74 files changed, 1066 insertions, 391 deletions
diff --git a/README b/README
index 3769b2df4..875147361 100644
--- a/README
+++ b/README
@@ -274,6 +274,10 @@ jrabe (https://github.com/jrabe)
        - Polari profile
        - qTox profile
        - X11 fixes
+juan (https://github.com/nyancat18)
+        - fixed Kdenlive, Shotcut profiles
+        - new profiles for Cinelerra, Cliqz, Bluefish
+        - profile hardening
 Kaan Genç (https://github.com/SeriousBug)
        - dynamic allocation of noblacklist buffer
 KellerFuchs (https://github.com/KellerFuchs)
@@ -355,6 +359,8 @@ Peter Hogg (https://github.com/pigmonkey)
        - fixes for youtube-dl in mpv profile
 Petter Reinholdtsen (pere@hungry.com)
        - Opera profile patch
+PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
+        - fix quiterss profile
 pirate486743186 (https://github.com/pirate486743186)
        - KMail profile
 Pixel Fairy (https://github.com/xahare)
diff --git a/README.md b/README.md
index 26f3dc3c5..303bd3359 100644
--- a/README.md
+++ b/README.md
@@ -180,4 +180,5 @@ calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
 calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
 imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
 ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
-conky, arch-audit, ffmpeg
+conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,
+aosp
diff --git a/RELNOTES b/RELNOTES
index 5bc07f000..4c272ccee 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.51) baseline; urgency=low
  * work in progress!
  * enhancement: support Firejail user config directory in firecfg
+  * enhancement: disable DBus activation in firecfg
  * feature: --writable-run-user
  * feature: profile build tool (--build)
 -- netblue30 <netblue30@yahoo.com>  Thu, 14 Sep 2017 20:00:00 -0500
diff --git a/etc/android-studio.profile b/etc/android-studio.profile
index 1e1953780..6be92e1c0 100644
--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
diff --git a/etc/aosp.profile b/etc/aosp.profile
new file mode 100644
index 000000000..5ceef9348
--- /dev/null
+++ b/etc/aosp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for aosp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aosp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.bash_history
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.repo_.gitconfig.json
+noblacklist ${HOME}/.repoconfig
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+#seccomp
+shell none
+private-tmp
diff --git a/etc/ark.profile b/etc/ark.profile
index 38bd5246e..ba9cb1134 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/atom.profile b/etc/atom.profile
index 8629c3dd8..db3cbc687 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -23,7 +23,11 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+# net none
 shell none
 private-dev
 private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/atril.profile b/etc/atril.profile
index 2e4af9086..052b41655 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 no3d
 nodvd
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 52e701821..7e2b91773 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 9fbc2b16d..88aea243e 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 4e603971f..2c2d70c00 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 no3d
 nodvd
@@ -29,8 +31,10 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+shell none
 x11 xorg
+private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
 private-dev
 private-tmp
diff --git a/etc/bluefish.profile b/etc/bluefish.profile
new file mode 100644
index 000000000..f7e322838
--- /dev/null
+++ b/etc/bluefish.profile
@@ -0,0 +1,34 @@
+# Firejail profile for bluefish
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/bluefish.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin bluefish
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/calligra.profile b/etc/calligra.profile
index e90c8efe8..d2b76d22c 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
+net none
 nodvd
 nogroups
 nonewprivs
@@ -25,5 +26,5 @@ shell none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
 private-dev
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
diff --git a/etc/cin.profile b/etc/cin.profile
index eeeda476f..6b3e3888b 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -24,7 +24,7 @@ protocol unix
 seccomp
 shell none
-#private-bin cin
+private-bin cin,ffmpeg
 private-dev
 noexec ${HOME}
diff --git a/etc/cinelerra.profile b/etc/cinelerra.profile
new file mode 100644
index 000000000..e6a1941b5
--- /dev/null
+++ b/etc/cinelerra.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for cin
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/cin.profile
diff --git a/etc/clamdscan.profile b/etc/clamdscan.profile
index 1fc728206..f6861dfa1 100644
--- a/etc/clamdscan.profile
+++ b/etc/clamdscan.profile
@@ -1,5 +1,6 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+quiet
 # Redirect
diff --git a/etc/clamdtop.profile b/etc/clamdtop.profile
index 1fc728206..f6861dfa1 100644
--- a/etc/clamdtop.profile
+++ b/etc/clamdtop.profile
@@ -1,5 +1,6 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+quiet
 # Redirect
diff --git a/etc/clamscan.profile b/etc/clamscan.profile
index 1fc728206..f6861dfa1 100644
--- a/etc/clamscan.profile
+++ b/etc/clamscan.profile
@@ -1,5 +1,6 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+quiet
 # Redirect
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
new file mode 100644
index 000000000..a7c791a02
--- /dev/null
