/');
         if (program)
                 program += 1;
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 57f483b1c..f9a9df211 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -800,6 +800,7 @@ void seccomp_set(void) {
 }
 
 void seccomp_print_filter_name(const char *name) {
+        EUID_ASSERT();
         if (!name || strlen(name) == 0) {
                 fprintf(stderr, "Error: invalid sandbox name\n");
                 exit(1);
@@ -814,6 +815,8 @@ void seccomp_print_filter_name(const char *name) {
 }
 
 void seccomp_print_filter(pid_t pid) {
+        EUID_ASSERT();
+        
         // if the pid is that of a firejail  process, use the pid of the first child process
         char *comm = pid_proc_comm(pid);
         if (comm) {
@@ -842,6 +845,7 @@ void seccomp_print_filter(pid_t pid) {
 
 
         // find the seccomp filter
+        EUID_ROOT();
         char *fname;
         if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_CFG) == -1)
                 errExit("asprintf");
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index edaac7eb9..c88683aaa 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -24,6 +24,7 @@
 #include <sys/prctl.h>
 
 void shut_name(const char *name) {
+        EUID_ASSERT();
         if (!name || strlen(name) == 0) {
                 fprintf(stderr, "Error: invalid sandbox name\n");
                 exit(1);
@@ -39,6 +40,8 @@ void shut_name(const char *name) {
 }
 
 void shut(pid_t pid) {
+        EUID_ASSERT();
+        
         pid_t parent = pid;
         // if the pid is that of a firejail  process, use the pid of a child process inside the sandbox
         char *comm = pid_proc_comm(pid);
@@ -73,6 +76,7 @@ void shut(pid_t pid) {
                 }
         }
         
+        EUID_ROOT();
         printf("Sending SIGTERM to %u\n", pid);
         kill(pid, SIGTERM);
         sleep(2);
diff --git a/src/firejail/syscall.c b/src/firejail/syscall.c
index 50d59391e..985cc8bb8 100644
--- a/src/firejail/syscall.c
+++ b/src/firejail/syscall.c
@@ -103,6 +103,8 @@ int syscall_check_list(const char *slist, void (*callback)(int syscall, int arg)
 }
 
 void syscall_print(void) {
+        EUID_ASSERT();
+        
         int i;
         int elems = sizeof(syslist) / sizeof(syslist[0]);
         for (i = 0; i < elems; i++) {
diff --git a/src/firejail/user.c b/src/firejail/user.c
index e5f7848e8..a2f34392c 100644
--- a/src/firejail/user.c
+++ b/src/firejail/user.c
@@ -26,6 +26,7 @@
 
 
 void check_user(int argc, char **argv) {
+        EUID_ASSERT();
         int i;
         char *user = NULL;
 
diff --git a/src/firejail/util.c b/src/firejail/util.c
index d969f6439..3463095f9 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -258,6 +258,7 @@ int is_link(const char *fname) {
 
 // remove multiple spaces and return allocated memory
 char *line_remove_spaces(const char *buf) {
+        EUID_ASSERT();
         assert(buf);
         if (strlen(buf) == 0)
                 return NULL;
@@ -307,6 +308,7 @@ char *line_remove_spaces(const char *buf) {
 
 
 char *split_comma(char *str) {
+        EUID_ASSERT();
         if (str == NULL || *str == '\0')
                 return NULL;
         char *ptr = strchr(str, ',');
@@ -321,6 +323,8 @@ char *split_comma(char *str) {
 
 
 int not_unsigned(const char *str) {
+        EUID_ASSERT();
+        
         int rv = 0;
         const char *ptr = str;
         while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') {
@@ -338,6 +342,7 @@ int not_unsigned(const char *str) {
 #define BUFLEN 4096
 // find the first child for this parent; return 1 if error
 int find_child(pid_t parent, pid_t *child) {
+        EUID_ASSERT();
         *child = 0;                               // use it to flag a found child
 
         DIR *dir;
@@ -399,6 +404,7 @@ int find_child(pid_t parent, pid_t *child) {
 
 
 void extract_command_name(int index, char **argv) {
+        EUID_ASSERT();
         assert(argv);
         assert(argv[index]);
 
@@ -527,8 +533,7 @@ void notify_other(int fd) {
 // directory (supplied).
 // The return value is allocated using malloc and must be freed by the caller.
 // The function returns NULL if there are any errors.
-char *expand_home(const char *path, const char* homedir)
-{
+char *expand_home(const char *path, const char* homedir) {
         assert(path);
         assert(homedir);
         
