44 files changed, 594 insertions, 151 deletions
diff --git a/README b/README
index d20503974..1d2191c65 100644
--- a/README
+++ b/README
@@ -97,6 +97,14 @@ valoq (https://github.com/valoq)
        - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
        - added wget profile
        - disable gnupg and systemd directories under /run/user
+SYN-cook (https://github.com/SYN-cook)
+        - keepass/keepassx browser fixes
+thewisenerd (https://github.com/thewisenerd)
+        - appimage: pass commandline arguments
+KOLANICH (https://github.com/KOLANICH)
+        - added symlink fixer
+Jesse Smith (https://github.com/slicer69)
+        - added QupZilla profile
 Lari Rauno (https://github.com/tuutti)
        - qutebrowser profile fixes
 SpotComms (https://github.com/SpotComms)
@@ -117,6 +125,8 @@ curiosity-seeker (https://github.com/curiosity-seeker)
        - cherrytree profile fixes
        - added quiterss profile
        - added guayadeque profile
+        - added VirtualBox.profile
+        - various other profile fixes
 Simon Peter (https://github.com/probonopd)
        - set $APPIMAGE and $APPDIR environment variables
        - AppImage version detection
@@ -313,6 +323,7 @@ Peter Millerchip (https://github.com/pmillerchip)
        - support for files and directories starting with ~ in blacklist option
        - support for files and directories with spaces in blacklist option
        - lots of other fixes
+        - implement the --allow-private-blacklist option
 sarneaud (https://github.com/sarneaud)
        - rewrite globbing code to fix various minor issues
        - added noblacklist command for profile files
diff --git a/README.md b/README.md
index 609533a91..9057a9a88 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ prefix your command with “firejail”:
 `````
 $ firejail firefox            # starting Mozilla Firefox
-$ firejail transmission-gtk   # starting Transmission BitTorrent 
+$ firejail transmission-gtk   # starting Transmission BitTorrent
 $ firejail vlc                # starting VideoLAN Client
 $ sudo firejail /etc/init.d/nginx start
 `````
@@ -81,6 +81,15 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
              Example:
              $ firejail --machine-id
+       --allow-private-blacklist
+              Allow  blacklisting  files in private home directory. By default
+              these blacklists are disabled.
+              Example:
+              $   firejail    --allow-private-blacklist   --private=~/priv-dir
+              --blacklist=~/.mozilla
+             
 `````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,
@@ -88,5 +97,6 @@ amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exifto
 gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-photos, gnome-weather,
 goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext,
 simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget,
-xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, 
+xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,
-PDFSam, Pithos, Xonotic, wireshark
+PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla
diff --git a/RELNOTES b/RELNOTES
index 064553f98..2d57b1a88 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -13,12 +13,14 @@ firejail (0.9.45) baseline; urgency=low
  * feature: private /opt directory (--private-opt, profile support)
  * feature: private /srv directory (--private-srv, profile support)
  * feature: spoof machine-id
-  * feature: config support for firejail prompt in terminal
+  * feature: config support for firejail prompt in terminals
+  * feature: pass command line arguments to appimages
+  * feature: --allow-private-blacklist option
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
-  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, 
+  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
  * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
-  * new profies: Xonotic, wireshark
+  * new profies: Xonotic, wireshark, keepassx2, QupZilla
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
@@ -32,7 +34,7 @@ firejail (0.9.44) baseline; urgency=low
  * feature: support starting/joining sandbox is a single command
    (--join-or-start)
  * feature: X11 detection support for --audit
-  * feature: assign a name to the interface connected to the bridge 
+  * feature: assign a name to the interface connected to the bridge
    (--veth-name)