+++ b/etc/cliqz.profile
@@ -0,0 +1,83 @@
+# Firejail profile for cliqz
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cliqz.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ~/.cache/cliqz
+noblacklist ~/.config/cliqz
+noblacklist ~/.config/okularpartrc
+noblacklist ~/.config/okularrc
+noblacklist ~/.config/qpdfview
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularpartrc
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde4/share/config/okularpartrc
+noblacklist ~/.kde4/share/config/okularrc
+noblacklist ~/.local/share/gnome-shell/extensions
+noblacklist ~/.local/share/okular
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.pki
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+mkdir ~/.cache/mozilla/firefox
+mkdir ~/.mozilla
+mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.config/okularpartrc
+whitelist ~/.config/okularrc
+whitelist ~/.config/pipelight-silverlight5.1
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/qpdfview
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.kde/share/config/okularpartrc
+whitelist ~/.kde/share/config/okularrc
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde4/share/config/okularpartrc
+whitelist ~/.kde4/share/config/okularrc
+whitelist ~/.keysnail.js
+whitelist ~/.lastpass
+whitelist ~/.local/share/gnome-shell/extensions
+whitelist ~/.local/share/okular
+whitelist ~/.local/share/qpdfview
+whitelist ~/.mozilla
+whitelist ~/.pentadactyl
+whitelist ~/.pentadactylrc
+whitelist ~/.pki
+whitelist ~/.vimperator
+whitelist ~/.vimperatorrc
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.zotero
+whitelist ~/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-dev
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/dia.profile b/etc/dia.profile
index abe83ac8c..800c3bbf1 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -13,7 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index abce0fe57..d943950d4 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -120,7 +120,8 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-blacklist /var/log
+# blacklist /var/log - a virtual /var/log directory (mostly empty) is buid up by default for
+#          every sandbox, unless --writeble-var-log switch is activated
 blacklist /var/mail
 blacklist /var/opt
 blacklist /var/run/acpid.socket
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 615e28172..064e60294 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -81,6 +81,7 @@ blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
+blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
@@ -142,6 +143,8 @@ blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.kde.gwenviewrc
 blacklist ${HOME}/.config/pcmanfm
+blacklist ${HOME}/.config/pdfmod
+blacklist ${HOME}/.config/Pinta
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/psi+
@@ -220,6 +223,8 @@ blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.jack-server
+blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/gwenview
@@ -360,6 +365,8 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.remmina
+blacklist ${HOME}/.repo_.gitconfig.json
+blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
@@ -376,6 +383,7 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser-en
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons
@@ -408,6 +416,7 @@ blacklist ${HOME}/.cache/calibre
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
@@ -427,6 +436,7 @@ blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
 blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 86af9c7b3..6d4f6349a 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index d4cd0530e..2a1302adb 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 7bc5e7481..c198adba9 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/eog.profile b/etc/eog.profile
index e5161b313..5ff926371 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/eom.profile b/etc/eom.profile
index 3fb1fcaf4..802578959 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/evince.profile b/etc/evince.profile
index f503b9a8e..466260c49 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+# net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index e098c95e3..5db39cf61 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -1,4 +1,4 @@
-# Firejail profile for default
+# Firejail profile for ffmpeg
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
@@ -23,11 +25,11 @@ noroot
 # protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
-# memory-deny-write-execute - it breaks old versions of ffmpeg
 shell none
 tracelog
-private-tmp
-private-dev
 private-bin ffmpeg
-include /etc/firejail/whitelist-var-common.inc
+private-dev
+private-tmp
+# memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 8484aa162..01e689b9d 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 3d7af1496..e17d94da0 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -5,9 +5,10 @@ include /etc/firejail/gedit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
-noblacklist ~/.config/gedit
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+noblacklist ${HOME}/.gitconfig
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
diff --git a/etc/gitter.profile b/etc/gitter.profile
index 5a172fcc4..0a47bf888 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -25,6 +25,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-private-bin gitter
+private-bin bash,env,gitter
+private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 326222426..9e70a563a 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -28,10 +28,8 @@ seccomp