@@ -551,8 +556,7 @@ char *expand_home(const char *path, const char* homedir)
 // Equivalent to the GNU version of basename, which is incompatible with
 // the POSIX basename. A few lines of code saves any portability pain.
 // https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
-const char *gnu_basename(const char *path)
-{
+const char *gnu_basename(const char *path) {
         const char *last_slash = strrchr(path, '/');
         if (!last_slash)
                 return path;
@@ -560,6 +564,7 @@ const char *gnu_basename(const char *path)
 }
 
 uid_t pid_get_uid(pid_t pid) {
+        EUID_ASSERT();
         uid_t rv = 0;
         
         // open status file
@@ -603,6 +608,7 @@ uid_t pid_get_uid(pid_t pid) {
 }
 
 void invalid_filename(const char *fname) {
+        EUID_ASSERT();
         assert(fname);
         const char *ptr = fname;
         
diff --git a/src/include/euid_common.h b/src/include/euid_common.h
new file mode 100644
index 000000000..f07cf2868
--- /dev/null
+++ b/src/include/euid_common.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifndef EUID_COMMON_H
+#define EUID_COMMON_H
+#include <stdio.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <assert.h>
+
+#define EUID_ASSERT() { \
+        if (getuid() != 0) \
+                assert(geteuid() != 0); \
+}
+
+extern uid_t firejail_uid;
+
+
+
+static inline void EUID_ROOT(void) {
+        if (seteuid(0) == -1)
+                fprintf(stderr, "Error: cannot switch euid to root\n");
+}
+
+static inline void EUID_USER(void) {
+        if (seteuid(firejail_uid) == -1)
+                fprintf(stderr, "Error: cannot switch euid to user\n");
+}
+
+static inline void EUID_PRINT(void) {
+        printf("debug: uid %d, euid %d\n", getuid(), geteuid());
+}
+
+static inline void EUID_INIT(void) {
+        firejail_uid = getuid();
+}
+
+#endif
diff --git a/src/lib/common.c b/src/lib/common.c
index d23cd589e..f321c5a47 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -58,6 +58,7 @@ int join_namespace(pid_t pid, char *type) {
 }
 
 // return 1 if error
+// this function requires root access - todo: fix it!
 int name2pid(const char *name, pid_t *pid) {
         pid_t parent = getpid();
         
@@ -94,53 +95,34 @@ int name2pid(const char *name, pid_t *pid) {
                         free(comm);
                 }
                 
-                char *cmd = pid_proc_cmdline(newpid);
-                if (cmd) {
-                        // mark the end of the name
-                        char *ptr = strstr(cmd, "--name=");
-                        char *start = ptr;
-                        if (!ptr) {
-                                free(cmd);
-                                
-                                // extract name for /run/mnt/firejail/fslogger file
-                                char *fname;
-                                if (asprintf(&fname, "/proc/%d/root/run/firejail/mnt/fslogger", newpid) == -1)
-                                        errExit("asprintf");
-
-                                struct stat s;
-                                if (stat(fname, &s) == 0) {
-                                        FILE *fp = fopen(fname, "r");
-                                        if (fp) {
-                                                char buf[BUFLEN];
-                                                if (fgets(buf, BUFLEN, fp)) {
-                                                        if (strncmp(buf, "sandbox name: ", 14) == 0) {
-                                                                char *ptr2 = buf + 14;
-                                                                if (strncmp(name, ptr2, strlen(name)) == 0) {
-                                                                        fclose(fp);
-                                                                        *pid = newpid;
-                                                                        closedir(dir);
-                                                                        return 0;
-                                                                }
-                                                        }
-                                                }
+                // look for the sandbox name in /run/firejail/name/<PID>
+                // todo: use RUN_FIREJAIL_NAME_DIR define from src/firejail/firejail.h
+                char *fname;
+                if (asprintf(&fname, "/run/firejail/name/%d", newpid) == -1)
+                        errExit("asprintf");
+                FILE *fp = fopen(fname, "r");
+                if (fp) {
+                        char buf[BUFLEN];
+                        if (fgets(buf, BUFLEN, fp)) {
+                                // remove \n
+                                char *ptr = strchr(buf, '\n');
+                                if (ptr) {
+                                        *ptr = '\0';
+                                        if (strcmp(buf, name) == 0) {
+                                                // we found it!
                                                 fclose(fp);
+                                                free(fname);
+                                                *pid = newpid;
+                                                closedir(dir);
+                                                return 0;
                                         }
-                                }       
-                                
-                                continue;
+                                }
+                                else
+                                        fprintf(stderr, "Error: invalid %s\n", fname);
                         }
-                        while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
-                                ptr++;
-                        *ptr = '\0';
-                        int rv = strcmp(start + 7, name);
-                        if (rv == 0) {
-                                free(cmd);
-                                *pid = newpid;
-                                closedir(dir);
-                                return 0;
-                        }
-                        free(cmd);
+                        fclose(fp);
                 }
+                free(fname);
         }
         closedir(dir);
         return 1;
diff --git a/test/env.exp b/test/env.exp
index d2edb0477..d7aee3c64 100755
--- a/test/env.exp
+++ b/test/env.exp
@@ -12,17 +12,17 @@ expect {
 }
 sleep 1
 
