27 files changed, 493 insertions, 186 deletions
diff --git a/Makefile.in b/Makefile.in
index 83d44fb1c..8649475dd 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -146,7 +146,7 @@ uninstall:
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
        
 DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
-DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/appimage test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"
+DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"
 dist:
        mv config.status config.status.old
@@ -232,26 +232,34 @@ test-arguments:
 test-fs:
        cd test/fs; ./fs.sh | grep TESTING
-test-appimage:
+test: test-profiles test-fs test-utils  test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
-        cd test/appimage; ./appimage.sh | grep TESTING
-        
-test: test-profiles test-fs test-utils  test-environment test-appimage test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
        echo "TEST COMPLETE"
-#
+##########################################
-# individual tests, some of them requiring root access
+# Individual tests, some of them require root access
-#
+# The tests are very intrussive, by the time you are done
+# with them you will need to restart your computer.
+##########################################
-# root access, network devices are created before the test
+# Huge appimage files, not included in "make dist" archive
+test-appimage:
+        cd test/appimage; ./appimage.sh | grep TESTING
+# Root access, network devices are created before the test
+# restart your computer to get rid of these devices
 test-network:
        cd test/network; ./network.sh | grep TESTING
-# all the tests are run as root
+# Tesets running a root user
 test-root:
        cd test/root; su -c ./root.sh | grep TESTING
        
-# runs as regular user
+# OverlayFS is not available on all platforms
 test-overlay:
        cd test/overlay; ./overlay.sh | grep TESTING
-# mount -o remount,rw,hidepid=2 /proc
+# For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
+test-all: test-root test-network test-appimage test-overlay test
+        echo "TEST COMPLETE"
+        
+\ No newline at end of file
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 96c054048..a658173eb 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -94,14 +94,8 @@ void appimage_set(const char *appimage_path) {
        if (asprintf(&mntdir, "%s/.appimage-%u",  RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
                errExit("asprintf");
        EUID_ROOT();
-        if (mkdir(mntdir, 0700) == -1) {
+        mkdir_attr(mntdir, 0700, getuid(), getgid());
-                fprintf(stderr, "Error: cannot create appimage mount point\n");
-                exit(1);
-        }
-        if (set_perms(mntdir, getuid(), getgid(), 0700))
-                errExit("set_perms");
        EUID_USER();
-        ASSERT_PERMS(mntdir, getuid(), getgid(), 0700);
        
        // mount
        char *mode;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 282271a64..d7ba539e6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -461,6 +461,7 @@ void flush_stdin(void);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
 void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
+void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3a2fd8c38..7ff7e3c59 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -247,21 +247,13 @@ void fs_blacklist(void) {
                // process bind command
                if (strncmp(entry->data, "bind ", 5) == 0)  {
+                        struct stat s;
                        char *dname1 = entry->data + 5;
                        char *dname2 = split_comma(dname1);
-                        if (dname2 == NULL) {
+                        if (dname2 == NULL ||
-                                fprintf(stderr, "Error: second directory missing in bind command\n");
+                            stat(dname1, &s) == -1 ||
-                                entry = entry->next;
+                            stat(dname2, &s) == -1) {
-                                continue;
+                                fprintf(stderr, "Error: invalid bind command, directory missing\n");
-                        }
-                        struct stat s;
-                        if (stat(dname1, &s) == -1) {
-                                fprintf(stderr, "Error: cannot find %s for bind command\n", dname1);
-                                entry = entry->next;
-                                continue;
-                        }
-                        if (stat(dname2, &s) == -1) {
-                                fprintf(stderr, "Error: cannot find %s for bind command\n", dname2);
                                entry = entry->next;
                                continue;
                        }
@@ -410,10 +402,9 @@ void fs_rdonly(const char *dir) {
        int rv = stat(dir, &s);
        if (rv == 0) {
                // mount --bind /bin /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount read-only");
                // mount --bind -o remount,ro /bin
-                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
+                    mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
                        errExit("mount read-only");
                fs_logger2("read-only", dir);
        }
@@ -428,15 +419,15 @@ static void fs_rdwr(const char *dir) {
                // if the file is outside /home directory, allow only root user
                uid_t u = getuid();
                if (u != 0 && s.st_uid != u) {
-                        fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+                        if (!arg_quiet)
+                                fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
                        return;
                }
                