 shell none
 disable-mnt
-private
 private-bin gnome-calculator
 private-dev
-# private-etc fonts
 private-tmp
 memory-deny-write-execute
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 7f1577afe..2b025e56c 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 nodvd
 nogroups
diff --git a/etc/hugin.profile b/etc/hugin.profile
index ff88e0d5c..64b6e0c69 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -13,7 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
index 928ec7327..caec416e9 100644
--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.IdeaIC*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index c062ab8ef..04c1020ab 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -27,7 +27,7 @@ protocol unix
 seccomp
 shell none
-#private-bin inkscape
+private-bin inkscape,potrace
 private-dev
 private-tmp
diff --git a/etc/inox.profile b/etc/inox.profile
index 6273c4de6..de4d6205b 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -21,6 +21,10 @@ whitelist ~/.config/inox
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
+nogroups
+noroot
 notv
+shell none
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index a1a5f957c..10c2909a0 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -26,5 +26,5 @@ private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvda
 private-dev
 #private-etc fonts,alternatives,X11,pulse,passwd
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 8ffc43487..7d09857ba 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index c0b37df3c..e95bc23ca 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -31,6 +31,7 @@ whitelist ~/.kde4/share/apps/ktorrent
 whitelist ~/.kde4/share/config/ktorrentrc
 whitelist ~/.local/share/ktorrent
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index caf3095a5..c59b2dcc7 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -12,8 +12,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+whitelist ${HOME}/.cache/mate-calc
+whitelist ${HOME}/.config/caja
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/dconf
+whitelist ${HOME}./config/mate-menu
+whitelist ${HOME}/.themes
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
@@ -27,8 +34,12 @@ seccomp
 shell none
 disable-mnt
+private-bin mate-calc,mate-calculator
+private-etc fonts
 private-dev
+private-opt none
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
index 26ce42fbf..7df7d7faa 100644
--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -11,6 +11,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.fonts
+whitelist ${HOME}/.icons
+whitelist ${HOME}/.themes
 caps.drop all
 netfilter
 no3d
@@ -26,9 +31,11 @@ seccomp
 shell none
 disable-mnt
-private
+private-bin mate-color-select
+private-etc fonts
 private-dev
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index f0de57e0d..3f85addaf 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -12,6 +12,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+whitelist ${HOME}/.config/mate/mate-dictionary
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.fonts
+whitelist ${HOME}/.icons
+whitelist ${HOME}/.themes
 caps.drop all
 netfilter
 no3d
@@ -27,8 +33,12 @@ seccomp
 shell none
 disable-mnt
+private-bin mate-dictionary
+private-etc fonts,resolv.conf
+private-opt mate-dictionary
 private-dev
 private-tmp
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 1cda5022d..dc9946794 100644
--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/musescore.profile b/etc/musescore.profile
index b039d07b2..b3d04c08f 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/natron.profile b/etc/natron.profile
index d77539d83..b76649605 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -26,6 +26,7 @@ notv
 protocol unix,inet,inet6
 seccomp
 shell none
+net none
 private-bin natron,Natron,NatronRenderer
diff --git a/etc/okular.profile b/etc/okular.profile
index 94736fbae..60390e4d8 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
-# private-bin okular,kbuildsycoca4,lpr
+# private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
 private-tmp
diff --git a/etc/openshot-qt.profile b/etc/openshot-qt.profile
new file mode 100644
index 000000000..cbd1f8fe8
--- /dev/null
+++ b/etc/openshot-qt.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for openshot
+# This file is overwritten after every install/update
+# Redirect
+include /etc/firejail/openshot.profile
diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile
new file mode 100644
index 000000000..8489e79a6
--- /dev/null
+++ b/etc/pdfmod.profile
@@ -0,0 +1,38 @@
+# Firejail profile for pdfmod
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pdfmod.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.cache/pdfmod
+noblacklist ${HOME}/.config/pdfmod
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pinta.profile b/etc/pinta.profile
new file mode 100644
index 000000000..cb6e05d35
--- /dev/null
+++ b/etc/pinta.profile
@@ -0,0 +1,34 @@
+# Firejail profile for pinta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pinta.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/Pinta
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/scribus.profile b/etc/scribus.profile
index dd06fa59f..1b2d0c0b8 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -26,7 +26,10 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/server.profile b/etc/server.profile
index edd4666e1..860e0056d 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,7 +13,6 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
-# noblacklist /var/log
