58 files changed, 1159 insertions, 592 deletions
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 71791c000..57ac2e9c4 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,10 +1,10 @@
 If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
-If you make a PR for new profiles or changeing profiles please do the following:
+If you submit a PR for new profiles or changing profiles, please do the following:
- - The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).  
+ - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template).  
-   > Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository.
+   > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository.
- - Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).  
+ - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py).  
 The path to it depends on your distro:
   | Distro | Path |
diff --git a/README.md b/README.md
index d7abc77ae..175ba70b6 100644
--- a/README.md
+++ b/README.md
@@ -330,5 +330,6 @@ Stats:
 ### New profiles:
-vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop.
+vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
-avidemux, calligragemini, vmware-player, vmware-workstation, gget
-\ No newline at end of file
+avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
+pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2
diff --git a/RELNOTES b/RELNOTES
index b1322e0dc..3b74ebd5a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -15,7 +15,8 @@ firejail (0.9.65) baseline; urgency=low
  * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
  * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
  * avidemux, calligragemini, vmware-player, vmware-workstation
-  * gget
+  * gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr
+  * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2
 -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
 firejail (0.9.64.4) baseline; urgency=low
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index d724e3b52..52534a9e9 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -442,6 +442,7 @@ blacklist ${PATH}/mount
 blacklist ${PATH}/mount.ecryptfs_private
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
+blacklist ${PATH}/nmap
 blacklist ${PATH}/newgidmap
 blacklist ${PATH}/newgrp
 blacklist ${PATH}/newuidmap
@@ -452,6 +453,7 @@ blacklist ${PATH}/sg
 blacklist ${PATH}/strace
 blacklist ${PATH}/su
 blacklist ${PATH}/sudo
+blacklist ${PATH}/tcpdump
 blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/xev
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index d74d21a9b..ca3fcd216 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -5,6 +5,7 @@ include disable-programs.local
 blacklist ${HOME}/Arduino
 blacklist ${HOME}/i2p
 blacklist ${HOME}/Monero/wallets
+blacklist ${HOME}/Nextcloud
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
@@ -117,6 +118,7 @@ blacklist ${HOME}/.config/MusE
 blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
+blacklist ${HOME}/.config/Nextcloud
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PacmanLogViewer
 blacklist ${HOME}/.config/PBE
@@ -266,6 +268,7 @@ blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/iridium
 blacklist ${HOME}/.config/itch
+blacklist ${HOME}/.config/jami
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/k3brc
 blacklist ${HOME}/.config/kaffeinerc
@@ -305,7 +308,6 @@ blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lutris
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
-blacklist ${HOME}/.local/share/man
 blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
@@ -334,6 +336,7 @@ blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/neomutt
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/newsbeuter
+blacklist ${HOME}/.config/newsboat
 blacklist ${HOME}/.config/newsflash
 blacklist ${HOME}/.config/nheko
 blacklist ${HOME}/.config/NitroShare
@@ -345,6 +348,7 @@ blacklist ${HOME}/.config/okularrc
 blacklist ${HOME}/.config/onboard
 blacklist ${HOME}/.config/onionshare
 blacklist ${HOME}/.config/onlyoffice
+blacklist ${HOME}/.config/openmw
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
@@ -437,6 +441,7 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtube-dlg
 blacklist ${HOME}/.config/youtubemusic-nativefier-040164
 blacklist ${HOME}/.config/youtube-music-desktop-app
 blacklist ${HOME}/.config/youtube-viewer
@@ -583,6 +588,7 @@ blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Kingsoft
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/Nextcloud
 blacklist ${HOME}/.local/share/PBE
 blacklist ${HOME}/.local/share/Psi
 blacklist ${HOME}/.local/share/QGIS
@@ -659,6 +665,7 @@ blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/i2p
 blacklist ${HOME}/.local/share/IntoTheBreach
+blacklist ${HOME}/.local/share/jami
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kalgebra
 blacklist ${HOME}/.local/share/kate
@@ -684,11 +691,13 @@ blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
 blacklist ${HOME}/.local/share/lugaru
 blacklist ${HOME}/.local/share/lutris
+blacklist ${HOME}/.local/share/man
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/matrix-mirage
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
+blacklist ${HOME}/.local/share/minder
 blacklist ${HOME}/.local/share/mirage
 blacklist ${HOME}/.local/share/multimc
 blacklist ${HOME}/.local/share/multimc5
@@ -699,11 +708,14 @@ blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
 blacklist ${HOME}/.local/share/nemo-python
 blacklist ${HOME}/.local/share/news-flash
+blacklist ${HOME}/.local/share/newsbeuter
+blacklist ${HOME}/.local/share/newsboat
 blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/onlyoffice
+blacklist ${HOME}/.local/share/openmw
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/Paradox Interactive
@@ -787,6 +799,7 @@ blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
+blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index adca38cb5..2b032e977 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -40,7 +40,7 @@ seccomp
 shell none
 tracelog
-private-bin atril,atril-previewer,atril-thumbnailer
+private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
 private-dev
 private-etc alternatives,fonts,ld.so.cache
 # atril uses webkit gtk to display epub files
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
new file mode 100644
index 000000000..8be06a4b3
--- /dev/null
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -0,0 +1,61 @@
+# Firejail profile for com.github.phase1geo.minder
+# Description: Mind-mapping application
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.phase1geo.minder.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/minder
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/minder
+whitelist ${HOME}/.local/share/minder
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin com.github.phase1geo.minder
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,passwd,X11,xdg
+private-tmp
+dbus-user filter
+dbus-user.own com.github.phase1geo.minder
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 13d830b55..fc920a065 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 mkdir ${HOME}/.cache/dolphin-emu
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 6c0892c56..54fe6a0f9 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -17,7 +17,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-net none
 no3d
 nodvd
 nogroups
@@ -36,7 +35,4 @@ tracelog
 private-dev
 # private-tmp
-dbus-user none
 dbus-system none
-memory-deny-write-execute
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index ca7731442..4da087f7f 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -3,11 +3,15 @@
 include firefox-common-addons.local
 ignore include whitelist-runuser-common.inc
+ignore private-cache
+noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/kgetrc
+noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
 noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.kde/share/apps/kget
 noblacklist ${HOME}/.kde/share/apps/okular
 noblacklist ${HOME}/.kde/share/config/kgetrc
@@ -22,15 +26,19 @@ noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/kxmlgui5/okular
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.netrc
 whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
 whitelist ${HOME}/.config/gnome-mplayer
 whitelist ${HOME}/.config/kgetrc
+whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/okularpartrc
 whitelist ${HOME}/.config/okularrc
 whitelist ${HOME}/.config/pipelight-silverlight5.1
 whitelist ${HOME}/.config/pipelight-widevine
 whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.kde/share/apps/kget
 whitelist ${HOME}/.kde/share/apps/okular
 whitelist ${HOME}/.kde/share/config/kgetrc
@@ -48,6 +56,7 @@ whitelist ${HOME}/.local/share/kxmlgui5/okular
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.local/share/tridactyl
+whitelist ${HOME}/.netrc
 whitelist ${HOME}/.pentadactyl
 whitelist ${HOME}/.pentadactylrc
 whitelist ${HOME}/.tridactylrc
@@ -57,6 +66,9 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+whitelist /usr/share/lua
+whitelist /usr/share/lua*
+whitelist /usr/share/vulkan
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python
 noblacklist ${HOME}/.local/share/gnome-shell
@@ -75,17 +87,5 @@ include allow-python3.inc
 # ff2mpv
 #ignore noexec ${HOME}
-#noblacklist ${HOME}/.config/mpv
-#noblacklist ${HOME}/.config/youtube-dl
-#noblacklist ${HOME}/.netrc
 #include allow-lua.inc
-#include allow-python3.inc
-#mkdir ${HOME}/.config/mpv
-#mkdir ${HOME}/.config/youtube-dl
-#whitelist ${HOME}/.config/mpv
-#whitelist ${HOME}/.config/youtube-dl
-#whitelist ${HOME}/.netrc
-#whitelist /usr/share/lua
-#whitelist /usr/share/lua*
-#whitelist /usr/share/vulkan
 #private-bin env,mpv,python3*,waf,youtube-dl
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index d56d6714e..820d5e694 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -55,5 +55,5 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
 private-tmp
-dbus-user none
+dbus-user filter
 dbus-system none
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
new file mode 100644
index 000000000..226bb0008
--- /dev/null
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -0,0 +1,42 @@
+# Firejail profile for jami-gnome
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami-gnome.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/jami
+noblacklist ${HOME}/.local/share/jami
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+#include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+mkdir ${HOME}/.config/jami
+mkdir ${HOME}/.local/share/jami
+whitelist ${HOME}/.config/jami
+whitelist ${HOME}/.local/share/jami
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+disable-mnt
+private-dev
+private-tmp
+env QT_QPA_PLATFORM=xcb
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
new file mode 100644
index 000000000..b2687ba3c
--- /dev/null
+++ b/etc/profile-m-z/PCSX2.profile
@@ -0,0 +1,57 @@
+# Firejail profile for PCSX2
+# Description: A PlayStation 2 emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PCSX2.local
+# Persistent global definitions
+include globals.local
+# Note: you must whitelist your games folder in a PCSX2.local
+noblacklist ${HOME}/.config/PCSX2
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/PCSX2
+whitelist ${HOME}/.config/PCSX2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Uncomment the following line if not loading games from disc
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+#seccomp - breaks loading with no logs
+shell none
+#tracelog - 32/64 bit incompatibility
+private-bin PCSX2
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-opt none
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/PPSSPPSDL.profile b/etc/profile-m-z/PPSSPPSDL.profile
new file mode 100644
index 000000000..deb00a436
--- /dev/null
+++ b/etc/profile-m-z/PPSSPPSDL.profile
@@ -0,0 +1,9 @@
+# Firejail profile for PPSSPPSDL
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PPSSPPSDL.local
+# added by included profile
+#include globals.local
+# Redirect
+include ppsspp.profile
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index c6c50cf47..965750bf0 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -57,7 +57,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 029d0183d..70e5c72cf 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -14,6 +14,8 @@ include globals.local
 noblacklist ${HOME}/.cache/marker
 noblacklist ${DOCUMENTS}
+include allow-python3.inc
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -48,7 +50,7 @@ seccomp.block-secondary
 shell none
 tracelog
-private-bin marker
+private-bin marker,python3*
 private-cache
 private-dev
 private-etc alternatives,dconfgtk-3.0,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,pango,X11
diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile
index 85581a2f0..6efb19502 100644
--- a/etc/profile-m-z/newsbeuter.profile
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -7,13 +7,23 @@ include newsbeuter.local
 # added by included profile
 #include globals.local
-noblacklist ${HOME}/.config/newsbeuter
+ignore include newsboat.local
-noblacklist ${HOME}/.newsbeuter
+ignore mkdir ${HOME}/.config/newsboat
+ignore mkdir ${HOME}/.local/share/newsboat
+ignore mkdir ${HOME}/.newsboat
+blacklist ${PATH}/newsboat
+blacklist ${HOME}/.config/newsboat
+blacklist ${HOME}/.local/share/newsboat
+blacklist ${HOME}/.newsboat
+nowhitelist ${HOME}/.config/newsboat
+nowhitelist ${HOME}/.local/share/newsboat
+nowhitelist ${HOME}/.newsboat
 mkdir ${HOME}/.config/newsbeuter
+mkdir ${HOME}/.local/share/newsbeuter
 mkdir ${HOME}/.newsbeuter
-whitelist ${HOME}/.config/newsbeuter
-whitelist ${HOME}/.newsbeuter
 private-bin newsbeuter
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index 85b780ced..23c2de43c 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -6,6 +6,11 @@ include newsboat.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.config/newsbeuter
+noblacklist ${HOME}/.config/newsboat
+noblacklist ${HOME}/.local/share/newsbeuter
+noblacklist ${HOME}/.local/share/newsboat
+noblacklist ${HOME}/.newsbeuter
 noblacklist ${HOME}/.newsboat
 include disable-common.inc
@@ -16,7 +21,14 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/newsboat
+mkdir ${HOME}/.local/share/newsboat
 mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.config/newsbeuter
+whitelist ${HOME}/.config/newsboat
+whitelist ${HOME}/.local/share/newsbeuter
+whitelist ${HOME}/.local/share/newsboat
+whitelist ${HOME}/.newsbeuter
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -38,7 +50,7 @@ seccomp
 shell none
 disable-mnt
-private-bin gzip,lynx,newsboat,sh
+private-bin gzip,lynx,newsboat,sh,w3m
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
diff --git a/etc/profile-m-z/nextcloud-desktop.profile b/etc/profile-m-z/nextcloud-desktop.profile
new file mode 100644
index 000000000..e74f9c03f
--- /dev/null
+++ b/etc/profile-m-z/nextcloud-desktop.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for nextcloud
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nextcloud-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+# Redirect
+include nextcloud.profile
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
new file mode 100644
index 000000000..4e7c902d9
--- /dev/null
+++ b/etc/profile-m-z/nextcloud.profile
@@ -0,0 +1,71 @@
+# Firejail profile for nextcloud
+# Description: Nextcloud desktop synchronization client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nextcloud.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/Nextcloud
+noblacklist ${HOME}/.config/Nextcloud
+noblacklist ${HOME}/.local/share/Nextcloud
+# Uncomment or put in your nextcloud.local to allow sync with more directories.