-send -- "env | grep ENV\r"
+send -- "env | grep ENV1\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
         "ENV1"
 }
-send -- "env | grep ENV\r"
+send -- "env | grep ENV2\r"
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
         "ENV2"
 }
-send -- "env | grep ENV\r"
+send -- "env | grep ENV3\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "ENV3"
@@ -52,4 +52,4 @@ expect {
         "Werror"
 }
 
-puts "\n"
+puts "\nall done\n"
diff --git a/test/features/3.11.exp b/test/features/3.11.exp
new file mode 100755
index 000000000..3a5e38257
--- /dev/null
+++ b/test/features/3.11.exp
@@ -0,0 +1,171 @@
+#!/usr/bin/expect -f
+#
+# mkdir
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+send -- "rm -fr ~/firejail-xy76_u9\r"
+sleep 1
+
+send -- "firejail --profile=3.11.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l ~ | grep firejail-xy76_u9\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "drwx------"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "netblue netblue" { puts "Debian\n"}
+        "netblue users" { puts "Arch\n"}
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "firejail-xy76_u9"
+}
+after 100
+
+send -- "ls -l ~/firejail-xy76_u9\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "drwx------"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "netblue netblue" { puts "Debian\n"}
+        "netblue users" { puts "Arch\n"}
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "testdir"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+send -- "rm -fr ~/firejail-xy76_u9\r"
+sleep 1
+
+#
+# O
+#
+if { $overlay == "overlay" } {
+        send -- "rm -fr ~/firejail-xy76_u9\r"
+        sleep 1
+        
+        send -- "firejail --profile=3.11.profile\r"
+        expect {
+                timeout {puts "TESTING ERROR 10\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -l ~ | grep firejail-xy76_u9\r"
+        expect {
+                timeout {puts "TESTING ERROR 11\n";exit}
+                "drwx------"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 12\n";exit}
+                "netblue netblue" { puts "Debian\n"}
+                "netblue users" { puts "Arch\n"}
+        }
+        expect {
+                timeout {puts "TESTING ERROR 13\n";exit}
+                "firejail-xy76_u9"
+        }
+        after 100
+        
+        send -- "ls -l ~/firejail-xy76_u9\r"
+        expect {
+                timeout {puts "TESTING ERROR 14\n";exit}
+                "drwx------"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 15\n";exit}
+                "netblue netblue" { puts "Debian\n"}
+                "netblue users" { puts "Arch\n"}
+        }
+        expect {
+                timeout {puts "TESTING ERROR 16\n";exit}
+                "testdir"
+        }
+        after 100
+        
+        send -- "exit\r"
+        sleep 1
+        send -- "rm -fr ~/firejail-xy76_u9\r"
+        sleep 1
+
+
+}
+
+#
+# C
+#
+if { $chroot == "chroot" } {
+        send -- "rm -fr ~/firejail-xy76_u9\r"
+        sleep 1
+        
+        send -- "firejail --profile=3.11.profile\r"
+        expect {
+                timeout {puts "TESTING ERROR 20\n";exit}
+                "Child process initialized"
+        }
+        sleep 1
+        
+        send -- "ls -l ~ | grep firejail-xy76_u9\r"
+        expect {
+                timeout {puts "TESTING ERROR 21\n";exit}
+                "drwx------"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 22\n";exit}
+                "netblue netblue" { puts "Debian\n"}
+                "netblue users" { puts "Arch\n"}
+        }
+        expect {
+                timeout {puts "TESTING ERROR 23\n";exit}
+                "firejail-xy76_u9"
+        }
+        after 100
+        
+        send -- "ls -l ~/firejail-xy76_u9\r"
+        expect {
+                timeout {puts "TESTING ERROR 24\n";exit}
+                "drwx------"
+        }
+        expect {
+                timeout {puts "TESTING ERROR 25\n";exit}
+                "netblue netblue" { puts "Debian\n"}
+                "netblue users" { puts "Arch\n"}
+        }
+        expect {
+                timeout {puts "TESTING ERROR 26\n";exit}
+                "testdir"
+        }
+        after 100
+        
+        send -- "rm -fr ~/firejail-xy76_u9\r"
+        sleep 1
+
+        send -- "exit\r"
+
+}
+
+
+puts "\nall done\n"
+
diff --git a/test/features/3.11.profile b/test/features/3.11.profile
new file mode 100644
index 000000000..144733f8f
--- /dev/null
+++ b/test/features/3.11.profile
@@ -0,0 +1,2 @@
+mkdir ~/firejail-xy76_u9
+mkdir ~/firejail-xy76_u9/testdir
diff --git a/test/features/3.4.exp b/test/features/3.4.exp
index 996312334..3f316af5b 100755
--- a/test/features/3.4.exp
+++ b/test/features/3.4.exp
@@ -53,7 +53,7 @@ expect {
         ".Xauthority"
 }
 