  * feature: all user home directories are visible (--allusers)
  * feature: add files to sandbox container (--put)
@@ -265,7 +267,7 @@ firejail (0.9.24) baseline; urgency=low
  * two build patches from Reiner Herman (tickets 11, 12)
  * man page patch from Reiner Herman (ticket 13)
  * output patch (ticket 15) from sshirokov
-  
 -- netblue30 <netblue30@yahoo.com>  Sun, 5 Apr 2015 08:00:00 -0500
 firejail (0.9.22) baseline; urgency=low
@@ -330,7 +332,7 @@ firejail (0.9.16) baseline; urgency=low
 -- netblue30 <netblue30@yahoo.com>  Tue, 4 Nov 2014 10:00:00 -0500
 firejail (0.9.14) baseline; urgency=low
-  * Linux capabilities and seccomp filters are automatically enabled in 
+  * Linux capabilities and seccomp filters are automatically enabled in
    chroot mode (--chroot option) if the sandbox is started as regular user
  * Added support for user defined seccomp blacklists
  * Added syscall trace support
@@ -382,7 +384,7 @@ firejail (0.9.8.1) baseline; urgency=low
  * FIxed a number of bugs introduced in 0.9.8
 -- netblue30 <netblue30@yahoo.com>  Fri, 25 Jul 2014 07:25:00 -0500
-  
 firejail (0.9.8) baseline; urgency=low
  * Implemented nowrap mode for firejail --list command option
  * Added --top option in both firejail and firemon
@@ -391,7 +393,7 @@ firejail (0.9.8) baseline; urgency=low
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  Tue, 24 Jul 2014 08:51:00 -0500
-  
 firejail (0.9.6) baseline; urgency=low
  * Mounting tmpfs on top of /var/log, required by several server programs
@@ -430,7 +432,7 @@ firejail (0.9.2) baseline; urgency=low
  * Added an expect-based testing framework for the project
  * Added bash completion support
  * Added support for multiple networks
-  
 -- netblue30 <netblue30@yahoo.com>  Fri, 25 Apr 2014 08:00:00 -0500
 firejail (0.9) baseline; urgency=low
diff --git a/contrib/fix_private-bin_for_symlinked_sh.py b/contrib/fix_private-bin_for_symlinked_sh.py
new file mode 100644
index 000000000..705e46e46
--- /dev/null
+++ b/contrib/fix_private-bin_for_symlinked_sh.py
@@ -0,0 +1,68 @@
+#!/usr/bin/python3
+import sys, os, glob, re
+privRx=re.compile("^(?:#\s*)?private-bin")
+def fixSymlinkedBins(files, replMap):
+        rxs=dict()
+        for (old,new) in replMap.items():
+                rxs[old]=re.compile("\\b"+old+"\\b")
+                rxs[new]=re.compile("\\b"+new+"\\b")
+        print(rxs)
+        
+        for filename in files:
+                lines=None
+                with open(filename,"r") as file:
+                        lines=file.readlines()
+                
+                shouldUpdate=False
+                for (i,line) in enumerate(lines):
+                        if privRx.search(line):
+                                for (old,new) in replMap.items():
+                                        if rxs[old].search(line) and not rxs[new].search(line):
+                                                lines[i]=rxs[old].sub(old+","+new, line)
+                                                shouldUpdate=True
+                                                print(lines[i])
+                
+                if shouldUpdate:
+                        with open(filename,"w") as file:
+                                file.writelines(lines)
+                                pass
+def createListOfBinaries(files):
+        s=set()
+        for filename in files:
+                lines=None
+                with open(filename,"r") as file:
+                        for line in file:
+                                if privRx.search(line):
+                                        bins=line.split(",")
+                                        bins[0]=bins[0].split(" ")[-1]
+                                        bins = [n.strip() for n in bins]
+                                        s=s|set(bins)
+        return s
+def createSymlinkTable(binDirs, binariesSet):
+        m=dict()
+        for sh in binariesSet:
+                for bD in binDirs:
+                        p=bD+os.path.sep+sh
+                        if os.path.exists(p):
+                                if os.path.islink(p):
+                                        m[sh]=os.readlink(p)
+                                else:
+                                        pass
+                                break
+        return m
+sh="sh"
+binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"]
+profilesPath="."