+#noblacklist ${DOCUMENTS}
+#noblacklist ${MUSIC}
+#noblacklist ${PICTURES}
+#noblacklist ${VIDEOS}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/Nextcloud
+mkdir ${HOME}/.config/Nextcloud
+mkdir ${HOME}/.local/share/Nextcloud
+whitelist ${HOME}/Nextcloud
+whitelist ${HOME}/.config/Nextcloud
+whitelist ${HOME}/.local/share/Nextcloud
+# Uncomment or put in your nextcloud.local to allow sync with more directories.
+#whitelist ${DOCUMENTS}
+#whitelist ${MUSIC}
+#whitelist ${PICTURES}
+#whitelist ${VIDEOS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin nextcloud,nextcloud-desktop
+private-cache
+private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-dev
+private-tmp
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-m-z/openmw-launcher.profile b/etc/profile-m-z/openmw-launcher.profile
new file mode 100644
index 000000000..c9cc144e4
--- /dev/null
+++ b/etc/profile-m-z/openmw-launcher.profile
@@ -0,0 +1,7 @@
+# Firejail profile for openmw-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openmw-launcher.local
+# Redirect
+include openmw.profile
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
new file mode 100644
index 000000000..270d64c1e
--- /dev/null
+++ b/etc/profile-m-z/openmw.profile
@@ -0,0 +1,61 @@
+# Firejail profile for openmw
+# Description: Open source engine re-implementation for Morrowind
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openmw.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/openmw
+noblacklist ${HOME}/.local/share/openmw
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/openmw
+mkdir ${HOME}/.local/share/openmw
+whitelist ${HOME}/.config/openmw
+# Copy Morrowind data files into the following directory or load it from /mnt
+# or whitelist it in a openmw.local
+whitelist ${HOME}/.local/share/openmw
+whitelist /usr/share/openmw
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Uncomment the following line if installing from disc
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,drirc,fonts,glvnd,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nvidia,openmw,pango,passwd,pulse,Trolltech.conf,X11,xdg
+private-opt none
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile
new file mode 100644
index 000000000..c25c4ae66
--- /dev/null
+++ b/etc/profile-m-z/pcsxr.profile
@@ -0,0 +1,57 @@
+# Firejail profile for pcsxr
+# Description: A PlayStation emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pcsxr.local
+# Persistent global definitions
+include globals.local
+# Note: you must whitelist your games folder in a pcsxr.local
+noblacklist ${HOME}/.pcsxr
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+mkdir ${HOME}/.pcsxr
+whitelist ${HOME}/.pcsxr
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Uncomment the following line if not loading games from disc
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+private-bin pcsxr
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-opt none
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index c71553bcd..263d99c83 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -1,13 +1,14 @@
 # Firejail profile for ppsspp
-# Description: A PSP emulator written in C++
+# Description: A PSP emulator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include ppsspp.local
 # Persistent global definitions
 include globals.local
+# Note: you must whitelist your games folder in a ppsspp.local
 noblacklist ${HOME}/.config/ppsspp
-noblacklist ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
@@ -15,8 +16,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
+mkdir ${HOME}/.config/ppsspp
+whitelist ${HOME}/.config/ppsspp
+whitelist /usr/share/ppsspp
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
@@ -27,11 +35,13 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,netlink
 seccomp
 shell none
+private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
 # uncomment the following line if you do not need controller support
 #private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index 7984702f3..6f863d7a1 100644
--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist ${PATH}/tcpdump
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index fce7dc461..38d291324 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -36,10 +36,20 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 disable-mnt
+#private-bin telegram,Telegram,telegram-desktop
 private-cache
 private-dev
 private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk org.freedesktop.ScreenSaver
+dbus-system none
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 232ff8ae4..64d787bfb 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -44,6 +44,7 @@ shell none
 tracelog
 #disable-mnt
+#private-bin basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
 private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
new file mode 100644
index 000000000..c072d6267
--- /dev/null
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -0,0 +1,56 @@
+# Firejail profile for youtube-dl-gui
+# Description: A cross platform front-end GUI of the popular youtube-dl media downloader
+include youtube-dl-gui.local
+# This file is overwritten after every install/update
+include globals.local
+#These are blacklisted by disable-interpreters.inc
+include allow-python2.inc
+include allow-python3.inc
+noblacklist ${HOME}/.config/youtube-dlg
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/youtube-dlg
+whitelist ${HOME}/.config/youtube-dlg
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 17d7f55b2..065245a63 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -1,5 +1,5 @@
 # Firejail profile for PROGRAM_NAME
-# Description: DESCRIPTION
+# Description: DESCRIPTION OF THE PROGRAM
 # This file is overwritten after every install/update
 # --- CUT HERE ---
 # This is a generic template to help you create profiles.
@@ -10,8 +10,8 @@
 #  - lines with two ## are only needed in special situations
 #  - make the profile as restrictive as possible while still keeping the program useful
 #    (e.g. a program that is unable to save user's work is considered bad practice)
-#  - dedicate ample time (based on the complexity of the application) to profile testing before raising
+#  - dedicate ample time (based on the complexity of the application) to profile testing before