                // mount --bind /bin /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount read-write");
                // mount --bind -o remount,rw /bin
-                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || 
+                    mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
                        errExit("mount read-write");
                fs_logger2("read-write", dir);
        }
@@ -449,37 +440,16 @@ void fs_noexec(const char *dir) {
        int rv = stat(dir, &s);
        if (rv == 0) {
                // mount --bind /bin /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount noexec");
                // mount --bind -o remount,ro /bin
-                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0)
+                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || 
-                        errExit("mount read-only");
+                    mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0)
+                        errExit("mount noexec");
                fs_logger2("noexec", dir);
        }
 }
-void fs_rdonly_noexit(const char *dir) {
-        assert(dir);
-        // check directory exists
-        struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                int merr = 0;
-                // mount --bind /bin /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        merr = 1;
-                // mount --bind -o remount,ro /bin
-                if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
-                        merr = 1;
-                if (merr)
-                        fprintf(stderr, "Warning: cannot mount %s read-only\n", dir); 
-                else
-                        fs_logger2("read-only", dir);
-        }
-}
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
        if (arg_debug)
@@ -489,10 +459,8 @@ void fs_proc_sys_dev_boot(void) {
        fs_logger("remount /proc");
        // remount /proc/sys readonly
-        if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0)
+        if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
-                errExit("mounting /proc/sys");
+            mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
-        if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
                errExit("mounting /proc/sys");
        fs_logger("read-only /proc/sys");
@@ -646,12 +614,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                errExit("asprintf");
        if (stat(dirname, &s) == -1) {
-                /* coverity[toctou] */
+                mkdir_attr(dirname, 0700, 0, 0);
-                if (mkdir(dirname, 0700))
-                        errExit("mkdir");
-                if (chmod(dirname, 0700) == -1)
-                        errExit("chmod");
-                ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
        }
        else if (is_link(dirname)) {
                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
@@ -733,11 +696,7 @@ void fs_overlayfs(void) {
        char *oroot;
        if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
                errExit("asprintf");
-        if (mkdir(oroot, 0755))
+        mkdir_attr(oroot, 0755, 0, 0);
-                errExit("mkdir");
-        if (chmod(oroot, 0755) == -1)
-                errExit("chmod");
-        ASSERT_PERMS(oroot, 0, 0, 0755);
        struct stat s;
        char *basedir = RUN_MNT_DIR;
@@ -766,11 +725,9 @@ void fs_overlayfs(void) {
        // no need to check arg_overlay_reuse
        if (stat(odiff, &s) != 0) {
-                if (mkdir(odiff, 0755))
+                mkdir_attr(odiff, 0755, 0, 0);
-                        errExit("mkdir");
        }
+        else if (set_perms(odiff, 0, 0, 0755))
-        if (set_perms(odiff, 0, 0, 0755))
                errExit("set_perms");
        
        char *owork;
@@ -779,11 +736,9 @@ void fs_overlayfs(void) {
        // no need to check arg_overlay_reuse
        if (stat(owork, &s) != 0) {
-                if (mkdir(owork, 0755))
+                mkdir_attr(owork, 0755, 0, 0);
-                        errExit("mkdir");
        }
+        else if (set_perms(owork, 0, 0, 0755))
-        if (set_perms(owork, 0, 0, 0755))
                errExit("chown");
        
        // mount overlayfs
@@ -839,11 +794,9 @@ void fs_overlayfs(void) {
                                // no need to check arg_overlay_reuse
                                if (stat(hdiff, &s) != 0) {
-                                        if (mkdir(hdiff, S_IRWXU | S_IRWXG | S_IRWXO))
+                                        mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
-                                                errExit("mkdir");
                                }
+                                else if (set_perms(hdiff, 0, 0, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
-                                if (set_perms(hdiff, 0, 0, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
                                        errExit("set_perms");
                
                                if(asprintf(&hwork, "%s/hwork", basedir) == -1)
@@ -851,11 +804,9 @@ void fs_overlayfs(void) {
                                // no need to check arg_overlay_reuse
                                if (stat(hwork, &s) != 0) {
-                                        if (mkdir(hwork, S_IRWXU | S_IRWXG | S_IRWXO))
+                                        mkdir_attr(hwork, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
-                                                errExit("mkdir");
                                }
+                                else if (set_perms(hwork, 0, 0, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
-                                if (set_perms(hwork, 0, 0, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
                                        errExit("set_perms");
                