+files=glob.glob(profilesPath+os.path.sep+"*.profile")
+bins=createListOfBinaries(files)
+stbl=createSymlinkTable(binDirs,bins)
+print(stbl)
+fixSymlinkedBins(files,{a[0]:a[1] for a in stbl.items() if a[0].find("/") < 0 and a[1].find("/")<0})
diff --git a/etc/VirtualBox.profile b/etc/VirtualBox.profile
new file mode 100644
index 000000000..ff0a4b6ef
--- /dev/null
+++ b/etc/VirtualBox.profile
@@ -0,0 +1 @@
+include /etc/firejail/virtualbox.profile
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 481301420..f25bbd94d 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -29,14 +29,14 @@ whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 #silverlight
 whitelist ~/.wine-pipelight
 whitelist ~/.wine-pipelight64
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 4109af9a4..7610d9b26 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -18,10 +18,11 @@ whitelist ~/.cache/chromium
 mkdir ~/.pki
 whitelist ~/.pki
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index 84021dab3..f722915f0 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -29,14 +29,14 @@ whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 #silverlight
 whitelist ~/.wine-pipelight
 whitelist ~/.wine-pipelight64
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index b86c6f998..efe5c850d 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -39,19 +39,19 @@ blacklist /usr/share/applications/veracrypt.*
 blacklist /usr/share/pixmaps/veracrypt.*
 blacklist ${HOME}/.VeraCrypt
-# TrueCrypt                                                                                                                                                                                                         
+# TrueCrypt
-blacklist ${PATH}/truecrypt                                                                                                                                                                                         
+blacklist ${PATH}/truecrypt
-blacklist ${PATH}/truecrypt-uninstall.sh                                                                                                                                                                            
+blacklist ${PATH}/truecrypt-uninstall.sh
-blacklist /usr/share/truecrypt                                                                                                                                                                                      
+blacklist /usr/share/truecrypt
-blacklist /usr/share/applications/truecrypt.*                                                                                                                                                                       
+blacklist /usr/share/applications/truecrypt.*
-blacklist /usr/share/pixmaps/truecrypt.*                                                                                                                                                                            
+blacklist /usr/share/pixmaps/truecrypt.*
-blacklist ${HOME}/.TrueCrypt 
+blacklist ${HOME}/.TrueCrypt
-# zuluCrypt                                                                                                                                                                                                         
+# zuluCrypt
-blacklist ${HOME}/.zuluCrypt                                                                                                                                                                                        
+blacklist ${HOME}/.zuluCrypt
-blacklist ${HOME}/.zuluCrypt-socket                                                                                                                                                                                 
+blacklist ${HOME}/.zuluCrypt-socket
-blacklist ${PATH}/zuluCrypt-cli                                                                                                                                                                                     
+blacklist ${PATH}/zuluCrypt-cli
-blacklist ${PATH}/zuluMount-cli                                                                                                                                                                                                                                                                                                                                                              
+blacklist ${PATH}/zuluMount-cli
 # var
 blacklist /var/spool/cron
@@ -154,7 +154,7 @@ blacklist /etc/ssh
 blacklist /var/backup
 blacklist /home/.ecryptfs
-# system directories    
+# system directories
 blacklist /sbin
 blacklist /usr/sbin
 blacklist /usr/local/sbin
@@ -191,6 +191,7 @@ blacklist ${PATH}/mount.ecryptfs_private
 # other SUID binaries
 blacklist /usr/lib/virtualbox
+blacklist /usr/lib64/virtualbox
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index a9ca487c5..e5eb4f857 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -20,6 +20,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/epiphany
@@ -80,6 +81,7 @@ blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/cherrytree
 blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/qupzilla
 blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/cmus
@@ -148,7 +150,7 @@ blacklist ${HOME}/.config/xreader
 blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
-blacklist ${HOME}/.conkeror.mozdev.org 
+blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox-dist
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 4f971f330..c3a9b2a62 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -35,14 +35,14 @@ whitelist ~/.config/qpdfview
 whitelist ~/.local/share/qpdfview
 whitelist ~/.kde/share/apps/okular
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 #silverlight
 whitelist ~/.wine-pipelight
 whitelist ~/.wine-pipelight64
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index 7e0eb486b..3c23ff6f6 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -29,10 +29,11 @@ whitelist ~/.cache/slimjet
 mkdir ~/.pki
 whitelist ~/.pki