-#    a pull request
+#    submitting a pull request
 #  - keep the sections structure, use a single empty line as separator
 #  - entries within sections are alphabetically sorted
 #  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
@@ -203,7 +203,7 @@ include globals.local
 #  - Some features like native notifications are implemented as portal too.
 #  - In order to make dconf work (when used by the app) you need to allow
 #    'ca.desrt.dconf' even when not allowed by flatpak.
-# Notes and Policiy about addresses can be found at
+# Notes and policies about addresses can be found at
 # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
 #dbus-user filter
 #dbus-user.own com.github.netblue30.firejail
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index a9ede3217..6cef32249 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -20,7 +20,9 @@ Maelstrom
 Maps
 Mathematica
 Natron
+PCSX2
 PPSSPPQt
+PPSSPPSDL
 QMediathekView
 QOwnNotes
 Screenshot
@@ -147,6 +149,7 @@ cola
 com.github.bleakgrey.tootle
 com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
+com.github.phase1geo.minder
 com.gitlab.newsflash
 conkeror
 conky
@@ -554,6 +557,8 @@ neverputt
 newsbeuter
 newsboat
 newsflash
+nextcloud
+nextcloud-desktop
 nheko
 nicotine
 nitroshare
@@ -580,6 +585,8 @@ openarena
 openarena_ded
 opencity
 openclonk
+openmw
+openmw-launcher
 openoffice.org
 openshot
 openshot-qt
@@ -596,6 +603,7 @@ parole
 patch
 pavucontrol
 pavucontrol-qt
+pcsxr
 pdfchain
 pdfmod
 pdfsam
@@ -873,6 +881,7 @@ yandex-browser
 yelp
 youtube
 youtube-dl
+youtube-dl-gui
 youtube-viewer
 youtubemusic-nativefier
 ytmdesktop
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 40e53f44d..59758bf2d 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -29,7 +29,7 @@
 #include <errno.h>
 static char *devloop = NULL;    // device file
-static char *mntdir = NULL;     // mount point in /tmp directory
+static long unsigned size = 0;  // offset into appimage file
 #ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
 static void err_loop(void) {
@@ -44,27 +44,27 @@ void appimage_set(const char *appimage) {
        EUID_ASSERT();
 #ifdef LOOP_CTL_GET_FREE
-        // check appimage file
+        // open appimage file
        invalid_filename(appimage, 0); // no globbing
-        if (access(appimage, R_OK) == -1) {
+        int ffd = open(appimage, O_RDONLY|O_CLOEXEC);
-                fprintf(stderr, "Error: cannot access AppImage file\n");
+        if (ffd == -1) {
+                fprintf(stderr, "Error: cannot read AppImage file\n");
+                exit(1);
+        }
+        struct stat s;
+        if (fstat(ffd, &s) == -1)
+                errExit("fstat");
+        if (!S_ISREG(s.st_mode)) {
+                fprintf(stderr, "Error: invalid AppImage file\n");
                exit(1);
        }
        // get appimage type and ELF size
        // a value of 0 means we are dealing with a type1 appimage
-        long unsigned int size = appimage2_size(appimage);
+        size = appimage2_size(ffd);
        if (arg_debug)
                printf("AppImage ELF size %lu\n", size);
-        // open appimage file
-        /* coverity[toctou] */
-        int ffd = open(appimage, O_RDONLY|O_CLOEXEC);
-        if (ffd == -1) {
-                fprintf(stderr, "Error: cannot open AppImage file\n");
-                exit(1);
-        }
        // find or allocate a free loop device to use
        EUID_ROOT();
        int cfd = open("/dev/loop-control", O_RDWR);
@@ -77,6 +77,7 @@ void appimage_set(const char *appimage) {
        if (asprintf(&devloop, "/dev/loop%d", devnr) == -1)
                errExit("asprintf");
+        // associate loop device with appimage
        int lfd = open(devloop, O_RDONLY);
        if (lfd == -1)
                err_loop();
@@ -90,64 +91,24 @@ void appimage_set(const char *appimage) {
                if (ioctl(lfd,  LOOP_SET_STATUS64, &info) == -1)
                        err_loop();
        }
        close(lfd);
        close(ffd);
        EUID_USER();
-        // creates appimage mount point perms 0700
+        // set environment
-        if (asprintf(&mntdir, "%s/.appimage-%u",  RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
-                errExit("asprintf");
-        EUID_ROOT();
-        mkdir_attr(mntdir, 0700, getuid(), getgid());
-        EUID_USER();
-        // mount
-        char *mode;
-        if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
-                errExit("asprintf");
-        unsigned long flags = MS_MGC_VAL|MS_RDONLY;
-        if (getuid())
-                flags |= MS_NODEV|MS_NOSUID;
-        EUID_ROOT();
-        if (size == 0) {
-                fmessage("Mounting appimage type 1\n");
-                if (mount(devloop, mntdir, "iso9660", flags, mode) < 0)
-                        errExit("mounting appimage");
-        }
-        else {
-                fmessage("Mounting appimage type 2\n");
-                if (mount(devloop, mntdir, "squashfs", flags, NULL) < 0)
-                        errExit("mounting appimage");
-        }
-        if (arg_debug)
-                printf("appimage mounted on %s\n", mntdir);
-        EUID_USER();
        char* abspath = realpath(appimage, NULL);
        if (abspath == NULL)
                errExit("Failed to obtain absolute path");
-        // set environment
        env_store_name_val("APPIMAGE", abspath, SETENV);
+        free(abspath);
-        if (mntdir)
+        env_store_name_val("APPDIR", RUN_FIREJAIL_APPIMAGE_DIR, SETENV);
-                env_store_name_val("APPDIR", mntdir, SETENV);
        if (size != 0)
                env_store_name_val("ARGV0", appimage, SETENV);
        if (cfg.cwd)
                env_store_name_val("OWD", cfg.cwd, SETENV);
-        // build new command line
-        if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1)
-                errExit("asprintf");
-        free(abspath);
-        free(mode);
 #ifdef HAVE_GCOV
        __gcov_flush();
 #endif
@@ -157,44 +118,38 @@ void appimage_set(const char *appimage) {
 #endif
 }
-void appimage_clear(void) {
+// mount appimage into sandbox file system
-        int rv;
+void appimage_mount(void) {
+        if (!devloop)
+                return;
-        EUID_ROOT();
+        unsigned long flags = MS_MGC_VAL|MS_RDONLY;
-        if (mntdir) {
+        if (getuid())
-                int i;
+                flags |= MS_NODEV|MS_NOSUID;
-                int rv = 0;
-                for (i = 0; i < 5; i++) {
-                        rv = umount2(mntdir, MNT_FORCE);
-                        if (rv == 0) {
-                                fmessage("AppImage unmounted\n");
-                                break;
-                        }
-                        if (rv == -1 && errno == EBUSY) {
-                                fwarning("EBUSY error trying to unmount %s\n", mntdir);
-                                sleep(2);
-                                continue;
-                        }
-                        // rv = -1
-                        if (!arg_quiet) {
-                                fwarning("error trying to unmount %s\n", mntdir);
-                                perror("umount");
-                        }
-                }
-                if (rv == 0) {
+        if (size == 0) {
-                        rmdir(mntdir);
+                fmessage("Mounting appimage type 1\n");
-                        free(mntdir);
+                char *mode;
-                }
+                if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
+                        errExit("asprintf");
+                if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "iso9660", flags, mode) < 0)
+                        errExit("mounting appimage");
+                free(mode);
        }
+        else {
+                fmessage("Mounting appimage type 2\n");
+                if (mount(devloop, RUN_FIREJAIL_APPIMAGE_DIR, "squashfs", flags, NULL) < 0)
+                        errExit("mounting appimage");
+        }
+}
+void appimage_clear(void) {
+        EUID_ROOT();
        if (devloop) {
                int lfd = open(devloop, O_RDONLY);
                if (lfd != -1) {
-                        rv = ioctl(lfd, LOOP_CLR_FD, 0);
+                        if (ioctl(lfd, LOOP_CLR_FD, 0) != -1)
-                        (void) rv;
+                                fmessage("AppImage detached\n");
                        close(lfd);
                }
        }
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c
index 4640cb8a5..43ca501da 100644
--- a/src/firejail/appimage_size.c
+++ b/src/firejail/appimage_size.c
@@ -132,22 +132,20 @@ static long unsigned int read_elf64(int fd) {
 // return 0 if error
 // return 0 if this is not an appimgage2 file
-long unsigned int appimage2_size(const char *fname) {
+long unsigned int appimage2_size(int fd) {
        ssize_t ret;
-        int fd;
        long unsigned int size = 0;
-        fd = open(fname, O_RDONLY);
        if (fd < 0)
                return 0;
        ret = pread(fd, ehdr.e_ident, EI_NIDENT, 0);
        if (ret != EI_NIDENT)
-                goto getout;
+                return 0;
        if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) &&
             (ehdr.e_ident[EI_DATA] != ELFDATA2MSB))
-                goto getout;
+                return 0;
        if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) {
                size = read_elf32(fd);
@@ -156,23 +154,19 @@ long unsigned int appimage2_size(const char *fname) {
                size = read_elf64(fd);
        }
        else {
-                goto getout;
+                return 0;
        }
        if (size == 0)
-                goto getout;
+                return 0;
        // look for a LZMA header at this location
        unsigned char buf[4];
        ret = pread(fd, buf, 4, size);
-        if (ret != 4) {
+        if (ret != 4)
-                size = 0;
+                return 0;
-                goto getout;
-        }
        if (memcmp(buf, "hsqs", 4) != 0)
-                size = 0;
+                return 0;
-getout:
-        close(fd);
        return size;
 }
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index 0cdcb32bf..f902c4e1c 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -161,18 +161,16 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
        assert(*window_title);
 }
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path) {
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
        // index == -1 could happen if we have --shell=none and no program was specified
        // the program should exit with an error before entering this function
        assert(index != -1);
-        if (arg_debug)
+        char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun";
-                printf("Building AppImage command line: %s\n", *command_line);
        int len1 = cmdline_length(argc, argv, index);  // length of argv w/o changes
        int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
-        int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/.appimage-23304/AppRun
+        int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/AppRun
        int len4 = (len1 - len2 + len3) + 1;           // apptest.AppImage is replaced by /path/to/AppRun
        if (len4 > ARG_MAX) {
@@ -180,11 +178,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
                errExit("cmdline_length");
        }
-        // save created apprun in cfg.command_line
-        char *tmp1 = strdup(*command_line);
-        if (!tmp1)
-                errExit("strdup");
        // TODO: deal with extra allocated memory.
        char *command_line_tmp = malloc(len1 + len3 + 1);
        if (!command_line_tmp)
@@ -200,13 +193,12 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
        assert(*window_title);
        // 'fix' command_line now
-        if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1)
+        if (asprintf(command_line, "'%s' %s", apprun_path, command_line_tmp + len2) == -1)
                errExit("asprintf");
        if (arg_debug)
                printf("AppImage quoted command line: %s\n", *command_line);
        // free strdup
-        free(tmp1);
        free(command_line_tmp);
 }
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b21b5bef6..ca4c988fa 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -798,15 +798,15 @@ void print_compiletime_support(void);
 // appimage.c
 void appimage_set(const char *appimage_path);
+void appimage_mount(void);
 void appimage_clear(void);
-const char *appimage_getdir(void);
 // appimage_size.c
-long unsigned int appimage2_size(const char *fname);
+long unsigned int appimage2_size(int fd);
 // cmdline.c
 void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path);
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
 // sbox.c
 // programs
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index fe79daa70..fc67a15f3 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -170,6 +170,7 @@ static void disable_file(OPERATION op, const char *filename) {
                                }
                        }
                        fs_tmpfs(fname, getuid());
+                        selinux_relabel_path(fname, fname);
                        last_disable = SUCCESSFUL;
                }
                else
@@ -800,8 +801,6 @@ void disable_config(void) {
                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
        if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
-        if (!arg_appimage && stat(RUN_FIREJAIL_APPIMAGE_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_APPIMAGE_DIR);
 }
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 2c5ea8be0..46f32d7ad 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -31,7 +31,7 @@
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 static void skel(const char *homedir, uid_t u, gid_t g) {
@@ -384,7 +384,6 @@ void fs_private(void) {
                        if (chown(homedir, u, g) < 0)
                                errExit("chown");
-                        selinux_relabel_path(homedir, homedir);
                        fs_logger2("mkdir", homedir);
                        fs_logger2("tmpfs", homedir);
                }
@@ -392,6 +391,8 @@ void fs_private(void) {
                        // mask user home directory
                        // the directory should be owned by the current user
                        fs_tmpfs(homedir, 1);
+                selinux_relabel_path(homedir, homedir);
        }
        skel(homedir, u, g);
@@ -549,7 +550,7 @@ void fs_private_home_list(void) {
        // create /run/firejail/mnt/home directory
        mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
-        selinux_relabel_path(RUN_HOME_DIR, "/home");
+        selinux_relabel_path(RUN_HOME_DIR, homedir);
        fs_logger_print();      // save the current log
        if (arg_debug)
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 7e9666fc0..0491fd9b1 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -23,7 +23,8 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include <dirent.h>
+#include <fcntl.h>
+#include <errno.h>
 #include <glob.h>
 #define MAXBUF 4096
@@ -34,6 +35,31 @@ extern void fslib_install_system(void);
 static int lib_cnt = 0;
 static int dir_cnt = 0;
+static const char *masked_lib_dirs[] = {
+        "/usr/lib64",
+        "/lib64",
+        "/usr/lib",
+        "/lib",
+        "/usr/local/lib64",
+        "/usr/local/lib",
+        NULL,
+};
+// return 1 if the file is in masked_lib_dirs[]
+static int valid_full_path(const char *full_path) {
+        if (strstr(full_path, ".."))