                                // no homedir in overlay so now mount another overlay for /home
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index c906e32c0..6cc1bf3ab 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -212,11 +212,7 @@ void fs_private_bin_list(void) {
        assert(private_list);
        
        // create /run/firejail/mnt/bin directory
-        if (mkdir(RUN_BIN_DIR, 0755) == -1)
+        mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
-                errExit("mkdir");
-        if (chmod(RUN_BIN_DIR, 0755) == -1)
-                errExit("chmod");
-        ASSERT_PERMS(RUN_BIN_DIR, 0, 0, 0755);
        
        // copy the list of files in the new etc directory
        // using a new child process without root privileges
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index ef5d67b55..d710e98f2 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -65,11 +65,7 @@ static void deventry_mount(void) {
                        if (arg_debug)
                                printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file");
                        if (dir) {
-                                if (mkdir(dev[i].dev_fname, 0755) == -1)
+                                mkdir_attr(dev[i].dev_fname, 0755, 0, 0);
-                                        errExit("mkdir");
-                                if (chmod(dev[i].dev_fname, 0755) == -1)
-                                        errExit("chmod");
-                                ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755);
                        }
                        else {
                                struct stat s;
@@ -130,11 +126,7 @@ void fs_private_dev(void){
        // create DRI_DIR
        // keep a copy of dev directory
-        if (mkdir(RUN_DEV_DIR, 0755) == -1)
+        mkdir_attr(RUN_DEV_DIR, 0755, 0, 0);
-                errExit("mkdir");
-        if (chmod(RUN_DEV_DIR, 0755) == -1)
-                errExit("chmod");
-        ASSERT_PERMS(RUN_DEV_DIR, 0, 0, 0755);
        if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mounting /dev/dri");
@@ -179,12 +171,7 @@ void fs_private_dev(void){
        // create /dev/shm
        if (arg_debug)
                printf("Create /dev/shm directory\n");
-        if (mkdir("/dev/shm", 01777) == -1)
+        mkdir_attr("/dev/shm", 01777, 0, 0);
-                errExit("mkdir");
-        // mkdir sets only the file permission bits
-        if (chmod("/dev/shm", 01777) < 0)
-                errExit("chmod");
-        ASSERT_PERMS("/dev/shm", 0, 0, 01777);
        fs_logger("mkdir /dev/shm");
        // create devices
@@ -206,11 +193,7 @@ void fs_private_dev(void){
 #endif
        // pseudo-terminal
-        if (mkdir("/dev/pts", 0755) == -1)
+        mkdir_attr("/dev/pts", 0755, 0, 0);
-                errExit("mkdir");
-        if (chmod("/dev/pts", 0755) == -1)
-                errExit("chmod");
-        ASSERT_PERMS("/dev/pts", 0, 0, 0755);
        fs_logger("mkdir /dev/pts");
        create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
        fs_logger("mknod /dev/pts/ptmx");
@@ -260,12 +243,7 @@ void fs_dev_shm(void) {
                if (lnk) {
                        if (!is_dir(lnk)) {
                                // create directory
-                                if (mkdir(lnk, 01777))
+                                mkdir_attr(lnk, 01777, 0, 0);
-                                        errExit("mkdir");
-                                // mkdir sets only the file permission bits
-                                if (chmod(lnk, 01777))
-                                        errExit("chmod");
-                                ASSERT_PERMS(lnk, 0, 0, 01777);
                        }
                        if (arg_debug)
                                printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index ebcde29a3..7e18840fd 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -132,11 +132,7 @@ void fs_private_etc_list(void) {
        }
        // create /run/firejail/mnt/etc directory
-        if (mkdir(RUN_ETC_DIR, 0755) == -1)
+        mkdir_attr(RUN_ETC_DIR, 0755, 0, 0);
-                errExit("mkdir");
-        if (chmod(RUN_ETC_DIR, 0755) == -1)
-                errExit("chmod");
-        ASSERT_PERMS(RUN_ETC_DIR, 0, 0, 0755);
        fs_logger("tmpfs /etc");
        