 # noblacklist /var/opt
 include /etc/firejail/disable-common.inc
@@ -29,6 +28,8 @@ notv
 novideo
 seccomp
+# netfilter /etc/firejail/webserver.net
 # disable-mnt
 private
 # private-bin program
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index e30bc1f46..4e8b1da05 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -27,5 +27,5 @@ shell none
 #private-bin shotcut,melt,qmelt,nice
 private-dev
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
diff --git a/etc/steam.profile b/etc/steam.profile
index b4b9ede70..33c082533 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -46,5 +46,6 @@ shell none
 # private-dev should be commented for controllers
 private-dev
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
+# private-etc breaks some games
+#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index b0014ace6..2617c0e51 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -14,7 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
@@ -26,7 +26,7 @@ protocol unix
 seccomp
 shell none
-#private-bin synfigstudio
+#private-bin synfigstudio,synfig,ffmpeg
 private-dev
 private-tmp
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index fbc198cc3..30e2a619d 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
diff --git a/etc/uefitool.profile b/etc/uefitool.profile
new file mode 100644
index 000000000..138f69aa8
--- /dev/null
+++ b/etc/uefitool.profile
@@ -0,0 +1,33 @@
+# Firejail profile for uefitool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/uefitool.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 2a38aa7c6..d380b5698 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index 2322c1fae..67995f345 100644
--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -65,6 +65,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 netfilter
@@ -78,7 +79,8 @@ seccomp
 shell none
 tracelog
-# private-bin waterfox,which,sh,dbus-launch,dbus-send,env
+# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
+# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,dash,bash
 private-dev
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
 private-tmp
diff --git a/etc/xreader.profile b/etc/xreader.profile
index c02b9a014..bebcb262f 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 no3d
 nodvd
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index b9ff3948a..53f2a0c82 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
diff --git a/mkdeb.sh b/mkdeb.sh
index 6c3eeb1f3..68f0e12d4 100755
--- a/mkdeb.sh
+++ b/mkdeb.sh
@@ -19,7 +19,7 @@ tar -xJvf $CODE_ARCHIVE
 #mkdir -p $INSTALL_DIR
 cd $CODE_DIR
 ./configure --prefix=/usr --enable-git-install
-make
+make -j2
 mkdir debian
 DESTDIR=debian make install-strip
@@ -43,7 +43,7 @@ cp platform/debian/conffiles $DEBIAN_CTRL_DIR/.
 find $INSTALL_DIR  -type d | xargs chmod 755
 cd $CODE_DIR
 fakeroot dpkg-deb --build debian
-lintian debian.deb
+lintian --no-tag-display-limit debian.deb
 mv debian.deb ../firejail_$2_1_amd64.deb
 echo "if building a 32bit package, rename the deb file manually"
 cd ..
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 27623aee3..cee008786 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -358,4 +358,60 @@
 /etc/firejail/yandex-browser.profile
 /etc/firejail/itch.profile
 /etc/firejail/whitelist-var-common.inc
-/etc/firejail/ffmpeg
+/etc/firejail/ffmpeg.profile
+/etc/firejail/Natron.profile
+/etc/firejail/Viber.profile
+/etc/firejail/amule.profile
+/etc/firejail/arch-audit.profile
+/etc/firejail/ardour4.profile
+/etc/firejail/ardour5.profile
+/etc/firejail/bluefish.profile
+/etc/firejail/brackets.profile
+/etc/firejail/calligra.profile
+/etc/firejail/calligraauthor.profile
+/etc/firejail/calligraconverter.profile
+/etc/firejail/calligraflow.profile
+/etc/firejail/calligraplan.profile
+/etc/firejail/calligraplanwork.profile
+/etc/firejail/calligrasheets.profile
+/etc/firejail/cin.profile
+/etc/firejail/calligrastage.profile
+/etc/firejail/calligrawords.profile
+/etc/firejail/cinelerra.profile
+/etc/firejail/clamav.profile
+/etc/firejail/clamdscan.profile
+/etc/firejail/clamdtop.profile
+/etc/firejail/clamscan.profile
+/etc/firejail/cliqz.profile
+/etc/firejail/conky.profile
+/etc/firejail/dooble-qt4.profile
+/etc/firejail/dooble.profile
+/etc/firejail/fetchmail.profile
+/etc/firejail/freecad.profile
+/etc/firejail/freecadcmd.profile
+/etc/firejail/freshclam.profile
+/etc/firejail/google-earth.profile
+/etc/firejail/imagej.profile
+/etc/firejail/karbon.profile
+/etc/firejail/kdenlive.profile
+/etc/firejail/krita.profile
+/etc/firejail/linphone.profile
+/etc/firejail/lmms.profile
+/etc/firejail/macrofusion.profile
+/etc/firejail/mpd.profile
+/etc/firejail/natron.profile
+/etc/firejail/openshot-qt.profile
+/etc/firejail/pinta.profile
+/etc/firejail/ricochet.profile
+/etc/firejail/rocketchat.profile
+/etc/firejail/shotcut.profile
+/etc/firejail/smtube.profile
+/etc/firejail/surf.profile
+/etc/firejail/teamspeak3.profile
+/etc/firejail/terasology.profile
+/etc/firejail/tor-browser-en.profile
+/etc/firejail/tor.profile
+/etc/firejail/uefitool.profile
+/etc/firejail/x-terminal-emulator.profile
+/etc/firejail/xmr-stak-cpu.profile
+/etc/firejail/zart.profile
diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
index 50f9f0512..13049f736 100755
--- a/platform/rpm/old-mkrpm.sh
+++ b/platform/rpm/old-mkrpm.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-VERSION="0.9.50"
+VERSION="0.9.51"
 rm -fr ~/rpmbuild
 rm -f firejail-$VERSION-1.x86_64.rpm
@@ -33,6 +33,7 @@ install -m 755 /usr/lib/firejail/fnet  firejail-$VERSION/usr/lib/firejail/.