+                return 0;
+        int i = 0;
+        while (masked_lib_dirs[i]) {
+                if (strncmp(full_path, masked_lib_dirs[i], strlen(masked_lib_dirs[i])) == 0 &&
+                    full_path[strlen(masked_lib_dirs[i])] == '/')
+                        return 1;
+                i++;
+        }
+        return 0;
+}
 char *find_in_path(const char *program) {
        EUID_ASSERT();
        if (arg_debug)
@@ -45,9 +71,10 @@ char *find_in_path(const char *program) {
                errExit("readlink");
        self[len] = '\0';
-        char *path = getenv("PATH");
+        const char *path = env_get("PATH");
        if (!path)
                return NULL;
        char *dup = strdup(path);
        if (!dup)
                errExit("strdup");
@@ -80,22 +107,6 @@ char *find_in_path(const char *program) {
        return NULL;
 }
-static void report_duplication(const char *full_path) {
-        char *fname = strrchr(full_path, '/');
-        if (fname && *(++fname) != '\0') {
-                // report the file on all bin paths
-                int i = 0;
-                while (default_lib_paths[i]) {
-                        char *p;
-                        if (asprintf(&p, "%s/%s", default_lib_paths[i], fname) == -1)
-                                errExit("asprintf");
-                        fs_logger2("clone", p);
-                        free(p);
-                        i++;
-                }
-        }
-}
 static char *build_dest_dir(const char *full_path) {
        assert(full_path);
        if (strstr(full_path, "/x86_64-linux-gnu/"))
@@ -103,56 +114,107 @@ static char *build_dest_dir(const char *full_path) {
        return RUN_LIB_DIR;
 }
-// copy fname in private_run_dir
+// return name of mount target in allocated memory
-void fslib_duplicate(const char *full_path) {
+static char *build_dest_name(const char *full_path) {
        assert(full_path);
+        char *fname = strrchr(full_path, '/');
+        assert(fname);
+        fname++;
+        assert(*fname != '\0');
-        struct stat s;
+        char *dest;
-        if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK))
+        if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), fname) == -1)
-                return;
+                errExit("asprintf");
+        return dest;
+}
-        char *dest_dir = build_dest_dir(full_path);
+static void fslib_mount_dir(const char *full_path) {
+        // create new directory and mount the original on top of it
+        char *dest = build_dest_name(full_path);
+        if (mkdir(dest, 0755) == -1) {
+                if (errno == EEXIST) { // directory has been mounted already, nothing to do
+                        free(dest);
+                        return;
+                }
+                errExit("mkdir");
+        }
-        // don't copy it if the file is already there
+        if (arg_debug || arg_debug_private_lib)
-        char *ptr = strrchr(full_path, '/');
+                printf("    mounting %s on %s\n", full_path, dest);
-        if (!ptr)
+        // if full_path is a symbolic link, mount will follow it
-                return;
+        if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
-        ptr++;
+                errExit("mount bind");
-        if (*ptr == '\0')
+        free(dest);
-                return;
+        dir_cnt++;
+}
-        char *name;
+static void fslib_mount_file(const char *full_path) {
-        if (asprintf(&name, "%s/%s", dest_dir, ptr) == -1)
+        // create new file and mount the original on top of it
-                errExit("asprintf");
+        char *dest = build_dest_name(full_path);
-        if (stat(name, &s) == 0) {
+        int fd = open(dest, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
-                free(name);
+        if (fd == -1) {
-                return;
+                if (errno == EEXIST) { // file has been mounted already, nothing to do
+                        free(dest);
+                        return;
+                }
+                errExit("open");
        }
-        free(name);
+        close(fd);
        if (arg_debug || arg_debug_private_lib)
-                printf("    copying %s to private %s\n", full_path, dest_dir);
+                printf("    mounting %s on %s\n", full_path, dest);
+        // if full_path is a symbolic link, mount will follow it
-        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, dest_dir);
+        if (mount(full_path, dest, NULL, MS_BIND, NULL) < 0)
-        report_duplication(full_path);
+                errExit("mount bind");
+        free(dest);
        lib_cnt++;
 }
+void fslib_mount(const char *full_path) {
+        assert(full_path);
+        struct stat s;
+        if (!valid_full_path(full_path) ||
+            access(full_path, F_OK) != 0 ||
+            stat(full_path, &s) != 0 ||
+            s.st_uid != 0)
+                return;
+        if (S_ISDIR(s.st_mode))
+                fslib_mount_dir(full_path);
+        else if (S_ISREG(s.st_mode) && is_lib_64(full_path))
+                fslib_mount_file(full_path);
+}
 // requires full path for lib
 // it could be a library or an executable
 // lib is not copied, only libraries used by it
-static void fslib_copy_libs(const char *full_path, unsigned mask) {
+void fslib_mount_libs(const char *full_path, unsigned user) {
+        assert(full_path);
+        // if library/executable does not exist or the user does not have read access to it
+        // print a warning and exit the function.
+        if (user && access(full_path, R_OK)) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("Cannot read %s, skipping...\n", full_path);
+                return;
+        }
+        if (arg_debug || arg_debug_private_lib)
+                printf("    fslib_mount_libs %s (parse as %s)\n", full_path, user ? "user" : "root");
        // create an empty RUN_LIB_FILE and allow the user to write to it
        unlink(RUN_LIB_FILE);                     // in case is there
        create_empty_file_as_root(RUN_LIB_FILE, 0644);
-        if (mask & SBOX_USER) {
+        if (user && chown(RUN_LIB_FILE, getuid(), getgid()))
-                if (chown(RUN_LIB_FILE, getuid(), getgid()))
+                errExit("chown");
-                        errExit("chown");
-        }
        // run fldd to extract the list of files
        if (arg_debug || arg_debug_private_lib)
                printf("    running fldd %s\n", full_path);
+        unsigned mask;
+        if (user)
+                mask = SBOX_USER;
+        else
+                mask = SBOX_ROOT;
        sbox_run(mask | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE);
        // open the list of libraries and install them on by one
@@ -166,96 +228,30 @@ static void fslib_copy_libs(const char *full_path, unsigned mask) {
                char *ptr = strchr(buf, '\n');
                if (ptr)
                        *ptr = '\0';
-                fslib_duplicate(buf);
+                fslib_mount(buf);
        }
        fclose(fp);
        unlink(RUN_LIB_FILE);
 }
-void fslib_copy_libs_parse_as_root(const char *full_path) {
+// fname should be a valid full path at this point
-        assert(full_path);
-        if (arg_debug || arg_debug_private_lib)
-                printf("    fslib_copy_libs_parse_as_root %s\n", full_path);
-        struct stat s;
-        if (stat(full_path, &s)) {
-                if (arg_debug || arg_debug_private_lib)
-                        printf("cannot find %s for private-lib, skipping...\n", full_path);
-                return;
-        }
-        fslib_copy_libs(full_path, SBOX_ROOT);
-}
-// if library/executable does not exist or the user does not have read access to it
-// print a warning and exit the function.
-void fslib_copy_libs_parse_as_user(const char *full_path) {
-        assert(full_path);
-        if (arg_debug || arg_debug_private_lib)
-                printf("    fslib_copy_libs_parse_as_user %s\n", full_path);
-        if (access(full_path, R_OK)) {
-                if (arg_debug || arg_debug_private_lib)
-                        printf("cannot find %s for private-lib, skipping...\n", full_path);
-                return;
-        }
-        fslib_copy_libs(full_path, SBOX_USER);
-}
-void fslib_copy_dir(const char *full_path) {
-        assert(full_path);
-        if (arg_debug || arg_debug_private_lib)
-                printf("    fslib_copy_dir %s\n", full_path);
-        // do nothing if the directory does not exist or is not owned by root
-        struct stat s;
-        if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK))
-                return;
-        char *dir_name = strrchr(full_path, '/');
-        assert(dir_name);
-        dir_name++;
-        assert(*dir_name != '\0');
-        // do nothing if the directory is already there
-        char *dest;
-        if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), dir_name) == -1)
-                errExit("asprintf");
-        if (stat(dest, &s) == 0) {
-                free(dest);
-                return;
-        }
-        // create new directory and mount the original on top of it
-        mkdir_attr(dest, 0755, 0, 0);
-        if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-                errExit("mount bind");
-        fs_logger2("clone", full_path);
-        fs_logger2("mount", full_path);
-        dir_cnt++;
-        free(dest);
-}
-// fname should be a vallid full path at this point
 static void load_library(const char *fname) {
        assert(fname);
        assert(*fname == '/');
-        // existing file owned by root, read access
+        // existing file owned by root
        struct stat s;
-        if (stat(fname, &s) == 0 && s.st_uid == 0 && !access(fname, R_OK)) {
+        if (!access(fname, F_OK) && stat(fname, &s) == 0 && s.st_uid == 0) {
                // load directories, regular 64 bit libraries, and 64 bit executables
-                if (is_dir(fname) || is_lib_64(fname)) {
+                if (S_ISDIR(s.st_mode))
-                        if (is_dir(fname))
+                        fslib_mount(fname);
-                                fslib_copy_dir(fname);
+                else if (S_ISREG(s.st_mode) && is_lib_64(fname)) {
-                        else {
+                        if (strstr(fname, ".so") ||
-                                if (strstr(fname, ".so") ||
+                            access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries
-                                    access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries
+                                fslib_mount(fname);
-                                        fslib_duplicate(fname);
+                        fslib_mount_libs(fname, 1); // parse as user
-                                fslib_copy_libs_parse_as_user(fname);
-                        }
                }
        }
 }
@@ -311,7 +307,6 @@ static void install_list_entry(const char *lib) {
        return;
 }
 void fslib_install_list(const char *lib_list) {
        assert(lib_list);
        if (arg_debug || arg_debug_private_lib)
@@ -334,34 +329,20 @@ void fslib_install_list(const char *lib_list) {
        fs_logger_print();
 }
 static void mount_directories(void) {
-        if (arg_debug || arg_debug_private_lib)
+        fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself
-                printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR);
+        int i = 0;
-        if (is_dir("/lib")) {
+        while (masked_lib_dirs[i]) {
-                if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+                if (is_dir(masked_lib_dirs[i])) {
-                        mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+                        if (arg_debug || arg_debug_private_lib)
-                        errExit("mount bind");
+                                printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, masked_lib_dirs[i]);
-                fs_logger2("tmpfs", "/lib");
+                        if (mount(RUN_LIB_DIR, masked_lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0)
-                fs_logger("mount /lib");
+                                errExit("mount bind");
-        }