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index fe870274f..3d483967c 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -19,9 +19,10 @@ mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index f6680ac2d..0189ce40b 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -19,9 +19,10 @@ mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index a9fcebe73..3083c2afd 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -19,10 +19,10 @@ mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 0348076da..038afc876 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -29,14 +29,14 @@ whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
 #silverlight
 whitelist ~/.wine-pipelight
 whitelist ~/.wine-pipelight64
diff --git a/etc/inox.profile b/etc/inox.profile
index 49d2f2835..6f6d140e2 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -14,10 +14,11 @@ whitelist ~/.cache/inox
 mkdir ~/.pki
 whitelist ~/.pki
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
new file mode 100644
index 000000000..d8621773f
--- /dev/null
+++ b/etc/keepassx2.profile
@@ -0,0 +1,22 @@
+# keepassx password manager profile
+noblacklist ${HOME}/.config/keepassx
+noblacklist ${HOME}/.keepassx
+noblacklist ${HOME}/keepassx.kdbx
+ 
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+private-tmp
+private-dev 
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
index 2071e5519..644a1605b 100644
--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -19,10 +19,11 @@ whitelist ~/.config/netsurf
 mkdir ~/.cache/netsurf
 whitelist ~/.cache/netsurf
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 12c91c744..4cdb0a9eb 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -16,10 +16,10 @@ mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/opera.profile b/etc/opera.profile
index e0c89a195..a337ccc5b 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -19,10 +19,10 @@ mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index 71deec6bc..1476369a1 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -44,11 +44,11 @@ private-tmp
 #whitelist ~/.config/pipelight-widevine
 #whitelist ~/.config/pipelight-silverlight5.1
+# lastpass, keepass
-# lastpass, keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepassx
+whitelist ~/.keepass
-whitelist ~/.config/keepassx
+whitelist ~/.config/keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile
new file mode 100644
index 000000000..387ddeffa
--- /dev/null
+++ b/etc/qupzilla.profile
@@ -0,0 +1,22 @@
+# Firejail profile for Qupzilla web browser
+noblacklist ${HOME}/.config/qupzilla
+noblacklist ${HOME}/.cache/qupzilla
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+tracelog
+noroot
+whitelist ${DOWNLOADS}
+whitelist ~/.config/qupzilla
+whitelist ~/.cache/qupzilla
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index b981d9516..5d817acce 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -31,10 +31,11 @@ whitelist ~/.cache/gnome-mplayer/plugin
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 4dcfa64d9..667b775c8 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -11,10 +11,10 @@ nonewprivs
 noroot
 nosound
 shell none
-#seccomp
+seccomp
-protocol unix,inet,inet6
+# protocol unix,inet,inet6
-private-bin skanlite
+# private-bin skanlite
 # private-dev
 # private-tmp
 # private-etc
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 36a1e0704..1e765b89b 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -1,12 +1,22 @@
-# VirtualBox profile
+# virtualbox profile
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
 noblacklist ${HOME}/.config/VirtualBox
-noblacklist /usr/bin/virtualbox
+mkdir ~/VirtualBox VMs
+whitelist ~/VirtualBox VMs
+mkdir ~/.config/VirtualBox
+whitelist ~/.config/VirtualBox
+# noblacklist /usr/bin/virtualbox
+noblacklist /usr/lib/virtualbox
+noblacklist /usr/lib64/virtualbox
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/whitelist-common.inc
 caps.drop all
+netfilter
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 08b046847..b3a096069 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -14,10 +14,10 @@ mkdir ~/.cache/vivaldi
 whitelist ~/.cache/vivaldi
 include /etc/firejail/whitelist-common.inc
-# lastpass, keepassx
+# lastpass, keepass
-whitelist ~/.keepassx
+# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.config/keepassx
+whitelist ~/.keepass
-whitelist ~/keepassx.kdbx
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
 whitelist ~/.lastpass
 whitelist ~/.config/lastpass
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 97e7cf884..9afe42be8 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -111,6 +111,7 @@
 /etc/firejail/keepass.profile
 /etc/firejail/keepass2.profile
 /etc/firejail/keepassx.profile
+/etc/firejail/keepassx2.profile
 /etc/firejail/kmail.profile
 /etc/firejail/konversation.profile
 /etc/firejail/less.profile
@@ -237,3 +238,5 @@
 /etc/firejail/xonotic-glx.profile
 /etc/firejail/xonotic-sdl.profile
 /etc/firejail/xonotic.profile
+/etc/firejail/VirtualBox.profile
+/etc/firejail/qupzilla.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index c4f52e256..fe65a5077 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -190,6 +190,7 @@ ranger
 keepass
 keepass2
 keepassx
+keepassx2
 pluma
 tracker
 wireshark
@@ -204,4 +205,3 @@ gnome-weather
 ark
 atool
 file-roller
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index cadf4795d..dcb0a5424 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -157,3 +157,47 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
        assert(*command_line);
        assert(*window_title);
 }
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path) {
+        // index == -1 could happen if we have --shell=none and no program was specified
+        // the program should exit with an error before entering this function
+        assert(index != -1);
+        unsigned argcount = argc - index;
+        int len1 = cmdline_length(argc, argv, index);  // length of argv w/o changes
+        int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
+        int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/.appimage-23304/AppRun
+        int len4 = (len1 - len2 + len3) + 1;           // apptest.AppImage is replaced by /path/to/AppRun
+        if (len4 > ARG_MAX) {
+                errno = E2BIG;
+                errExit("cmdline_length");
+        }
+        // save created apprun in cfg.command_line
+        char *tmp1 = strdup(*command_line);
+        if (!tmp1)
+                errExit("strdup");
+        // TODO: deal with extra allocated memory.