 install -m 755 /usr/lib/firejail/fseccomp  firejail-$VERSION/usr/lib/firejail/.
 install -m 755 /usr/lib/firejail/fshaper.sh  firejail-$VERSION/usr/lib/firejail/.
 install -m 755 /usr/lib/firejail/ftee  firejail-$VERSION/usr/lib/firejail/.
+install -m 755 /usr/lib/firejail/fbuilder  firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libtracelog.so  firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libtrace.so  firejail-$VERSION/usr/lib/firejail/.
 install -m 644 /usr/lib/firejail/libpostexecseccomp.so  firejail-$VERSION/usr/lib/firejail/.
@@ -470,11 +471,66 @@ rm -rf %{buildroot}
 %{_sysconfdir}/%{name}/itch.profile
 %{_sysconfdir}/%{name}/minetest.profile
 %{_sysconfdir}/%{name}/yandex-browser.profile
+# 0.9.51
+%{_sysconfdir}/%{name}/Natron.profile
+%{_sysconfdir}/%{name}/Viber.profile
+%{_sysconfdir}/%{name}/amule.profile
+%{_sysconfdir}/%{name}/arch-audit.profile
+%{_sysconfdir}/%{name}/ardour4.profile
+%{_sysconfdir}/%{name}/ardour5.profile
+%{_sysconfdir}/%{name}/bluefish.profile
+%{_sysconfdir}/%{name}/brackets.profile
+%{_sysconfdir}/%{name}/calligra.profile
+%{_sysconfdir}/%{name}/calligraauthor.profile
+%{_sysconfdir}/%{name}/calligraconverter.profile
+%{_sysconfdir}/%{name}/calligraflow.profile
+%{_sysconfdir}/%{name}/calligraplan.profile
+%{_sysconfdir}/%{name}/calligraplanwork.profile
+%{_sysconfdir}/%{name}/calligrasheets.profile
+%{_sysconfdir}/%{name}/calligrastage.profile
+%{_sysconfdir}/%{name}/calligrawords.profile
+%{_sysconfdir}/%{name}/cin.profile
+%{_sysconfdir}/%{name}/cinelerra.profile
+%{_sysconfdir}/%{name}/clamav.profile
+%{_sysconfdir}/%{name}/clamdscan.profile
+%{_sysconfdir}/%{name}/clamdtop.profile
+%{_sysconfdir}/%{name}/clamscan.profile
+%{_sysconfdir}/%{name}/cliqz.profile
+%{_sysconfdir}/%{name}/conky.profile
+%{_sysconfdir}/%{name}/dooble-qt4.profile
+%{_sysconfdir}/%{name}/dooble.profile
+%{_sysconfdir}/%{name}/fetchmail.profile
+%{_sysconfdir}/%{name}/ffmpeg.profile
+%{_sysconfdir}/%{name}/freecad.profile
+%{_sysconfdir}/%{name}/freecadcmd.profile
+%{_sysconfdir}/%{name}/freshclam.profile
+%{_sysconfdir}/%{name}/google-earth.profile
+%{_sysconfdir}/%{name}/imagej.profile
+%{_sysconfdir}/%{name}/karbon.profile
+%{_sysconfdir}/%{name}/kdenlive.profile
+%{_sysconfdir}/%{name}/krita.profile
+%{_sysconfdir}/%{name}/linphone.profile
+%{_sysconfdir}/%{name}/lmms.profile
+%{_sysconfdir}/%{name}/macrofusion.profile
+%{_sysconfdir}/%{name}/mpd.profile
+%{_sysconfdir}/%{name}/natron.profile
+%{_sysconfdir}/%{name}/openshot-qt.profile
+%{_sysconfdir}/%{name}/pinta.profile
+%{_sysconfdir}/%{name}/ricochet.profile
+%{_sysconfdir}/%{name}/rocketchat.profile
+%{_sysconfdir}/%{name}/shotcut.profile
+%{_sysconfdir}/%{name}/smtube.profile
+%{_sysconfdir}/%{name}/surf.profile
+%{_sysconfdir}/%{name}/teamspeak3.profile
+%{_sysconfdir}/%{name}/terasology.profile
+%{_sysconfdir}/%{name}/tor-browser-en.profile
+%{_sysconfdir}/%{name}/tor.profile
+%{_sysconfdir}/%{name}/uefitool.profile
+%{_sysconfdir}/%{name}/whitelist-var-common.inc
+%{_sysconfdir}/%{name}/x-terminal-emulator.profile
+%{_sysconfdir}/%{name}/xmr-stak-cpu.profile
+%{_sysconfdir}/%{name}/zart.profile
+ 
 /usr/bin/firejail
 /usr/bin/firemon
 /usr/bin/firecfg
@@ -484,6 +540,7 @@ rm -rf %{buildroot}
 /usr/lib/firejail/libpostexecseccomp.so
 /usr/lib/firejail/faudit
 /usr/lib/firejail/ftee
+/usr/lib/firejail/fbuilder
 /usr/lib/firejail/firecfg.config
 /usr/lib/firejail/fshaper.sh
 /usr/lib/firejail/fcopy
@@ -519,6 +576,8 @@ rm -rf %{buildroot}
 chmod u+s /usr/bin/firejail
 %changelog
+* Sat Sep 23 2017  netblue30 <netblue30@yahoo.com> 0.9.51-1
 * Fri Sep 8 2017  netblue30 <netblue30@yahoo.com> 0.9.50-1
 * Mon Jun 12 2017  netblue30 <netblue30@yahoo.com> 0.9.48-1
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 7d0e2cb7c..31b6ba8e8 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -82,7 +82,11 @@ static void process_bin(const char *fname) {
                if (!ptr2)
                        continue;
                *ptr2 = '\0';
-                
+                // skip strace
+                if (strcmp(ptr, "strace") == 0)
+                        continue;
                bin_out = filedb_add(bin_out, ptr);
        }
        
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 3f5fe48ca..0f71fe7ad 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -75,7 +75,8 @@ void build_profile(int argc, char **argv, int index) {
        int len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
        if (arg_debug)
                printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index);
-        char *cmd[len]; 
+        char *cmd[len];
+        cmd[0] = cmdlist[0];    // explicit assignemnt to clean scan-build error
        
        // build command
        int i = 0;
@@ -89,6 +90,7 @@ void build_profile(int argc, char **argv, int index) {