+                        fs_logger2("tmpfs", masked_lib_dirs[i]);
+                        fs_logger2("mount", masked_lib_dirs[i]);
-        if (is_dir("/lib64")) {
+                }
-                if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+                i++;
-                        mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-                fs_logger2("tmpfs", "/lib64");
-                fs_logger("mount /lib64");
-        }
-        if (is_dir("/usr/lib")) {
-                if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                        mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-                fs_logger2("tmpfs", "/usr/lib");
-                fs_logger("mount /usr/lib");
        }
        // for amd64 only - we'll deal with i386 later
@@ -431,7 +412,6 @@ void fs_private_lib(void) {
                fslib_install_list(cfg.shell);
                // a shell is useless without some basic commands
                fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm");
        }
        // for the listed libs and directories
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index d46cfed86..c69bf7c98 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -21,10 +21,8 @@
 #include <dirent.h>
 #include <sys/stat.h>
-extern void fslib_duplicate(const char *full_path);
+extern void fslib_mount_libs(const char *full_path, unsigned user);
-extern void fslib_copy_libs_parse_as_user(const char *full_path);
+extern void fslib_mount(const char *full_path);
-extern void fslib_copy_libs_parse_as_root(const char *full_path);
-extern void fslib_copy_dir(const char *full_path);
 //***************************************************************
 // Standard C library
@@ -98,7 +96,8 @@ static void stdc(const char *dirname) {
                                if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
                                        errExit("asprintf");
-                                fslib_duplicate(fname);
+                                fslib_mount(fname);
+                                free(fname);
                        }
                }
                closedir(dir);
@@ -119,7 +118,7 @@ void fslib_install_stdc(void) {
        // install locale
        if (stat("/usr/lib/locale", &s) == 0)
-                fslib_copy_dir("/usr/lib/locale");
+                fslib_mount("/usr/lib/locale");
        fmessage("Standard C library installed in %0.2f ms\n", timetrace_end());
 }
@@ -129,7 +128,8 @@ void fslib_install_stdc(void) {
 //***************************************************************
 static void fdir(void) {
-        fslib_copy_dir(LIBDIR "/firejail");
+        // firejail directory itself
+        fslib_mount(LIBDIR "/firejail");
        // executables and libraries from firejail directory
        static const char * const fbin[] = {
@@ -143,30 +143,28 @@ static void fdir(void) {
                NULL,
        };
-        // need to run fldd as root user, unprivileged users have no read permission on executables
+        // need to parse as root user, unprivileged users have no read permission on executables
        int i;
        for (i = 0; fbin[i]; i++)
-                fslib_copy_libs_parse_as_root(fbin[i]);
+                fslib_mount_libs(fbin[i], 0);
 }
 void fslib_install_firejail(void) {
        timetrace_start();
        // bring in firejail executable libraries, in case we are redirected here
        // by a firejail symlink from /usr/local/bin/firejail
-        fslib_copy_libs_parse_as_user(PATH_FIREJAIL);
+        fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user
        // bring in firejail directory
        fdir();
        // bring in dhclient libraries
        if (any_dhcp())
-                fslib_copy_libs_parse_as_user(RUN_MNT_DIR "/dhclient");
+                fslib_mount_libs(RUN_MNT_DIR "/dhclient", 1); // parse as user
-#ifdef HAVE_X11
        // bring in xauth libraries
        if (arg_x11_xorg)
-                fslib_copy_libs_parse_as_user("/usr/bin/xauth");
+                fslib_mount_libs("/usr/bin/xauth", 1); // parse as user
-#endif
        fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
 }
@@ -315,8 +313,8 @@ void fslib_install_system(void) {
                        if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1)
                                errExit("asprintf");
                        if (access(name, R_OK) == 0) {
-                                fslib_copy_libs_parse_as_user(name);
+                                fslib_mount_libs(name, 1); // parse as user
-                                fslib_copy_dir(name);
+                                fslib_mount(name);
                        }
                        else {
                                free(name);
@@ -324,8 +322,8 @@ void fslib_install_system(void) {
                                if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1)
                                        errExit("asprintf");
                                if (access(name, R_OK) == 0) {
-                                        fslib_copy_libs_parse_as_user(name);
+                                        fslib_mount_libs(name, 1); // parse as user
-                                        fslib_copy_dir(name);
+                                        fslib_mount(name);
                                }
                        }
                        free(name);
@@ -335,8 +333,8 @@ void fslib_install_system(void) {
                                if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1)
                                        errExit("asprintf");
                                if (access(name, R_OK) == 0) {
-                                        fslib_copy_libs_parse_as_user(name);
+                                        fslib_mount_libs(name, 1); // parse as user
-                                        fslib_copy_dir(name);
+                                        fslib_mount(name);
                                }
                                else {
                                        free(name);
@@ -344,8 +342,8 @@ void fslib_install_system(void) {
                                        if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1)
                                                errExit("asprintf");
                                        if (access(name, R_OK) == 0) {
-                                                fslib_copy_libs_parse_as_user(name);
+                                                fslib_mount_libs(name, 1); // parse as user
-                                                fslib_copy_dir(name);
+                                                fslib_mount(name);
                                        }
                                }
                                free(name);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9705c2436..b3524fcf5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2790,7 +2790,7 @@ int main(int argc, char **argv, char **envp) {
                if (arg_debug)
                        printf("Configuring appimage environment\n");
                appimage_set(cfg.command_name);
-                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line);
+                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
        }
        else {
                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index f3266c23e..351b760df 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -157,6 +157,10 @@ static int check_nosound(void) {
        return arg_nosound != 0;
 }
+static int check_private(void) {
+        return arg_private;
+}
 static int check_x11(void) {
        return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11"));
 }
@@ -174,6 +178,7 @@ Cond conditionals[] = {
        {"HAS_NET", check_netoptions},
        {"HAS_NODBUS", check_nodbus},
        {"HAS_NOSOUND", check_nosound},
+        {"HAS_PRIVATE", check_private},
        {"HAS_X11", check_x11},
        {"BROWSER_DISABLE_U2F", check_disable_u2f},
        {"BROWSER_ALLOW_DRM", check_allow_drm},
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 0dfd9ca1c..a0ca4c02c 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -72,7 +72,7 @@ static void sanitize_home(void) {
        if (arg_debug)
                printf("Cleaning /home directory\n");
-        // keep a copy of the user home directory
+        // open user home directory in order to keep it around
        int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (fd == -1)
                goto errout;
@@ -82,47 +82,38 @@ static void sanitize_home(void) {
                close(fd);
                goto errout;
        }
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
-                errExit("mkdir");
-        if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
-        free(proc);
-        close(fd);
-        // mount tmpfs in the new home
+        // mount tmpfs on /home
        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                errExit("mount tmpfs");
        selinux_relabel_path("/home", "/home");
        fs_logger("tmpfs /home");
-        // create user home directory
+        // create new user home directory
        if (mkdir(cfg.homedir, 0755) == -1) {
-                if (mkpath_as_root(cfg.homedir))
+                if (mkpath_as_root(cfg.homedir) == -1)
                        errExit("mkpath");
                if (mkdir(cfg.homedir, 0755) == -1)
                        errExit("mkdir");
-                selinux_relabel_path(cfg.homedir, cfg.homedir);
        }
        fs_logger2("mkdir", cfg.homedir);
        // set mode and ownership
        if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
                errExit("set_perms");
+        selinux_relabel_path(cfg.homedir, cfg.homedir);
-        // mount user home directory
+        // bring back real user home directory
-        if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
+        free(proc);
+        close(fd);
-        // mask home dir under /run
-        if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mount tmpfs");
-        fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR);
        if (!arg_private)
                fs_logger2("whitelist", cfg.homedir);
        return;
 errout:
@@ -137,22 +128,15 @@ static void sanitize_run(void) {
        if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
                errExit("asprintf");
-        struct stat s;
+        // open /run/user/$UID directory in order to keep it around
-        if (stat(runuser, &s) == -1) {
+        int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                // cannot find /user/run/$UID directory, just return
+        if (fd == -1) {
                if (arg_debug)
-                        printf("Cannot find %s directory\n", runuser);
+                        printf("Cannot open %s directory\n", runuser);
                free(runuser);
                return;
        }
-        if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1)
-                errExit("mkdir");
-        // keep a copy of the /run/user/$UID directory
-        if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind");
        // mount tmpfs on /run/user
        if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                errExit("mount tmpfs");
@@ -162,22 +146,23 @@ static void sanitize_run(void) {
        // create new user directory
        if (mkdir(runuser, 0700) == -1)
                errExit("mkdir");
-        selinux_relabel_path(runuser, runuser);
        fs_logger2("mkdir", runuser);
        // set mode and ownership
        if (set_perms(runuser, getuid(), getgid(), 0700))
                errExit("set_perms");
+        selinux_relabel_path(runuser, runuser);
-        // mount /run/user/$UID directory
+        // bring back real run/user/$UID directory
-        if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
                errExit("mount bind");
+        free(proc);
+        close(fd);
-        // mask mirrored /run/user/$UID directory
+        fs_logger2("whitelist", runuser);
-        if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mount tmpfs");
-        fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR);