-send -- "ls -al | grep config\r"
+send -- "ls -al | grep .config\r"
 expect {
         timeout {puts "TESTING ERROR 1.8\n";exit}
         "netblue"
@@ -117,7 +117,7 @@ if { $overlay == "overlay" } {
                 ".Xauthority"
         }
         
-        send -- "ls -al | grep config\r"
+        send -- "ls -al | grep .config\r"
         expect {
                 timeout {puts "TESTING ERROR 3.8\n";exit}
                 "netblue"
@@ -181,7 +181,7 @@ if { $chroot == "chroot" } {
                 ".Xauthority"
         }
         
-        send -- "ls -al | grep config\r"
+        send -- "ls -al | grep .config\r"
         expect {
                 timeout {puts "TESTING ERROR 5.8\n";exit}
                 "netblue"
diff --git a/test/features/3.5.exp b/test/features/3.5.exp
index d190ef36f..dfa8fae10 100755
--- a/test/features/3.5.exp
+++ b/test/features/3.5.exp
@@ -19,10 +19,11 @@ expect {
 }
 sleep 1
 
-send -- "ls -al /dev | wc -l\r"
+send -- "ls -l /dev | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
-        "14"
+        "12" { puts "Debian\n"}
+        "11" { puts "Centos\n"}
 }
 
 after 100
@@ -40,10 +41,10 @@ if { $overlay == "overlay" } {
         }
         sleep 1
         
-        send -- "ls -al /dev | wc -l\r"
+        send -- "ls -l /dev | wc -l\r"
         expect {
                 timeout {puts "TESTING ERROR 3.1\n";exit}
-                "13"
+                "11"
         }
         
         after 100
@@ -62,10 +63,10 @@ if { $chroot == "chroot" } {
         }
         sleep 1
         
-        send -- "ls -al /dev | wc -l\r"
+        send -- "ls -l /dev | wc -l\r"
         expect {
                 timeout {puts "TESTING ERROR 5.1\n";exit}
-                "13"
+                "11"
         }
         
         after 100
diff --git a/test/features/3.9.exp b/test/features/3.9.exp
index 1dc556d78..a1797804f 100755
--- a/test/features/3.9.exp
+++ b/test/features/3.9.exp
@@ -12,7 +12,7 @@ set chroot [lindex $argv 1]
 #
 # N
 #
-send -- "firejail --noprofile --whitelist=/dev/tty --whitelist=/dev/shm --whitelist=/dev/null\r"
+send -- "firejail --noprofile --whitelist=/dev/tty --whitelist=/dev/null\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -22,7 +22,7 @@ sleep 1
 send -- "ls -l /dev | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
-        "4"
+        "3"
 }
 
 
@@ -35,7 +35,7 @@ sleep 1
 # O
 #
 if { $overlay == "overlay" } {
-        send -- "firejail --noprofile --overlay --whitelist=/dev/tty --whitelist=/dev/shm --whitelist=/dev/null\r"
+        send -- "firejail --noprofile --overlay --whitelist=/dev/tty --whitelist=/dev/null\r"
         expect {
                 timeout {puts "TESTING ERROR 2\n";exit}
                 "Child process initialized"
@@ -45,7 +45,7 @@ if { $overlay == "overlay" } {
         send -- "ls -l /dev | wc -l\r"
         expect {
                 timeout {puts "TESTING ERROR 3.1\n";exit}
-                "4"
+                "3"
         }
         