        int i2 = index;
        for (; i < (len - 1); i++, i2++)
                cmd[i] = argv[i2];
+        assert(i < len);
        cmd[i] = NULL;
        if (arg_debug) {
@@ -101,7 +103,9 @@ void build_profile(int argc, char **argv, int index) {
        if (child == -1)
                errExit("fork");
        if (child == 0) {
+                assert(cmd[0]);
                int rv = execvp(cmd[0], cmd);
+                (void) rv;
                errExit("execv");
        }
        
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
new file mode 100644
index 000000000..c1d456147
--- /dev/null
+++ b/src/firecfg/desktop_files.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firecfg.h"
+#include <ctype.h>
+static int check_profile(const char *name, const char *homedir) {
+        // build profile name
+        char *profname1;
+        char *profname2;
+        if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, name) == -1)
+                errExit("asprintf");
+        if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, name) == -1)
+                errExit("asprintf");
+        int rv = 0;
+        if (access(profname1, R_OK) == 0) {
+                if (arg_debug)
+                        printf("found %s\n", profname1);
+                rv = 1;
+        }
+        else if (access(profname2, R_OK) == 0) {
+                if (arg_debug)
+                        printf("found %s\n", profname2);
+                rv = 1;
+        }
+                
+        free(profname1);
+        free(profname2);
+        return rv;
+}
+// look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory
+static int have_profile(const char *filename, const char *homedir) {
+        assert(filename);
+        assert(homedir);
+        if (arg_debug)
+                printf("checking profile for %s\n", filename);
+        // we get strange names here, such as .org.gnom.gedit.desktop, com.uploadedlobster.peek.desktop,
+        // or io.github.Pithos.desktop; extract the word before .desktop
+        
+        char *tmpfname = strdup(filename);
+        if (!tmpfname)
+                errExit("strdup");
+                
+        // check .desktop extension
+        int len = strlen(tmpfname);
+        if (len <= 8)
+                return 0;
+        if (strcmp(tmpfname + len - 8, ".desktop"))
+                return 0;
+        tmpfname[len - 8] = '\0';
+        
+        // extract last word
+        char *last_word = strrchr(tmpfname, '.');
+        if (last_word)
+                last_word++;
+        else
+                last_word = tmpfname;
+        
+        // try lowercase
+        last_word[0] = tolower(last_word[0]);
+        int rv = check_profile(last_word, homedir);
+        if (rv) {
+                free(tmpfname);
+                return rv;
+        }
+        
+        // try uppercase
+        last_word[0] = toupper(last_word[0]);
+        rv = check_profile(last_word, homedir);
+        free(tmpfname);
+        return rv;
+}
+void fix_desktop_files(char *homedir) {
+        assert(homedir);
+        struct stat sb;
+        // check user
+        if (getuid() == 0) {
+                fprintf(stderr, "Error: this option is not supported for root user; please run as a regular user.\n");
+                exit(1);
+        }
+        // destination
+        // create ~/.local/share/applications directory if necessary
+        char *user_apps_dir;
+        if (asprintf(&user_apps_dir, "%s/.local/share/applications", homedir) == -1)
+                errExit("asprintf");
+        if (stat(user_apps_dir, &sb) == -1) {
+                int rv = mkdir(user_apps_dir, 0700);
+                if (rv) {
+                        fprintf(stderr, "Error: cannot create ~/.local/application directory\n");
+                        perror("mkdir");
+                        exit(1);
+                }
+                rv = chmod(user_apps_dir, 0700);
+                (void) rv;
+        }
+        // source
+        DIR *dir = opendir("/usr/share/applications");
+        if (!dir) {
+                perror("Error: cannot open /usr/share/applications directory");
+                exit(1);
+        }
+        if (chdir("/usr/share/applications")) {
+                perror("Error: cannot chdir to /usr/share/applications");
+                exit(1);
+        }
+        printf("\nFixing desktop files in %s\n", user_apps_dir);
+        // copy
+        struct dirent *entry;
+        while ((entry = readdir(dir)) != NULL) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+                // skip if not regular file or link
+                // d_type is not available on some file systems
+                if (entry->d_type != DT_REG && entry->d_type != DT_LNK && entry->d_type != DT_UNKNOWN)
+                        continue;