        free(runuser);
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b6e0468c6..743d84b43 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -825,6 +825,11 @@ int sandbox(void* sandbox_arg) {
                fs_basic_fs();
        //****************************
+        // appimage
+        //****************************
+        appimage_mount();
+        //****************************
        // private mode
        //****************************
        if (arg_private) {
@@ -1029,23 +1034,11 @@ int sandbox(void* sandbox_arg) {
                fs_dev_disable_video();
        //****************************
-        // install trace
-        //****************************
-        if (need_preload)
-                fs_trace();
-        //****************************
        // set dns
        //****************************
        fs_resolvconf();
        //****************************
-        // fs post-processing
-        //****************************
-        fs_logger_print();
-        fs_logger_change_owner();
-        //****************************
        // start dhcp client
        //****************************
        dhcp_start();
@@ -1094,6 +1087,12 @@ int sandbox(void* sandbox_arg) {
        save_umask();
        //****************************
+        // fs post-processing
+        //****************************
+        fs_logger_print();
+        fs_logger_change_owner();
+        //****************************
        // set security filters
        //****************************
        // save state of nonewprivs
@@ -1150,13 +1149,21 @@ int sandbox(void* sandbox_arg) {
        fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
        seccomp_debug();
+        //****************************
+        // install trace - still need capabilities
+        //****************************
+        if (need_preload)
+                fs_trace();
+        //****************************
+        // continue security filters
+        //****************************
        // set capabilities
        set_caps();
        //****************************************
        // relay status information to join option
        //****************************************
        char *set_sandbox_status = create_join_file();
        //****************************************
@@ -1217,7 +1224,6 @@ int sandbox(void* sandbox_arg) {
        //****************************************
        // set cpu affinity
        //****************************************
        if (cfg.cpus)
                set_cpu_affinity();
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 53c671794..2ad85acd6 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -441,35 +441,22 @@ int is_dir(const char *fname) {
        return 0;
 }
 // return 1 if the file is a link
 int is_link(const char *fname) {
        assert(fname);
        if (*fname == '\0')
                return 0;
-        char *dup = NULL;
+        char *dup = strdup(fname);
-        struct stat s;
+        if (!dup)
-        if (lstat(fname, &s) == 0) {
+                errExit("strdup");
-                if (S_ISLNK(s.st_mode))
+        trim_trailing_slash_or_dot(dup);
-                        return 1;
-                if (S_ISDIR(s.st_mode)) {
+        char c;
-                        // remove trailing slashes and single dots and try again
+        ssize_t rv = readlink(dup, &c, 1);
-                        dup = strdup(fname);
-                        if (!dup)
-                                errExit("strdup");
-                        trim_trailing_slash_or_dot(dup);
-                        if (lstat(dup, &s) == 0) {
-                                if (S_ISLNK(s.st_mode)) {
-                                        free(dup);
-                                        return 1;
-                                }
-                        }
-                }
-        }
        free(dup);
-        return 0;
+        return (rv != -1);
 }
 // remove all slashes and single dots from the end of a path
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 5749c66e4..d14f6782f 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -84,8 +84,6 @@
 #define RUN_DEVLOG_FILE                 RUN_MNT_DIR "/devlog"
 #define RUN_WHITELIST_X11_DIR           RUN_MNT_DIR "/orig-x11"
-#define RUN_WHITELIST_HOME_DIR          RUN_MNT_DIR "/orig-home"                // default home directory masking
-#define RUN_WHITELIST_RUN_DIR           RUN_MNT_DIR "/orig-run"         // default run directory masking
 #define RUN_WHITELIST_HOME_USER_DIR     RUN_MNT_DIR "/orig-home-user"           // home directory whitelisting
 #define RUN_WHITELIST_RUN_USER_DIR      RUN_MNT_DIR "/orig-run-user"            // run directory whitelisting
 #define RUN_WHITELIST_TMP_DIR           RUN_MNT_DIR "/orig-tmp"
diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h
index 10174cc9a..0c4883061 100644
--- a/src/jailtest/jailtest.h
+++ b/src/jailtest/jailtest.h
@@ -38,6 +38,10 @@ void access_destroy(void);
 void noexec_setup(void);
 void noexec_test(const char *msg);
+// sysfiles.c
+void sysfiles_setup(const char *file);
+void sysfiles_test(void);
 // virtual.c
 void virtual_setup(const char *directory);
 void virtual_destroy(void);
diff --git a/src/jailtest/main.c b/src/jailtest/main.c
index 850277bc5..3369dca39 100644
--- a/src/jailtest/main.c
+++ b/src/jailtest/main.c
@@ -114,8 +114,32 @@ int main(int argc, char **argv) {
        virtual_setup("/bin");
        virtual_setup("/usr/share");
        virtual_setup(user_run_dir);
+        // basic sysfiles
+        sysfiles_setup("/etc/shadow");
+        sysfiles_setup("/etc/gshadow");
+        sysfiles_setup("/usr/bin/mount");
+        sysfiles_setup("/usr/bin/su");
+        sysfiles_setup("/usr/bin/ksu");
+        sysfiles_setup("/usr/bin/sudo");
+        sysfiles_setup("/usr/bin/strace");
+        // X11
+        sysfiles_setup("/usr/bin/xev");
+        sysfiles_setup("/usr/bin/xinput");
+        // compilers
+        sysfiles_setup("/usr/bin/gcc");
+        sysfiles_setup("/usr/bin/clang");
+        // networking
+        sysfiles_setup("/usr/bin/dig");
+        sysfiles_setup("/usr/bin/nslookup");
+        sysfiles_setup("/usr/bin/resolvectl");
+        sysfiles_setup("/usr/bin/nc");
+        sysfiles_setup("/usr/bin/ncat");
+        sysfiles_setup("/usr/bin/nmap");
+        sysfiles_setup("/usr/sbin/tcpdump");
+        // terminals
+        sysfiles_setup("/usr/bin/gnome-terminal");
+        sysfiles_setup("/usr/bin/xfce4-terminal");
+        sysfiles_setup("/usr/bin/lxterminal");
        // print processes
        pid_read(0);
@@ -145,6 +169,7 @@ int main(int argc, char **argv) {
                                        noexec_test("/var/tmp");
                                        noexec_test(user_run_dir);
                                        access_test();
+                                        sysfiles_test();
                                }
                                else {
                                        printf("   Error: I cannot join the process mount space\n");
diff --git a/src/jailtest/sysfiles.c b/src/jailtest/sysfiles.c
new file mode 100644
index 000000000..7e4709453
--- /dev/null
+++ b/src/jailtest/sysfiles.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+typedef struct {
+        char *tfile;
+} TestFile;
+#define MAX_TEST_FILES 32
+TestFile tf[MAX_TEST_FILES];
+static int files_cnt = 0;
+void sysfiles_setup(const char *file) {
+        // I am root!
+        assert(file);
+        if (files_cnt >= MAX_TEST_FILES) {
+                fprintf(stderr, "Error: maximum number of system test files exceded\n");
+                exit(1);
+        }
+        if (access(file, F_OK)) {
+                // no such file
+                return;
+        }
+        char *fname = strdup(file);
+        if (!fname)
+                errExit("strdup");
+        tf[files_cnt].tfile = fname;
+        files_cnt++;
+}
+void sysfiles_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+                for (i = 0; i < files_cnt; i++) {
+                        assert(tf[i].tfile);
+                        // try to open the file for reading
+                        FILE *fp = fopen(tf[i].tfile, "r");
+                        if (fp) {
+                                printf("   Warning: I can access %s\n", tf[i].tfile);
+                                fclose(fp);
+                        }
+                }
+                exit(0);
+        }
+        // wait for the child to finish
+        int status;
+        wait(&status);
+}
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index adde4a9b9..cd60d74e4 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -23,13 +23,16 @@
 #include <sys/stat.h>
 #include <fcntl.h>
+// todo: resolve overlap with masked_lib_dirs[] array from fs_lib.c
 const char * const default_lib_paths[] = {
        "/usr/lib/x86_64-linux-gnu",    // Debian & friends
        "/lib/x86_64-linux-gnu",                // CentOS, Fedora
+        "/usr/lib64",
+        "/lib64",
        "/usr/lib",
        "/lib",
-        "/lib64",
        LIBDIR,
+        "/usr/local/lib64",
        "/usr/local/lib",
        "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory
        "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index ce27729b7..1b8a4931c 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -3,7 +3,7 @@
 login.users \- Login file syntax for Firejail
 .SH DESCRIPTION
-/etc/firejail/login.users file describes additional arguments passed to firejail executable
+/etc/firejail/login.users file describes additional arguments passed to the firejail executable
 upon user logging into a Firejail restricted shell. Each user entry in the file consists of
 a user name followed by the arguments passed to firejail. The format is as follows:
@@ -19,8 +19,8 @@ Wildcard patterns are accepted in the user name field:
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/passwd file for each user that needs to be restricted. Alternatively,
+the /etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail  using adduser or usermod commands:
+you can specify /usr/bin/firejail using the `adduser` or `usermod` commands:
 adduser \-\-shell /usr/bin/firejail username
 .br
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b25fc9181..b0b390507 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -103,7 +103,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 68deb85ec..0b9b403f8 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -433,7 +433,7 @@ org.freedesktop.Notifications.*@/org/freedesktop/Notifications
 .TP
 \fB\-\-dbus-system.log
-Turn on DBus logging for the system DBus. This option requires --dbus-system=log.
+Turn on DBus logging for the system DBus. This option requires --dbus-system=filter.
 .br
 Example:
@@ -560,7 +560,7 @@ org.freedesktop.Notifications.*@/org/freedesktop/Notifications
 .TP
 \fB\-\-dbus-user.log
-Turn on DBus logging for the session DBus. This option requires --dbus-user=log.
+Turn on DBus logging for the session DBus. This option requires --dbus-user=filter.
 .br
 Example:
@@ -821,6 +821,16 @@ $ firejail \-\-ignore=shell --ignore=seccomp firefox
 $ firejail \-\-ignore="net eth0" firefox
 #endif
+.TP
+\fB\-\-\include=file.profile
+Include a profile file before the regular profiles are used.
+.br
+.br
+Example:
+.br
+$ firejail --include=/etc/firejail/disable-devel.inc gedit
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-interface=interface
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index f58f0d4b9..fd27bb35f 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -1,5 +1,8 @@
 #compdef firejail
+# Documentation: man 1 zshcompsys
+# HowTo: https://github.com/zsh-users/zsh-completions/blob/master/zsh-completions-howto.org
 _all_firejails() {
    local -a _all_firejails_list
    for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do
@@ -16,7 +19,7 @@ _all_cpus() {
 }
 _profiles() {
-    print $1/*.profile | sed -E "s;^$1/;;g;s;\.profile$;;g;"
+    print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;"
 }
 _profiles_with_ext() {
    print $1/*.profile
@@ -26,15 +29,40 @@ _all_profiles() {
    _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .)