+        char *command_line_tmp = malloc(len1 + len3 + 1);
+        if (!command_line_tmp)
+                        errExit("malloc");
+        *window_title = malloc(len1 + len3 + 1);
+        if (!*window_title)
+                        errExit("malloc");
+        // run default quote_cmdline
+        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index);
+        assert(command_line_tmp);
+        assert(*window_title);
+        // 'fix' command_line now
+        if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1)
+                errExit("asprintf");
+        // free strdup
+        free(tmp1);
+}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8fede5a69..36cf47435 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -208,7 +208,7 @@ typedef struct config_t {
        char *bin_private_keep; // keep list for private bin directory
        char *cwd;              // current working directory
        char *overlay_dir;
-   char *private_template; // template dir for tmpfs home
+        char *private_template; // template dir for tmpfs home
        // networking
        char *name;             // sandbox name
@@ -285,6 +285,7 @@ void clear_run_files(pid_t pid);
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
+extern int arg_allow_private_blacklist;  // blacklist things in private directories
 extern int arg_debug;           // print debug messages
 extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
@@ -564,6 +565,7 @@ void network_del_run_file(pid_t pid);
 void network_set_run_file(pid_t pid);
 // fs_etc.c
+void fs_machineid(void);
 void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
 // no_sandbox.c
@@ -681,6 +683,7 @@ long unsigned int appimage2_size(const char *fname);
 // cmdline.c
 void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path);
 // sbox.c
 // programs
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index adddf626b..e2fc09533 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -216,6 +216,15 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
                                exit(1);
                        }
                }
+                // We don't usually need to blacklist things in private home directories
+                if (okay_to_blacklist
+                 && cfg.homedir
+                 && arg_private
+                 && (!arg_allow_private_blacklist)
+                 && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0))
+                        okay_to_blacklist = false;
                if (okay_to_blacklist)
                        disable_file(op, path);
                else if (arg_debug)
@@ -532,29 +541,35 @@ void fs_proc_sys_dev_boot(void) {
        disable_file(BLACKLIST_FILE, "/dev/port");
        
-        // disable various ipc sockets
-        struct stat s; 
-        // disable /run/user/{uid}/gnupg
+        // disable various ipc sockets in /run/user
-        char *fnamegpg;
+        struct stat s; 
-        if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
+        
-                errExit("asprintf");
+        char *fname;
-        if (stat(fnamegpg, &s) == -1) 
+        if (asprintf(&fname, "/run/usr/%d", getuid()) == -1)
-            mkdir_attr(fnamegpg, 0700, getuid(), getgid());
-        if (stat(fnamegpg, &s) == 0)
-                disable_file(BLACKLIST_FILE, fnamegpg);
-        free(fnamegpg);
-        // disable /run/user/{uid}/systemd
-        char *fnamesysd;
-        if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
                errExit("asprintf");
-        if (stat(fnamesysd, &s) == -1) 
+        if (is_dir(fname)) { // older distros don't have this directory
-                mkdir_attr(fnamesysd, 0755, getuid(), getgid());
+                // disable /run/user/{uid}/gnupg
-        if (stat(fnamesysd, &s) == 0)
+                char *fnamegpg;
-                disable_file(BLACKLIST_FILE, fnamesysd);
+                if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
-        free(fnamesysd);
+                        errExit("asprintf");
+                if (stat(fnamegpg, &s) == -1) 
+                    mkdir_attr(fnamegpg, 0700, getuid(), getgid());
+                if (stat(fnamegpg, &s) == 0)
+                        disable_file(BLACKLIST_FILE, fnamegpg);
+                free(fnamegpg);
+                
+                // disable /run/user/{uid}/systemd
+                char *fnamesysd;
+                if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+                        errExit("asprintf");
+                if (stat(fnamesysd, &s) == -1) 
+                        mkdir_attr(fnamesysd, 0755, getuid(), getgid());
+                if (stat(fnamesysd, &s) == 0)