+                // skip if not .desktop file
+                if (strstr(entry->d_name,".desktop") != (entry->d_name+strlen(entry->d_name)-8))
+                        continue;
+                char *filename = entry->d_name;
+                // skip links
+                if (is_link(filename))
+                        continue;
+                if (stat(filename, &sb) == -1)
+                        errExit("stat");
+                // no profile in /etc/firejail, no desktop file fixing
+                if (!have_profile(filename, homedir))
+                        continue;
+                //****************************************************
+                // load the file in memory and do some basic checking
+                //****************************************************
+                /* coverity[toctou] */
+                int fd = open(filename, O_RDONLY);
+                if (fd == -1) {
+                        fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename);
+                        continue;
+                }
+                char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+                if (buf == MAP_FAILED)
+                        errExit("mmap");
+                close(fd);
+                // check format
+                if (strstr(buf, "[Desktop Entry]\n") == NULL) {
+                        if (arg_debug)
+                                printf("   %s - skipped: wrong format?\n", filename);
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                // get executable name
+                char *ptr = strstr(buf,"\nExec=");
+                if (!ptr || strlen(ptr) < 7) {
+                        if (arg_debug)
+                                printf("   %s - skipped: wrong format?\n", filename);
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                char *execname = ptr + 6;
+                // executable name can be quoted, this is rare and currently unsupported, TODO
+                if (execname[0] == '"') {
+                        if (arg_debug)
+                                printf("   %s - skipped: path quoting unsupported\n", filename);
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                // try to decide if we need to covert this file
+                char *change_exec = NULL;
+                int change_dbus = 0;
+                if (strstr(buf, "\nDBusActivatable=true"))
+                        change_dbus = 1;
+                // https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html
+                // The executable program can either be specified with its full path
+                // or with the name of the executable only
+                if (execname[0] == '/') {
+                        // mark end of line
+                        char *end = strchr(execname, '\n');
+                        if (end)
+                                *end = '\0';
+                        end = strchr(execname, ' ');
+                        if (end)
+                                *end = '\0';
+                        char *start_name = strrchr(execname, '/');
+                        if (start_name) {
+                                start_name++;
+                                // check if we have the executable on the regular path
+                                if (which(start_name)) {
+                                        change_exec = strdup(start_name);
+                                        if (!change_exec)
+                                                errExit("strdup");
+                                }
+                        }
+                }
+                
+                if (change_exec == NULL && change_dbus == 0) {
+                        munmap(buf, sb.st_size + 1);
+                        continue;
+                }
+                
+                munmap(buf, sb.st_size + 1);
+                //****************************************************
+                // generate output file
+                //****************************************************
+                char *outname;
+                if (asprintf(&outname ,"%s/%s", user_apps_dir, filename) == -1)
+                        errExit("asprintf");
+                if (stat(outname, &sb) == 0) {
+                        printf("   %s skipped: file exists\n", filename);
+                        continue;
+                }
+                
+                FILE *fpin = fopen(filename, "r");
+                if (!fpin) {
+                        fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename);
+                        continue;
+                }
+                
+                FILE *fpout = fopen(outname, "w");
+                if (!fpout) {