 }
+_session_bus_names() {
+    _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1)
+    # Alternatives to hack on for non-systemd systems:
+    #  dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames
+    #  ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service
+}
+_system_bus_names() {
+    _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1)
+}
+_caps() {
+    _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')
+}
 _firejail_args=(
    '*::arguments:_normal'
-    '(--profile)'{--profile=,--profile=}'[use a custom profile]: :_all_profiles'
-    '--caps[enable default Linux capabilities filter]'
+    '--appimage[sandbox an AppImage application]'
-    '(--caps.drop)'{--caps.drop=,--caps.drop=}'[drop capabilities: all|cap1,cap2,...]: :->caps_drop'
+    '--build[build a whitelisted profile for the application and print it on stdout]'
-    '(--caps.keep)'{--caps.keep=,--caps.keep=}'[keep capabilities: cap1,cap2,...]: :->caps_keep'
+    '--build=-[build a whitelisted profile for the application and save it]: :_files'
-    '(--caps.print)'{--caps.print=,--caps.print=}'[print the caps filter name|pid]:firejail:_all_firejails'
+    # Ignore that you can do -? too as it's the only short option
-    '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]'
+    '--help[this help screen]'
-    '(--debug)'{--debug,--debug}'[print sandbox debug messages]'
+    '--join=-[join the sandbox name|pid]: :_all_firejails'
+    '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails'
+    '--list[list all sandboxes]'
+    '(--profile)--noprofile[do not use a security profile]'
+    '(--noprofile)--profile=-[use a custom profile]: :_all_profiles'
+    '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails'
+    '--top[monitor the most CPU-intensive sandboxes]'
+    '--tree[print a tree of all sandboxed processes]'
+    '--version[print program version and exit]'
+    '--debug[print sandbox debug messages]'
    '--debug-blacklists[debug blacklisting]'
    '--debug-caps[print all recognized capabilities]'
    '--debug-errnos[print all recognized error numbers]'
@@ -43,197 +71,200 @@ _firejail_args=(
    '--debug-syscalls[print all recognized system calls]'
    '--debug-syscalls32[print all recognized 32 bit system calls]'
    '--debug-whitelists[debug whitelisting]'
-    # Ignore that you can do -? too as it's the only short option
-    '(--help)'{--help,--help}'[this help screen]'
+    '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
+    '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails'
+    '--fs.print=-[print the filesystem log name|pid]: :_all_firejails'
+    '--profile.print=-[print the name of profile file name|pid]: :_all_firejails'
+    '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails'
+    '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails'
+    '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]'
    '--allusers[all user home directories are visible inside the sandbox]'
-    '--appimage[sandbox an AppImage application]'
+    # Should be _files, a comma and files or files -/
-    '--private[temporary home directory]'
+    '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
-    '(--private)'{--private=,--private=}'[use directory as user home]: : _files -/'
+    '*--blacklist=-[blacklist directory or file]: :_files'
-    '--seccomp[enable seccomp filter and apply the default blacklist]'
+    '--caps[enable default Linux capabilities filter]'
-    '(--seccomp=)'{--seccomp=,--seccomp=}'[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:'
+    '--caps.drop=all[drop all capabilities]'
-    '(--seccomp.print)'{--seccomp.print=,--seccomp.print=}'[print the seccomp filter for the sandbox identified by name|pid]: : _all_firejails'
+    '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
-    '--seccomp.block-secondary[build only the native architecture filters]'
+    '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
-    '(--seccomp.drop)'{--seccomp.drop=,--seccomp.drop=}'[enable seccomp filter, and blacklist the syscalls specified by the command]: :'
+    '--cgroup=-[place the sandbox in the specified control group]: :'
-    '(--seccomp.keep)'{--seccomp.keep=,--seccomp.keep=}'[enable seccomp filter, and whitelist the syscalls specified by the command]: :'
+    '--cpu=-[set cpu affinity]: :->cpus'
-    '(--seccomp.32.drop)'{--seccomp.32.drop=,--seccomp.32.drop=}'[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
+    "--deterministic-exit-code[always exit with first child's status code]"
-    '(--seccomp.32.keep)'{--seccomp.32.keep=,--seccomp.32.keep=}'[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
+    '*--dns=-[set DNS server]: :'
-    '(--seccomp-error-action)'{--seccomp-error-action=,--seccomp-error-action=}'[change error code, kill process or log the attempt]: :(ERRNO kill log)'
+    '*--env=-[set environment variable]: :'
+    '--hostname=-[set sandbox hostname]: :'
+    '--hosts-file=-[use file as /etc/hosts]: :_files'
+    '*--ignore=-[ignore command in profile files]: :'
+    '--ipc-namespace[enable a new IPC namespace]'
+    '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+    '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
+    '--keep-var-tmp[/var/tmp directory is untouched]'
+    '--machine-id[preserve /etc/machine-id]'
    '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
-    '*'{--blacklist=,--blacklist=}'[blacklist directory or file]: : _files'
-    '--writable-etc[/etc directory is mounted read-write]'
-    '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
-    '--writable-var[/var directory is mounted read-write]'
-    '--writable-var-log[use the real /var/log directory, not a clone]'
-    '--build[build a whitelisted profile for the application and print it on stdout]'
-    '(--build)'{--build=,--build=}'[build a whitelisted profile for the application and save it]: : _files'
-    '(--fs.print)'{--fs.print=,--fs.print=}'[print the filesystem log name|pid]: : _all_firejails'
-    '(--join)'{--join=,--join=}'[join the sandbox name|pid]: : _all_firejails'
-    '(--join-filesystem)'{--join-filesystem=,--join-filesystem=}'[join the mount namespace name|pid]: : _all_firejails'
-    '(--profile.print)'{--profile.print=,--profile.print=}'[print the name of profile file name|pid]: : _all_firejails'
-    '(--protocol.print)'{--protocol.print=,--protocol.print=}'[print the protocol filter name|pid]: : _all_firejails'
-    '(--shutdown)'{--shutdown=,--shutdown=}'[shutdown the sandbox identified by name|pid]: : _all_firejails'
-    '(--cat)'{--cat=,--cat=}'[print content of file from sandbox container name|pid]: : _all_firejails'
-    '(--cpu.print)'{--cpu.print=,--cpu.print=}'[print the cpus in use name|pid]: : _all_firejails'
-    '--list[list all sandboxes]'
-    '(--dns)'{--dns=,--dns=}'[set DNS server]: :'
    '*--mkdir=-[create a directory]:'
    '*--mkfile=-[create a file]:'
-    '(--protocol)'{--protocol=,--protocol=}'[enable protocol filter]: :'
+    '--name=-[set sandbox name]: :'
-    '(--join-or-start)'{--join-or-start=,--join-or-start=}'[join the sandbox or start a new one name|pid]: : _all_firejails'
+    '--net=none[enable a new, unconnected network namespace]'
-    '(--hosts-file)'{--hosts-file=,--hosts-file=}'[use file as /etc/hosts]: : _files'
+    # Sample values as I don't think
-    '--shell=none[run the program directly without a user shell]'
+    # many would enjoy getting a list from -20..20
-    '(--shell)'{--shell=,--shell=}'[set default user shell]: : _files -g "*(*)"'
+    '--nice=-[set nice value]: :(1 10 15 20)'
-    '(--output)'{--output=,--output=}'[stdout logging and log rotation]: : _files'
-    '(--output-stderr)'{--output-stderr=,--output-stderr=}'[stdout and stderr logging and log rotation]: : _files'
    '--no3d[disable 3D hardware acceleration]'
+    '--noautopulse[disable automatic ~/.config/pulse init]'
+    '--noblacklist=-[disable blacklist for file or directory]: :_files'
+    '--nodbus[disable D-Bus access]'
    '--nodvd[disable DVD and audio CD devices]'
+    '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
    '--nogroups[disable supplementary groups]'
    '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
-    '--noprofile[do not use a security profile]'
+    '--nosound[disable sound system]'
-    '(--noexec)'{--noexec=,--noexec=}'[remount the file or directory noexec nosuid and nodev]: : _files'
+    '--nou2f[disable U2F devices]'
-    '--ipc-namespace[enable a new IPC namespace]'
+    '--novideo[disable video devices]'
-    '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
+    '--private[temporary home directory]'
-    '--keep-var-tmp[/var/tmp directory is untouched]'
+    '--private=-[use directory as user home]: :_files -/'
-    '--top[monitor the most CPU-intensive sandboxes]'
+    '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin'
-    '--trace[trace open, access and connect system calls]'
+    '--private-cwd[do not inherit working directory inside jail]'
-    '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
+    '--private-cwd=-[set working directory inside jail]: :_files -/'
-    '--tree[print a tree of all sandboxed processes]'
-    '(--cpu)'{--cpu=,--cpu=}'[set cpu affinity]: :->cpus'
    '--private-dev[create a new /dev directory with a small number of common device files]'
+    '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc'
+    '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt'
+    '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv'
    '--private-tmp[mount a tmpfs on top of /tmp directory]'
-    '--private-cwd[do not inherit working directory inside jail]'
+    '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth'
-    '(--private-cwd)'{--private-cwd=,--private-cwd=}'[set working directory inside jail]: : _files -/'
-    '*'{--read-only=,--read-only=}'[set directory or file read-only]: : _files'
-    '*'{--read-write=,--read-write=}'[set directory or file read-write]: : _files'
-    '(--tmpfs)'{--tmpfs=,--tmpfs=}'[mount a tmpfs filesystem on directory dirname]: : _files -/'
-    '(--private-etc)'{--private-etc=,--private-etc=}'[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: : _files'
-    "--deterministic-exit-code[always exit with first child's status code]"
-    '--machine-id[preserve /etc/machine-id]'
-    # Sample values as I don't think
-    # many would enjoy getting a list from -20..20
-    '(--nice)'{--nice=,--nice=}'[set nice value]: :(1 10 15 20)'
-    # Should be _files, a comma and files or files -/
-    '*'{--bind=,--bind=}'[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
-    '(--cgroup)'{--cgroup=,--cgroup=}'[place the sandbox in the specified control group]: :'
-    '*'{--env=,--env=}'[set environment variable]: :'
-    '(--hostname)'{--hostname=,--hostname=}'[set sandbox hostname]: :'
-    '(--ignore)'{--ignore=,--ignore=}'[ignore command in profile files]: :'
-    '(--name)'{--name=,--name=}'[set sandbox name]: :'
-    '(--rlimit-as)'{--rlimit-as=,--rlimit-as=}"[set the maximum size of the process's virtual memory (address space) in bytes]: :"
-    '(--rlimit-cpu)'{--rlimit-cpu=,--rlimit-cpu=}'[set the maximum CPU time in seconds]: :'
-    '(--rlimit-fsize)'{--rlimit-fsize=,--rlimit-fsize=}'[set the maximum file size that can be created by a process]: :'
-    '(--rlimit-nofile)'{--rlimit-nofile=,--rlimit-nofile=}'[set the maximum number of files that can be opened by a process]: :'
-    '(--rlimit-nproc)'{--rlimit-nproc=,--rlimit-nproc=}'[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
-    '(--rlimit-sigpending)'{--rlimit-sigpending=,--rlimit-sigpending=}'[set the maximum number of pending signals for a process]: :'
-    '*'{--rmenv=,--rmenv=}'[remove environment variable in the new sandbox]: :'
-    '(--timeout)'{--timeout=,--timeout=}'[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)'
    "--quiet[turn off Firejail's output.]"
-    '--version[print program version and exit]'
+    '*--read-only=-[set directory or file read-only]: :_files'
+    '*--read-write=-[set directory or file read-write]: :_files'
+    "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :"
+    '--rlimit-cpu=-[set the maximum CPU time in seconds]: :'
+    '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :'
+    '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :'
+    '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
+    '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
+    '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
+    '--seccomp[enable seccomp filter and apply the default blacklist]: :'
+    '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp'
+    '--seccomp.block-secondary[build only the native architecture filters]'
+    '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
+    '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
+    # FIXME: Add errnos
+    '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
+    '--shell=none[run the program directly without a user shell]'
+    '--shell=-[set default user shell]: :_values $(cat /etc/shells)'
+    '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
+    #'(--tracelog)--trace[trace open, access and connect system calls]'
+    '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'
+    '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
+    '(--private-etc)--writable-etc[/etc directory is mounted read-write]'
+    '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
+    '--writable-var[/var directory is mounted read-write]'
+    '--writable-var-log[use the real /var/log directory, not a clone]'
 #ifdef HAVE_APPARMOR
    '--apparmor[enable AppArmor confinement]'
-    '(--apparmor.print=)'{--apparmor.print=,--apparmor.print=}'[print apparmor status name|pid]:firejail:_all_firejails'
+    '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
 #endif
 #ifdef HAVE_CHROOT
-    '(--chroot)'{--chroot=,--chroot=}'[chroot into directory]: : _files -/'
+    '(--noroot --overlay --overlay-named --overlay-tmpfs)--chroot=-[chroot into directory]: :_files -/'
 #endif
+#ifdef HAVE_DBUSPROXY
+    # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}.