        fs_logger_print();      // save the current log
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 4ff00f3ba..ca50685ad 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -98,10 +98,7 @@ static void build_dirs(void) {
        // create directories under /var/log
        DirData *ptr = dirlist;
        while (ptr) {
-                if (mkdir(ptr->name, ptr->st_mode))
+                mkdir_attr(ptr->name, ptr->st_mode, ptr->st_uid, ptr->st_gid);
-                        errExit("mkdir");
-                if (chown(ptr->name, ptr->st_uid, ptr->st_gid))
-                        errExit("chown");
                fs_logger2("mkdir", ptr->name);
                ptr = ptr->next;
        }
@@ -223,18 +220,10 @@ void fs_var_cache(void) {
                        gid = p->pw_gid;
                }
                
-                int rv = mkdir("/var/cache/lighttpd/compress", 0755);
+                mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown("/var/cache/lighttpd/compress", uid, gid) < 0)
-                        errExit("chown");
                fs_logger("mkdir /var/cache/lighttpd/compress");
-                rv = mkdir("/var/cache/lighttpd/uploads", 0755);
+                mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid);
-                if (rv == -1)
-                        errExit("mkdir");
-                if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0)
-                        errExit("chown");
                fs_logger("/var/cache/lighttpd/uploads");
        }                       
 }
@@ -268,11 +257,7 @@ void fs_var_lock(void) {
                if (lnk) {
                        if (!is_dir(lnk)) {
                                // create directory
-                                if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
+                                mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0);
-                                        errExit("mkdir");
-                                if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
-                                        errExit("chmod");
-                                ASSERT_PERMS(lnk, 0, 0, S_IRWXU|S_IRWXG|S_IRWXO);
                        }
                        if (arg_debug)
                                printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 899166447..628002d35 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -229,15 +229,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
                        exit(1);
        }
        else {
-                if (join_namespace(pid, "ipc"))
+                if (join_namespace(pid, "ipc") ||
-                        exit(1);
+                    join_namespace(pid, "net") ||
-                if (join_namespace(pid, "net"))
+                    join_namespace(pid, "pid") ||
-                        exit(1);
+                    join_namespace(pid, "uts") ||
-                if (join_namespace(pid, "pid"))
+                    join_namespace(pid, "mnt"))
-                        exit(1);
-                if (join_namespace(pid, "uts"))
-                        exit(1);
-                if (join_namespace(pid, "mnt"))
                        exit(1);
        }
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3424d8ab6..d928c6b42 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -731,4 +731,40 @@ int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
        return 0;
 }
+void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
+        assert(fname);
+        mode &= 07777;
+#if 0   
+        printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode);
+        if (S_ISLNK(mode))
+                printf("l");
+        else if (S_ISDIR(mode))
+                printf("d");
+        else if (S_ISCHR(mode))
+                printf("c");
+        else if (S_ISBLK(mode))
+                printf("b");
+        else if (S_ISSOCK(mode))
+                printf("s");
+        else
+                printf("-");
+        printf( (mode & S_IRUSR) ? "r" : "-");
+        printf( (mode & S_IWUSR) ? "w" : "-");
+        printf( (mode & S_IXUSR) ? "x" : "-");
+        printf( (mode & S_IRGRP) ? "r" : "-");
+        printf( (mode & S_IWGRP) ? "w" : "-");
+        printf( (mode & S_IXGRP) ? "x" : "-");
+        printf( (mode & S_IROTH) ? "r" : "-");
+        printf( (mode & S_IWOTH) ? "w" : "-");
+        printf( (mode & S_IXOTH) ? "x" : "-");
+        printf("\n");
+#endif  
+        if (mkdir(fname, mode) == -1 ||
+            chmod(fname, mode) == -1 ||
+            chown(fname, uid, gid)) {