+                        disable_file(BLACKLIST_FILE, fnamesysd);
+                free(fnamesysd);
+        }
+        free(fname);
        
 // todo: investigate
 #if 0
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index a27c0e41b..479383af2 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -21,6 +21,7 @@
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <time.h>
 #include <unistd.h>
 // spoof /etc/machine_id
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b25bad9f2..15820f7dd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -112,6 +112,7 @@ int arg_x11_block = 0;				// block X11
 int arg_x11_xorg = 0;                           // use X11 security extention
 int arg_allusers = 0;                           // all user home directories visible
 int arg_machineid = 0;                          // preserve /etc/machine-id
+int arg_allow_private_blacklist = 0;  // blacklist things in private directories
 int login_shell = 0;
@@ -1463,6 +1464,9 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--machine-id") == 0) {
                        arg_machineid = 1;
                }
+                else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
+                        arg_allow_private_blacklist = 1;
+                }
                else if (strcmp(argv[i], "--private") == 0) {
                        arg_private = 1;
                }
@@ -2156,7 +2160,7 @@ int main(int argc, char **argv) {
                if (arg_debug)
                        printf("Configuring appimage environment\n");
                appimage_set(cfg.command_name);
-                cfg.window_title = "appimage";
+                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line);
        }
        else {
                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index db3c25a5a..9f4dfd44c 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,12 +30,14 @@ void usage(void) {
        printf("Options:\n");
        printf("    -- - signal the end of options and disables further option processing.\n");
        printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
+        printf("    --allow-private-blacklist - allow blacklisting files in private\n");
+        printf("\thome directories.\n");
        printf("    --allusers - all user home directories are visible inside the sandbox.\n");
        printf("    --apparmor - enable AppArmor confinement.\n");
        printf("    --appimage - sandbox an AppImage application.\n");
        printf("    --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK     
-        printf("    --bandwidth=name|pid - set  bandwidth  limits\n");
+        printf("    --bandwidth=name|pid - set bandwidth limits.\n");
 #endif
 #ifdef HAVE_BIND                
        printf("    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 5b43b1ca5..60c21cbc1 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -84,6 +84,15 @@ Example:
 .br
 $ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
+\fB\-\-allow-private-blacklist
+Allow blacklisting files in private home directory. By default these blacklists are disabled.
+.br
+.br
+Example:
+.br
+$ firejail  --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla
+.TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
 .br
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
new file mode 100755
index 000000000..93dba69ad
--- /dev/null
+++ b/test/appimage/appimage-args.exp
@@ -0,0 +1,97 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "execvp argument 2"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "AppRun"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "testfile"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "appimage Leafpad"
+}
+after 100
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 9 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "appimage Leafpad"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "name=blablabla"
+}
+after 100
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
index db221ec8a..bb646e189 100755
--- a/test/appimage/appimage.sh
+++ b/test/appimage/appimage.sh
@@ -13,4 +13,8 @@ echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)"
 ./appimage-v2.exp
 echo "TESTING: AppImage file name (test/appimage/filename.exp)";
-./filename.exp
-\ No newline at end of file
+./filename.exp
+echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
+./appimage-args.exp
diff --git a/test/fcopy/dircopy.exp b/test/fcopy/dircopy.exp
index 00b0204ae..dc8c80569 100755
--- a/test/fcopy/dircopy.exp
+++ b/test/fcopy/dircopy.exp
@@ -21,30 +21,58 @@ expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "dest/"
 }
+after 100
+send -- "find dest\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "dest/"
+}
+after 100