 
@@ -58,7 +58,7 @@ if { $overlay == "overlay" } {
 # C
 #
 if { $chroot == "chroot" } {
-        send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/dev/tty --whitelist=/dev/shm --whitelist=/dev/null\r"
+        send -- "firejail --noprofile --chroot=/tmp/chroot --whitelist=/dev/tty --whitelist=/dev/null\r"
         expect {
                 timeout {puts "TESTING ERROR 4\n";exit}
                 "Child process initialized"
@@ -68,7 +68,7 @@ if { $chroot == "chroot" } {
         send -- "ls -l /dev | wc -l\r"
         expect {
                 timeout {puts "TESTING ERROR 5.1\n";exit}
-                "4"
+                "3"
         }
         
         after 100
diff --git a/test/features/features.txt b/test/features/features.txt
index 4d8821a92..283e85d93 100644
--- a/test/features/features.txt
+++ b/test/features/features.txt
@@ -25,6 +25,7 @@ C - chroot filesystem
 1.9 mount namespace
 1.10 disable /selinux
 
+
 2. Networking features
 
 2.1 Hostname (use --hostname=newhostname, do a ping and cat /etc/hostname)
@@ -37,6 +38,7 @@ C - chroot filesystem
 2.5 interface
 2.6 Default gw (--noprofile --net=eth0 --defaultgw=192.168.1.10, run netstat -rn)
 
+
 3. Filesystem features (use --noprofile)
 
 3.1 private
@@ -56,6 +58,7 @@ C - chroot filesystem
         - N not working on Debian wheezy (32-bit and 64-bit) - todo
 3.10 whitelist tmp
         - O not working on Arch Linux - todo
+3.11 mkdir
 
 
 
diff --git a/test/features/test.sh b/test/features/test.sh
index 495996551..3570dae5a 100755
--- a/test/features/test.sh
+++ b/test/features/test.sh
@@ -83,7 +83,7 @@ fi
 ####################
 # filesystem features
 ####################
-echo "TESTING: 3.1 private"
+echo "TESTING: 3.1 private (fails on OpenSUSE)"
 ./3.1.exp $OVERLAY $CHROOT
 
 echo "TESTING: 3.2 read-only"
@@ -92,7 +92,7 @@ echo "TESTING: 3.2 read-only"
 echo "TESTING: 3.3 blacklist"
 ./3.3.exp $OVERLAY $CHROOT
 
-echo "TESTING: 3.4 whitelist home"
+echo "TESTING: 3.4 whitelist home (fails on OpenSUSE)"
 ./3.4.exp $OVERLAY $CHROOT
 
 echo "TESTING: 3.5 private-dev"
@@ -113,3 +113,6 @@ echo "TESTING: 3.9 whitelist dev"
 echo "TESTING: 3.10 whitelist tmp"
 ./3.10.exp $OVERLAY $CHROOT
 
+echo "TESTING: 3.11 mkdir"
+./3.11.exp $OVERLAY $CHROOT
+
diff --git a/test/ip6.exp b/test/ip6.exp
index 19a822ee2..fba47d095 100755
--- a/test/ip6.exp
+++ b/test/ip6.exp
@@ -4,7 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --debug --noprofile --net=eth0 --ip6=2001:0db8:0:f101::1/64 --netfilter6=ipv6.net\r"
+send -- "firejail --debug --noprofile --net=br0 --ip6=2001:0db8:0:f101::1/64 --netfilter6=ipv6.net\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Installing network filter"
@@ -26,15 +26,16 @@ sleep 2
 send -- "/sbin/ifconfig\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "inet6 addr"
+        "inet6"
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "2001:db8:0:f101::1/64"
+        "2001:db8:0:f101::1"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "Scope:Global"
+        "Scope:Global" { puts "Debian\n"}
+        "scopeid 0x0<global>" { puts "Arch\n"}
 }
 
 
diff --git a/test/private-whitelist.exp b/test/private-whitelist.exp
index b78eb3b61..f06415c52 100755
--- a/test/private-whitelist.exp
+++ b/test/private-whitelist.exp
@@ -18,14 +18,14 @@ expect {
 }
 sleep 1
 
-send -- "ls -a /tmp | wc\r"
+send -- "ls -a /tmp | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
         "3"
 }
 sleep 1
 