+                fprintf(stderr, "Error: failed to create %s directory\n", fname);
+                errExit("mkdir/chmod");
+        }
+        ASSERT_PERMS(fname, uid, gid, mode);
+}
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index 88687ae2a..503da2b9b 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --appimage Leafpad-0.8.17-x86_64.AppImage\r"
+send -- "firejail --name=appimage-test --appimage Leafpad-0.8.17-x86_64.AppImage\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "Child process initialized"
@@ -77,5 +77,9 @@ expect {
 }
 after 100
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
 puts "\nall done\n"
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp
index 7b3bf4cbd..5cb9d0849 100755
--- a/test/appimage/appimage-v2.exp
+++ b/test/appimage/appimage-v2.exp
@@ -77,5 +77,9 @@ expect {
 }
 after 100
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
 puts "\nall done\n"
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh
index 1b3494290..4a8671dbd 100755
--- a/test/apps-x11/apps-x11.sh
+++ b/test/apps-x11/apps-x11.sh
@@ -6,6 +6,33 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: no x11 (test/apps-x11/x11-none.exp)"
+./x11-none.exp
+which xterm
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xterm x11 xorg"
+        ./xterm-xorg.exp
+        which xpra
+        if [ "$?" -eq 0 ];
+        then
+        echo "TESTING: xterm x11 xpra"
+        ./xterm-xpra.exp
+        fi
+        
+        which Xephyr
+        if [ "$?" -eq 0 ];
+        then
+        echo "TESTING: xterm x11 xephyr"
+        ./xterm-xephyr.exp
+        fi
+else
+        echo "TESTING SKIP: xterm not found"
+fi
 # check xpra/xephyr
 which xpra
 if [ "$?" -eq 0 ];
@@ -23,15 +50,6 @@ else
        fi
 fi
-which xterm
-if [ "$?" -eq 0 ];
-then
-        echo "TESTING: xterm x11"
-        ./xterm.exp
-else
-        echo "TESTING SKIP: xterm not found"
-fi
 which firefox
 if [ "$?" -eq 0 ];
 then
diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp
new file mode 100755
index 000000000..e9908839b
--- /dev/null
+++ b/test/apps-x11/x11-none.exp
@@ -0,0 +1,48 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=none\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "use network namespace in firejail"
+}
+sleep 1
+send -- "firejail --name=test --net=none --x11=none\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -al /tmp/.X11-unix\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cannot open directory"
+}
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "DISPLAY is not set"
+}
+after 100
+send -- "export DISPLAY=:0.0\r"
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Xt error"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp
new file mode 100755
index 000000000..41a413890
--- /dev/null
+++ b/test/apps-x11/x11-xephyr.exp
@@ -0,0 +1,59 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xephyr xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+exit
+sleep 5
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "use network namespace in firejail"
+}
+sleep 1
+send -- "firejail --name=test --net=none --x11=none\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -al /tmp/.X11-unix\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cannot open directory"
+}
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "DISPLAY is not set"
+}
+after 100
+send -- "export DISPLAY=:0.0\r"
+after 100
+send -- "xterm\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Xt error"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp
new file mode 100755
index 000000000..5b4299478
--- /dev/null
+++ b/test/apps-x11/xterm-xephyr.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xephyr xterm\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11/xterm.exp b/test/apps-x11/xterm-xorg.exp
index 4fa5ddf0c..fbc88f196 100755
--- a/test/apps-x11/xterm.exp
+++ b/test/apps-x11/xterm-xorg.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --name=test --x11 xterm\r"
+send -- "firejail --name=test --x11=xorg xterm\r"
 sleep 10
 spawn $env(SHELL)
diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp
new file mode 100755
index 000000000..379de131a
--- /dev/null
+++ b/test/apps-x11/xterm-xpra.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xpra xterm\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/fs/read-write.exp b/test/fs/read-write.exp
index cfca15605..57986488e 100755
--- a/test/fs/read-write.exp
+++ b/test/fs/read-write.exp
@@ -20,12 +20,14 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "done"
 }
+after 100
 send -- "echo mytest >~/_firejail_test_dir/test1/b;echo done\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "done"