+    # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl
+    '--dbus-log=-[set DBus log file location]: :_files'
+    '--dbus-system=-[set system DBus access policy]: :(filter none)'
+    '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names'
+    '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names'
+    '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names'
+    '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names'
+    '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names'
+    '--dbus-user=-[set session DBus access policy or none]: :(filter none)'
+    '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names'
+    '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names'
+    '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names'
+    '--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names'
+    '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names'
+#endif
 #ifdef HAVE_FILE_TRANSFER
-    '(--get)'{--get=,--get=}'[get a file from sandbox container name|pid]: : _all_firejails'
+    '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails'
+    '--get=-[get a file from sandbox container name|pid]: :_all_firejails'
    # --put=name|pid src-filename dest-filename - put a file in sandbox container.
-    '(--put)'{--put=,--put=}'[put a file in sandbox container]: :'
+    '--put=-[put a file in sandbox container]: :'
-    '(--ls)'{--ls=,--ls=}'[list files in sandbox container name|pid]: : _all_firejails'
+    '--ls=-[list files in sandbox container name|pid]: :_all_firejails'
+#endif
+#ifdef HAVE_FIRETUNNEL
+    '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :'
 #endif
 #ifdef HAVE_NETWORK
-    # '--net=none[enable a new, unconnected network namespace]'
+    '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails'
-    '(--net)'{--net=,--net=}'[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none'
+    '--defaultgw=[configure default gateway]: :'
-    '(--net.print)'{--net.print=,--net.print=}'[print network interface configuration name|pid]: : _all_firejails'
+    '--dns.print=-[print DNS configuration name|pid]: :_all_firejails'
-    '(--netfilter.print)'{--netfilter.print=,--netfilter.print=}'[print the firewall name|pid]: : _all_firejails'
+    '--join-network=-[join the network namespace name|pid]: :_all_firejails'
-    '(--netfilter6.print)'{--netfilter6.print=,--netfilter6.print=}'[print the IPv6 firewall name|pid]: : _all_firejails'
+    '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)'
+    '--mtu=-[set interface MTU]: :'
+    '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none'
+    '--net.print=-[print network interface configuration name|pid]: :_all_firejails'
+    '--netfilter=-[enable firewall]: :'
+    '--netfilter.print=-[print the firewall name|pid]: :_all_firejails'
+    '--netfilter6=-[enable IPv6 firewall]: :'
+    '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails'
+    '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :'
+    '--netns=-[Run the program in a named, persistent network namespace]: :'
    '--netstats[monitor network statistics]'
-    '(--netmask)'{--netmask=,--netmask=}'[define a network mask when dealing with unconfigured parrent interfaces]: :'
+    '--interface=-[move interface in sandbox]: :'
-    '(--netns)'{--netns=,--netns=}'[Run the program in a named, persistent network namespace]: :'
+    '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)'
-    '(--netfilter)'{--netfilter=,--netfilter=}'[enable firewall]: :'
+    '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)'
-    '(--netfilter6)'{--netfilter6=,--netfilter6=}'[enable IPv6 firewall]: :'
+    '--iprange=-[configure an IP address in this range]: :'
-    '(--veth-name)'{--veth-name=,--veth-name=}'[use this name for the interface connected to the bridge]: :'
-    '(--join-network)'{--join-network=,--join-network=}'[join the network namespace name|pid]: : _all_firejails'
-    '(--defaultgw)'{--defaultgw=,--defaultgw=}'[configure default gateway]: :'
-    '(--ip)'{--ip=,--ip=}'[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)'
-    '(--dns.print)'{--dns.print=,--dns.print=}'[print DNS configuration name|pid]: : _all_firejails'
-    '(--interface)'{--interface=,--interface=}'[move interface in sandbox]: :'
-    '(--ip6)'{--ip6=,--ip6=}'[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)'
-    '(--iprange)'{--iprange=,--iprange=}'[configure an IP address in this range]: :'
-    '(--mac)'{--mac=,--mac=}'[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)'
-    '(--mtu)'{--mtu=,--mtu=}'[set interface MTU]: :'
    '--scan[ARP-scan all the networks from inside a network namespace]'
-    '(--bandwidth)'{--bandwidth=,--bandwidth=}'[set bandwidth limits name|pid]: : _all_firejails'
+    '--veth-name=-[use this name for the interface connected to the bridge]: :'
-#endif
-#ifdef HAVE_X11
-    '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
-    '(--x11)'{--x11=,--x11=}'[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)'
-    '(--xephyr-screen)'{--xephyr-screen=,--xephyr-screen=}'[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)'
 #endif
-#ifdef HAVE_USERNS
-    '--noroot[install a user namespace with only the current user]'
+#ifdef HAVE_OUTPUT
+    '--output=-[stdout logging and log rotation]: :_files'
+    '--output-stderr=-[stdout and stderr logging and log rotation]: :_files'
 #endif
-    '--nosound[disable sound system]'
-    '--noautopulse[disable automatic ~/.config/pulse init]'
-    '--novideo[disable video devices]'
-    '--nou2f[disable U2F devices]'
 #ifdef HAVE_OVERLAYFS
-    '--overlay[mount a filesystem overlay on top of the current filesystem]'
+    '(--chroot --noroot)--overlay[mount a filesystem overlay on top of the current filesystem]'
-    '(--overlay-named)'{--overlay-named=,--overlay-named=}'[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: : _files -/'
-    '--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]'
    '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]'
+    '(--chroot --noroot)--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/'
+    '(--chroot --noroot)--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]'
 #endif
-#ifdef HAVE_WHITELIST
-    '(--nowhitelist)'{--nowhitelist=,--nowhitelist=}'[disable whitelist for file or directory]: : _files'
-    '*'{--whitelist=,--whitelist=}'[whitelist directory or file]: : _files'
-#endif
-    '(--noblacklist)'{--noblacklist=,--noblacklist=}'[disable blacklist for file or directory]: : _files'
-#ifdef HAVE_DBUSPROXY
-    '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy or none]: :'
-    '(--dbus-system.broadcast)'{--dbus-system.broadcast=,--dbus-system.broadcast=}'[allow signals on the system DBus according to rule]: :'
-    '(--dbus-system.call)'{--dbus-system.call=,--dbus-system.call=}'[allow calls on the system DBus according to rule]: :'
-    '(--dbus-system.own)'{--dbus-system.own=,--dbus-system.own=}'[allow ownership of name on the system DBus]: :'
-    '(--dbus-system.see)'{--dbus-system.see=,--dbus-system.see=}'[allow seeing name on the system DBus]: :'
-    '(--dbus-system.talk)'{--dbus-system.talk=,--dbus-system.talk=}'[allow talking to name on the system DBus]: :'
-    '(--dbus-user)'{--dbus-user=,--dbus-user=}'[set session DBus access policy or none]: :'
-    '(--dbus-user.broadcast)'{--dbus-user.broadcast=,--dbus-user.broadcast=}'[allow signals on the session DBus according to rule]: :'
-    '(--dbus-user.call)'{--dbus-user.call=,--dbus-user.call=}'[allow calls on the session DBus according to rule]: :'
-    '(--dbus-user.see)'{--dbus-user.see=,--dbus-user.see=}'[allow seeing name on the session DBus]: :'
-    '(--dbus-user.talk)'{--dbus-user.talk=,--dbus-user.talk=}'[allow talking to name on the session DBus]: :'
-    '(--dbus-log)'{--dbus-log=,--dbus-log=}'[set DBus log file location]: : _files'
-    '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy]: :(filter none)'
-    '--dbus-user.log[turn on logging for the user DBus]'
-    '(--dbus-user.own)'{--dbus-user.own=,--dbus-user.own=}'[allow ownership of name on the session DBus]: :'
-    '--dbus-system.log[turn on logging for the system DBus]'
-    '--nodbus[disable D-Bus access]'
-#endif
 #ifdef HAVE_PRIVATE_HOME
-    '(--private-home)'{--private-home=,--private-home=}'[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :'
+    '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files'
+#endif
+#ifdef HAVE_USERNS
+    '(--chroot --overlay --overlay-named --overlay-tmpfs)--noroot[install a user namespace with only the current user]'
 #endif
-    '(--private-bin)'{--private-bin=,--private-bin=}'[build a new /bin in a temporary filesystem, and copy the programs in the list]: :'
-    '(--private-opt)'{--private-opt=,--private-opt=}'[build a new /opt in a temporary filesystem]: :'
-    '(--private-srv)'{--private-srv=,--private-srv=}'[build a new /srv in a temporary filesystem]: :'
 #ifdef HAVE_USERTMPFS
    '--private-cache[temporary ~/.cache directory]'
+    '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
-#ifdef HAVE_FIRETUNNEL
-    '(--tunnel)'{--tunnel=,--tunnel=}'[connect the sandbox to a tunnel created by firetunnel utility]: :'
+#ifdef HAVE_WHITELIST
+    '*--nowhitelist=-[disable whitelist for file or directory]: :_files'
+    '*--whitelist=-[whitelist directory or file]: :_files'
 #endif
-    )
+#ifdef HAVE_X11
+    '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
+    '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)'
+    '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)'
+#endif
+)
 _firejail() {
    _arguments -S $_firejail_args
    case "$state" in
-        caps_drop)
-            local caps_and_all=(all $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}'))
-            _values -s "," 'caps_drop' $caps_and_all
-            ;;
-        caps_keep)
-            local caps=($(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}'))
-            _values -s "," 'caps_keep' $caps
-            ;;
        cpus)
            _values -s "," 'cpus' $(_all_cpus)
            ;;
@@ -242,5 +273,11 @@ _firejail() {
            local net_and_none=(none $netdevs)
            _values 'net' $net_and_none
            ;;
+        seccomp)
+            # TODO: syscall groups
+            _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2)
+            ;;
    esac
 }
+# vim: ft=zsh sw=4 ts=4 et sts=4 ai
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index 16ab7f54d..eecb9bf82 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -96,7 +96,7 @@ send -- "firejail --shutdown=appimage-test\r"
 set spawn_id $appimage_id
 expect {
        timeout {puts "shutdown\n";exit}
-        "AppImage unmounted"
+        "AppImage detached"
 }
 after 100
diff --git a/test/appimage/appimage-trace.exp b/test/appimage/appimage-trace.exp
index 5f05e2846..2f67eb531 100755
--- a/test/appimage/appimage-trace.exp
+++ b/test/appimage/appimage-trace.exp
@@ -31,7 +31,7 @@ expect {
 }
 expect {
        timeout {puts "shutdown\n"}
-        "AppImage unmounted"
+        "AppImage detached"
 }
 sleep 1
@@ -58,7 +58,7 @@ expect {
 }
 expect {
        timeout {puts "shutdown\n"}
-        "AppImage unmounted"
+        "AppImage detached"
 }
 sleep 1
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index d90793bb3..b8b6e0c96 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -84,7 +84,7 @@ send -- "firejail --shutdown=appimage-test\r"
 set spawn_id $appimage_id
 expect {
        timeout {puts "shutdown\n"}
-        "AppImage unmounted"
+        "AppImage detached"
 }
 after 100
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp
index b606c7a77..243824f75 100755
--- a/test/appimage/appimage-v2.exp
+++ b/test/appimage/appimage-v2.exp
@@ -83,7 +83,7 @@ send -- "firejail --shutdown=appimage-test\r"
 set spawn_id $appimage_id
 expect {
        timeout {puts "shutdown\n"}
-        "AppImage unmounted"
+        "AppImage detached"
 }
 after 100
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
index 548cd7fdf..e766b1acd 100755
--- a/test/appimage/appimage.sh
+++ b/test/appimage/appimage.sh
@@ -20,4 +20,4 @@ echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
 ./appimage-args.exp
 echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)"
-./appimage-args.exp
+./appimage-trace.exp
diff --git a/test/appimage/filename.exp b/test/appimage/filename.exp
index 7b64129b7..54d8d722d 100755
--- a/test/appimage/filename.exp
+++ b/test/appimage/filename.exp
@@ -17,7 +17,7 @@ after 100
 send -- "firejail --appimage /etc/shadow\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "cannot access"
+        "cannot read"
 }
 after 100