+send -- "find dest\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "dest/a"
 }
+after 100
+send -- "find dest\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "dest/a/b"
 }
+after 100
+send -- "find dest\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "dest/a/b/file4"
 }
+after 100
+send -- "find dest\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "dest/a/file3"
 }
+after 100
+send -- "find dest\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "dest/dircopy.exp"
 }
+after 100
+send -- "find dest\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
        "dest/file2"
 }
+after 100
+send -- "find dest\r"
 expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "dest/file1"
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp
index 5491be834..f85a939b1 100755
--- a/test/fs/private-home-dir.exp
+++ b/test/fs/private-home-dir.exp
@@ -21,6 +21,8 @@ if {[file exists ~/.Xauthority]} {
        send -- "touch ~/.Xauthority\r"
 }
 after 100
+send -- "rm -fr ~/_firejail_test_dir_\r"
+after 100
 send -- "mkdir ~/_firejail_test_dir_\r"
 sleep 1
@@ -65,6 +67,64 @@ expect {
        "private directory should be owned by the current user"
 }
 sleep 1
+send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"
+after 100
+send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r"
+sleep 1
+send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Not blacklist"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "test_dir_2"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "find ~\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "testfile"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Disable"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "test_dir_2"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls ~/test_dir_2\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "cannot open directory"
+}
+after 100
+send "exit\r"
+sleep 1
+send -- "rm -fr ~/_firejail_test_dir_\r"
+after 100
-puts "all done\n"
+puts "\nall done\n"
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp
index 4dadeacb1..6a1ad535c 100755
--- a/test/fs/private-whitelist.exp
+++ b/test/fs/private-whitelist.exp
@@ -34,6 +34,7 @@ expect {
        "3" {puts "3\n"}
        "4" {puts "4\n"}
        "5" {puts "5\n"}
+        "6" {puts "6\n"}
 }
 sleep 1
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
index a19d5cedf..a2002bc0a 100755
--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -14,7 +14,7 @@ expect {
 }
 sleep 1
-send -- "ls -l /dev | find /dev | wc -l\r"
+send -- "find /dev | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "2"
@@ -23,17 +23,17 @@ after 100
 send -- "exit\r"
 sleep 1
-send -- "firejail --whitelist=/var/tmp --debug\r"
+send -- "firejail --private-dev --debug\r"
 expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "Child process initialized"
 }
 sleep 1
-send -- "ls -l /dev | find /dev | wc -l\r"
+send -- "ls -l /dev | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
-        "2"
+        "13"
 }
 after 100
 send -- "exit\r"
diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp
index ca2e57313..0a6f46102 100755
--- a/test/utils/cpu-print.exp
+++ b/test/utils/cpu-print.exp
@@ -7,18 +7,34 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --name=test --cpu=1,2\r"
+send -- "firejail --name=test --cpu=0\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Child process initialized"
 }
-sleep 2
+sleep 1
+send -- "cat /proc/self/status | grep Cpus\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Cpus_allowed_list:     0"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --name=test --cpu=1\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
 spawn $env(SHELL)
 send -- "firejail --cpu.print=test\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
-        "Cpus_allowed_list:     1-2"
+        "Cpus_allowed_list:     1"
 }
 after 100
 puts "\nall done\n"
diff --git a/test/utils/trace.exp b/test/utils/trace.exp
index 78a04b273..eedc0f23f 100755
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -53,15 +53,15 @@ expect {
 sleep 1
 send -- "firejail --trace wget -q debian.org\r"
-expect {
+#expect {
-        timeout {puts "TESTING ERROR 8.1\n";exit}
+#       timeout {puts "TESTING ERROR 8.1\n";exit}
-        "Child process initialized"
+#       "Child process initialized"
-}
+#}
-expect {
+#expect {
-        timeout {puts "TESTING ERROR 8.2\n";exit}
+#       timeout {puts "TESTING ERROR 8.2\n";exit}
-        "bash:open /dev/tty" {puts "OK\n";}
+#       "bash:open /dev/tty" {puts "OK\n";}
-        "bash:open64 /dev/tty" {puts "OK\n";}
+#       "bash:open64 /dev/tty" {puts "OK\n";}
-}
+#}
 expect {
        timeout {puts "TESTING ERROR 8.3\n";exit}
        "wget:fopen64 /etc/wgetrc" {puts "OK\n";}