-send -- "ls -a ~ | wc\r"
+send -- "ls -a ~ | wc -l\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
         "4"
diff --git a/test/test.sh b/test/test.sh
index 923a9b390..93e38edfb 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -6,37 +6,38 @@
 
 ./fscheck.sh
 
-echo "TESTING: nice"
+echo "TESTING: nice (nice.exp)"
 ./nice.exp
 
-echo "TESTING: protocol"
+echo "TESTING: protocol (protocol.exp)"
 ./protocol.exp
 
-echo "TESTING: invalid filename"
+echo "TESTING: invalid filename (invalid_filename.exp)"
 ./invalid_filename.exp
 
-echo "TESTING: environment variables"
+echo "TESTING: environment variables (env.exp)"
 ./env.exp
 
-echo "TESTING: whitelist empty"
+echo "TESTING: whitelist empty (whitelist-empty.exp)"
 ./whitelist-empty.exp
 
-echo "TESTING: ignore command"
+echo "TESTING: ignore command (ignore.exp)"
 ./ignore.exp
 
-echo "TESTING: private-etc"
+echo "TESTING: private-etc (private-etc.exp)"
 ./private-etc.exp
 
-echo "TESTING: private-bin"
+echo "TESTING: private-bin (private-bin.exp)"
 ./private-bin.exp
 
-echo "TESTING: private whitelist"
+echo "TESTING: private whitelist (private-whitelist.exp)"
+echo "TESTING:    failing on OpenSUSE"
 ./private-whitelist.exp
 
 sleep 1
 rm -fr dir\ with\ space
 mkdir dir\ with\ space
-echo "TESTING: blacklist"
+echo "TESTING: blacklist (blacklist.exp)"
 ./blacklist.exp
 sleep 1
 rm -fr dir\ with\ space
@@ -44,31 +45,31 @@ rm -fr dir\ with\ space
 ln -s auto auto2
 ln -s /bin auto3
 ln -s /usr/bin auto4
-echo "TESTING: blacklist directory link"
+echo "TESTING: blacklist directory link (blacklist-link.exp)"
 ./blacklist-link.exp
 rm -fr auto2
 rm -fr auto3
 rm -fr auto4
 
 
-echo "TESTING: version"
+echo "TESTING: version (option_version.exp)"
 ./option_version.exp
 
-echo "TESTING: help"
+echo "TESTING: help (option_help.exp)"
 ./option_help.exp
 
-echo "TESTING: man"
+echo "TESTING: man (opton_man.exp)"
 ./option_man.exp
 
-echo "TESTING: list"
+echo "TESTING: list (option_list.exp)"
 ./option_list.exp
 
-echo "TESTING: tree"
+echo "TESTING: tree (option_tree.exp)"
 ./option_tree.exp
 
 if [ -f /proc/self/uid_map ];
 then
-        echo "TESTING: noroot"
+        echo "TESTING: noroot (noroot.exp)"
         ./noroot.exp
 else
         echo "TESTING: user namespaces not available"
@@ -81,78 +82,78 @@ cp -- /bin/bash -testdir/.
 ./doubledash.exp
 rm -fr -- -testdir
 
-echo "TESTING: trace1"
+echo "TESTING: trace1 (option-trace.exp)"
 ./option-trace.exp
 
-echo "TESTING: trace2"
+echo "TESTING: trace2 (trace.exp)"
 rm -f index.html*
 ./trace.exp
 rm -f index.html*
 
-echo "TESTING: extract command"
+echo "TESTING: extract command (extract_command.exp)"
 ./extract_command.exp
 
-echo "TESTING: kmsg access"
+echo "TESTING: kmsg access (kmsg.exp)"
 ./kmsg.exp
 
-echo "TESTING: rlimit"
+echo "TESTING: rlimit (option_rlimit.exp)"
 ./option_rlimit.exp
 
-echo "TESTING: shutdown"
+echo "TESTING: shutdown (option_shutdown.exp)"
 ./option-shutdown.exp
 
-echo "TESTING: join"
+echo "TESTING: join (opton-join.exp)"
 ./option-join.exp
 
-echo "TESTING: join profile"
+echo "TESTING: join profile (option-join-profile.exp)"
 ./option-join-profile.exp
 
-echo "TESTING: firejail in firejail - single sandbox"
+echo "TESTING: firejail in firejail - single sandbox (firejail-in-firejail.exp)"
 ./firejail-in-firejail.exp
 
-echo "TESTING: firejail in firejail - force new sandbox"
+echo "TESTING: firejail in firejail - force new sandbox (firejail-in-firejail2.exp)"
 ./firejail-in-firejail2.exp
 