 }
+after 100
 send -- "cat ~/_firejail_test_dir/a;echo done\r"
 expect {
@@ -33,7 +35,7 @@ expect {
        "mytest" {puts "TESTING ERROR 4\n";exit}
        "done"
 }
+after 100
 send -- "cat ~/_firejail_test_dir/test1/b;echo done\r"
 expect {
diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp
index e40ffb609..71fa1660f 100755
--- a/test/network/firemon-arp.exp
+++ b/test/network/firemon-arp.exp
@@ -4,12 +4,12 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "ping -c 3 192.168.1.1\r"
+#send -- "ping -c 3 192.168.1.1\r"
-expect {
+#expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
+#       timeout {puts "TESTING ERROR 0\n";exit}
-        "3 packets transmitted"
+#       "3 packets transmitted"
-}
+#}
-sleep 1
+#sleep 1
 send --  "firejail --name=test1\r"
 expect {
diff --git a/test/root/firejail.config b/test/root/firejail.config
new file mode 100644
index 000000000..71ff2f4e9
--- /dev/null
+++ b/test/root/firejail.config
@@ -0,0 +1,20 @@
+bind yes
+chroot yes
+chroot-desktop yes
+file-transfer yes
+force-nonewprivs no
+network yes
+overlayfs yes
+private-bin-no-local no
+private-home yes
+quiet-by-default no
+remount-proc-sys yes
+restricted-network no
+# netfilter-default /etc/iptables.iptables.rules
+seccomp yes
+userns yes
+whitelist yes
+x11 yes
+xephyr-screen 800x600
+xephyr-window-title yes
+xephyr-extra-params -grayscale
diff --git a/test/root/root.sh b/test/root/root.sh
index 8c7437e49..471b7d535 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -1,5 +1,8 @@
 #!/bin/bash
+# set a new firejail config file
+cp firejail.config /etc/firejail/firejail.config
 #********************************
 # servers
 #********************************
@@ -91,3 +94,6 @@ else
        echo "TESTING SKIP: firecfg, firefox not found"
 fi
+# restore the default config file
+cp ../../etc/firejail.config /etc/firejail/firejail.config
diff --git a/test/root/seccomp-umount.exp b/test/root/seccomp-umount.exp
index 04a9b7a3d..c441c5fc4 100755
--- a/test/root/seccomp-umount.exp
+++ b/test/root/seccomp-umount.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r"
+send --  "firejail --seccomp --noprofile\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
diff --git a/test/utils/join.exp b/test/utils/join.exp
index 7f582e2e5..fc30bc6a4 100755
--- a/test/utils/join.exp
+++ b/test/utils/join.exp
@@ -8,7 +8,7 @@ cd /home
 spawn $env(SHELL)
 match_max 100000
-send --  "firejail --name=jointesting\r"
+send --  "firejail --name=jointesting --cpu=0 --nice=2\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
diff --git a/test/utils/ls.exp b/test/utils/ls.exp
index cd2c2984c..ff6867c51 100755
--- a/test/utils/ls.exp
+++ b/test/utils/ls.exp
@@ -3,6 +3,8 @@
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
+set firstspawn $spawn_id
 send -- "rm -f lstesting\r"
 sleep 1
@@ -11,11 +13,11 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "echo my_testing > ~/lstesting\r"
-sleep 2
+after 100
+# ls
 spawn $env(SHELL)
 send -- "firejail --ls=test ~/.\r"
 expect {
@@ -23,14 +25,44 @@ expect {
        "lstesting"
 }
 sleep 1
+# get
 send -- "firejail --get=test ~/lstesting\r"
-sleep 2
+sleep 1
 send -- "cat lstesting\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 2n";exit}
        "my_testing"
 }
+after 100
+# put
+send -- "echo put_test > ~/lstesting\r"
+after 100
+send -- "firejail --put=test ~/lstesting ~/lstesting_2\r"
 sleep 1
+set spawn_id $firstspawn
+send -- "ls -al ~\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "lstesting_2"
+}
+after 100
+send -- "cat ~/lstesting_2\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "put_test"
+}
+after 100
+send -- "exit\r"
+sleep 1
 send -- "rm -f lstesting\r"
 after 100
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 7b0ab1096..bd91110f7 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -88,10 +88,10 @@ echo "TESTING: top (test/utils/top.exp)"
 echo "TESTING: file transfer (test/utils/ls.exp)"
 ./ls.exp
-echo "TESTING: firemon --seccomp (test/utils/firemon-seccomp.exp)"
+echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)"
 ./firemon-seccomp.exp
-echo "TESTING: firemon --caps (test/utils/firemon-caps.exp)"
+echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
 ./firemon-caps.exp
 echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)"
diff --git a/todo b/todo
index 253704fcf..6bc73313f 100644
--- a/todo
+++ b/todo
@@ -286,4 +286,5 @@ removable media, partitions, software RAID volumes, logical volumes, and files.
 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps*
+30. /* coverity[toctou] */