-echo "TESTING: chroot overlay"
+echo "TESTING: chroot overlay (opton_chroot_overlay.exp)"
 ./option_chroot_overlay.exp
 
-echo "TESTING: blacklist directory"
+echo "TESTING: blacklist directory (option_blacklist.exp)"
 ./option_blacklist.exp
 
-echo "TESTING: blacklist file"
+echo "TESTING: blacklist file (opton_blacklist_file.exp)"
 ./option_blacklist_file.exp
 
-echo "TESTING: bind as user"
+echo "TESTING: bind as user (option_bind_user.exp)"
 ./option_bind_user.exp
 
 if [ -d /home/bingo ];
 then
-        echo "TESTING: home sanitize"
+        echo "TESTING: home sanitize (opton_version.exp)"
         ./option_version.exp
 fi
 
-echo "TESTING: chroot as user"
+echo "TESTING: chroot as user (fs_chroot.exp)"
 ./fs_chroot.exp
 
-echo "TESTING: /sys"
+echo "TESTING: /sys (fs_sys.exp)"
 ./fs_sys.exp
 
-echo "TESTING: readonly"
+echo "TESTING: readonly (option_readonly.exp)"
 ls -al > tmpreadonly
 ./option_readonly.exp
 sleep 5
 rm -f tmpreadonly
 
-echo "TESTING: zsh"
+echo "TESTING: zsh (shell_zsh.exp)"
 ./shell_zsh.exp
 
-echo "TESTING: csh"
+echo "TESTING: csh (shell_csh.exp)"
 ./shell_csh.exp
 
 which dash
 if [ "$?" -eq 0 ];
 then
-        echo "TESTING: dash"
+        echo "TESTING: dash (shell_dash.exp)"
         ./shell_dash.exp
 else
         echo "TESTING: dash not found"
@@ -160,151 +161,152 @@ fi
 
 ./test-apps.sh
 
-echo "TESTING: PID"
+echo "TESTING: PID (pid.exp)"
 ./pid.exp
 
-echo "TESTING: output"
+echo "TESTING: output (output.exp)"
 ./output.exp
 
-echo "TESTING: profile no permissions"
+echo "TESTING: profile no permissions (profile_noperm.exp)"
 ./profile_noperm.exp
 
-echo "TESTING: profile syntax"
+echo "TESTING: profile syntax (profile_syntax.exp)"
 ./profile_syntax.exp
 
-echo "TESTING: profile syntax 2"
+echo "TESTING: profile syntax 2 (profile_syntax2.exp)"
 ./profile_syntax2.exp
 
-echo "TESTING: profile rlimit"
+echo "TESTING: profile rlimit (profile_rlimit.exp)"
 ./profile_rlimit.exp
 
-echo "TESTING: profile read-only"
+echo "TESTING: profile read-only (profile_readonly.exp)"
 ./profile_readonly.exp
 
-echo "TESTING: private"
+echo "TESTING: private (private.exp)"
 ./private.exp `whoami`
 
-echo "TESTING: private directory"
+echo "TESTING: private directory (private_dir.exp)"
 rm -fr dirprivate
 mkdir dirprivate
 ./private_dir.exp
 rm -fr dirprivate
 
-echo "TESTING: private directory profile"
+echo "TESTING: private directory profile (private_dir_profile.exp)"
 rm -fr dirprivate
 mkdir dirprivate
 ./private_dir_profile.exp
 rm -fr dirprivate
 
-echo "TESTING: overlayfs"
+echo "TESTING: overlayfs (fs_overlay.exp)"
 ./fs_overlay.exp
 
-echo "TESTING: seccomp debug"
+echo "TESTING: seccomp debug  (seccomp-debug.exp)"
 ./seccomp-debug.exp
 
-echo "TESTING: seccomp errno"
+echo "TESTING: seccomp errno (seccomp-errno.exp)"
 ./seccomp-errno.exp
 
-echo "TESTING: seccomp su"
+echo "TESTING: seccomp su (seccomp-su.exp)"
 ./seccomp-su.exp
 
-echo "TESTING: seccomp ptrace"
+echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)"
 ./seccomp-ptrace.exp
 
-echo "TESTING: seccomp chmod - seccomp lists"
+echo "TESTING: seccomp chmod - seccomp lists (seccomp-chmod.exp)"
 ./seccomp-chmod.exp
 
-echo "TESTING: seccomp chmod profile - seccomp lists"
+echo "TESTING: seccomp chmod profile - seccomp lists (seccomp-chmod-profile.exp)"
 ./seccomp-chmod-profile.exp
 
-echo "TESTING: seccomp empty"
+echo "TESTING: seccomp empty (seccomp-empty.exp)"
 ./seccomp-empty.exp
 
-echo "TESTING: seccomp bad empty"
+echo "TESTING: seccomp bad empty (seccomp-bad-empty.exp)"
 ./seccomp-bad-empty.exp
 
-echo "TESTING: seccomp dual filter"
+echo "TESTING: seccomp dual filter (seccomp-dualfilter.exp)"
 ./seccomp-dualfilter.exp
 
-echo "TESTING: read/write /var/tmp"
+echo "TESTING: read/write /var/tmp (fs_var_tmp.exp)"
 ./fs_var_tmp.exp
 
-echo "TESTING: read/write /var/lock"
+echo "TESTING: read/write /var/lock (fs_var_lock.exp)"
 ./fs_var_lock.exp
 
-echo "TESTING: read/write /dev/shm"
+echo "TESTING: read/write /dev/shm (fs_dev_shm.exp)"
 ./fs_dev_shm.exp
 
-echo "TESTING: quiet"
+echo "TESTING: quiet (quiet.exp)"
 ./quiet.exp
 
-echo "TESTING: IPv6 support"
+echo "TESTING: IPv6 support (ip6.exp)"
+echo "TESTING:    broken on Centos - todo"
 ./ip6.exp
 
-echo "TESTING: local network"
+echo "TESTING: local network (net_local.exp)"
 ./net_local.exp
 
-echo "TESTING: no network"
+echo "TESTING: no network (net_none.exp)"
 ./net_none.exp
 
-echo "TESTING: network IP"
+echo "TESTING: network IP (net_ip.exp)"
 ./net_ip.exp
 
-echo "TESTING: network MAC"
+echo "TESTING: network MAC (net_mac.exp)"
 sleep 2
 ./net_mac.exp
 
-echo "TESTING: network MTU"
+echo "TESTING: network MTU (net_mtu.exp)"
 ./net_mtu.exp
 
-echo "TESTING: network hostname"
+echo "TESTING: network hostname (hostname.exp)"
 ./hostname.exp
 
-echo "TESTING: network bad IP"
+echo "TESTING: network bad IP (net_badip.exp)"
 ./net_badip.exp
 
-echo "TESTING: network no IP test 1"
+echo "TESTING: network no IP test 1 (net_noip.exp)"
 ./net_noip.exp
 
-echo "TESTING: network no IP test 2"
+echo "TESTING: network no IP test 2 (net_noip2.exp)"
 ./net_noip2.exp
 
-echo "TESTING: network default gateway test 1"
+echo "TESTING: network default gateway test 1 (net_defaultgw.exp)"
 ./net_defaultgw.exp
 
-echo "TESTING: network default gateway test 2"
+echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
 ./net_defaultgw2.exp
 
-echo "TESTING: network default gateway test 3"
+echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
 ./net_defaultgw3.exp
 
-echo "TESTING: netfilter"
+echo "TESTING: netfilter (net_netfilter.exp)"
 ./net_netfilter.exp
 
-echo "TESTING: 4 bridges ARP"
+echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
 ./4bridges_arp.exp
 
-echo "TESTING: 4 bridges IP"
+echo "TESTING: 4 bridges IP (4bridges_ip.exp)"
 ./4bridges_ip.exp
 
-echo "TESTING: login SSH"
+echo "TESTING: login SSH (login_ssh.exp)"
 ./login_ssh.exp
 
-echo "TESTING: ARP"
+echo "TESTING: ARP (net_arp.exp)"
 ./net_arp.exp
 
-echo "TESTING: DNS"
+echo "TESTING: DNS (dns.exp)"
 ./dns.exp
 
-echo "TESTING: firemon --arp"
+echo "TESTING: firemon --arp (firemon-arp.exp)"
 ./firemon-arp.exp
 
-echo "TESTING: firemon --route"
+echo "TESTING: firemon --route (firemon-route.exp)"
 ./firemon-route.exp
 
-echo "TESTING: firemon --seccomp"
+echo "TESTING: firemon --seccomp (firemon-seccomp.exp)"
 ./firemon-seccomp.exp
 
-echo "TESTING: firemon --caps"
+echo "TESTING: firemon --caps (firemon-caps.exp)"
 ./firemon-caps.exp