+                        fprintf(stderr, "Error: cannot open ~/.local/share/applications/%s\n", outname);
+                        fclose(fpin);
+                        continue;
+                }
+                fprintf(fpout, "# converted by firecfg\n");
+                free(outname);
+                char fbuf[MAX_BUF];
+                while (fgets(fbuf, MAX_BUF, fpin)) {
+                        if (change_dbus && strcmp(fbuf, "DBusActivatable=true\n") == 0)
+                                fprintf(fpout, "DBusActivatable=false\n");
+                        else if (change_exec && strncmp(fbuf, "Exec=", 5) == 0) {
+                                char *start_params = strchr(fbuf + 5, ' ');
+                                if (start_params) {
+                                        start_params++;
+                                        fprintf(fpout, "Exec=%s %s", change_exec, start_params);
+                                }
+                                else
+                                        fprintf(fpout, "Exec=%s\n", change_exec);
+                        }
+                        else
+                                fprintf(fpout, "%s", fbuf);     
+                }
+                
+                if (change_exec)
+                        free(change_exec);
+                fclose(fpin);
+                fclose(fpout);
+                printf("   %s created\n", filename);
+        }
+        closedir(dir);
+        free(user_apps_dir);
+}
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 5a36f5e3e..9baa6a6e4 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -40,6 +40,7 @@ bitlbee
 bleachbit
 blender
 bless
+bluefish
 brackets
 brasero
 brave
@@ -58,12 +59,14 @@ cherrytree
 chromium
 chromium-browser
 cin
+cinelerra
 clamdscan
 clamdtop
 clamscan
 claws-mail
 clementine
 clipit
+cliqz
 cmus
 conkeror
 conky
@@ -241,17 +244,20 @@ odt2txt
 okular
 open-invaders
 openshot
+openshot-qt
 opera
 opera-beta
 orage
 palemoon
 parole
+pdfmod
 pdfsam
 pdftotext
 peek
 picard
 pidgin
 pingus
+pinta
 pithos
 pix
 pluma
@@ -314,6 +320,7 @@ transmission-qt
 transmission-show
 truecraft
 tuxguitar
+uefitool
 uget-gtk
 unbound
 unknown-horizons
diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h
new file mode 100644
index 000000000..c4640feb8
--- /dev/null
+++ b/src/firecfg/firecfg.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <grp.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <pwd.h>
+#include <dirent.h>
+#include "../include/common.h"
+#define MAX_BUF 4096
+// main.c
+extern int arg_debug;
+// util.c
+int which(const char *program);
+int is_link(const char *fname);
+// sound.c
+void sound(void);
+// desktop_files.c
+void fix_desktop_files(char *homedir);
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 5928b9ae5..1cdd39c1f 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -18,24 +18,8 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#define _GNU_SOURCE
+#include "firecfg.h"
-#include <stdio.h>
+int arg_debug = 0;
-#include <sys/types.h>
-#include <dirent.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <grp.h>
-#include <string.h>
-#include <errno.h>
-#include <sys/mman.h>
-#include <pwd.h>
-#include <dirent.h>
-#include "../include/common.h"
-static int arg_debug = 0;
-#define MAX_BUF 1024
 static void usage(void) {
        printf("firecfg - version %s\n\n", VERSION);
@@ -71,113 +55,6 @@ static void usage(void) {
        printf("Homepage: http://firejail.wordpress.com\n\n");
 }
-static void sound(void) {
-        struct passwd *pw = getpwuid(getuid());
-        if (!pw) {
-                goto errexit;
-        }
-        char *home = pw->pw_dir;
-        if (!home) {
-                goto errexit;
-        }
-        // the input file is /etc/pulse/client.conf
-        FILE *fpin = fopen("/etc/pulse/client.conf", "r");
-        if (!fpin) {
-                fprintf(stderr, "PulseAudio is not available on this platform, there is nothing to fix...\n");
-                return;
-        }
-        // the dest is PulseAudio user config file
-        char *fname;
-        if (asprintf(&fname, "%s/.config/pulse/client.conf", home) == -1)
-                errExit("asprintf");
-        FILE *fpout = fopen(fname, "w");
-        free(fname);
-        if (!fpout)
-                goto errexit;
-        // copy default config
-        char buf[MAX_BUF];
-        while (fgets(buf, MAX_BUF, fpin))
-                fputs(buf, fpout);
-        // disable shm
-        fprintf(fpout, "\nenable-shm = no\n");
-        fclose(fpin);
-        fclose(fpout);
-        printf("PulseAudio configured, please logout and login back again\n");
-        return;
-errexit:
-        fprintf(stderr, "Error: cannot configure sound file\n");
-        exit(1);
-}
-// return 1 if the program is found
-static int find(const char *program, const char *directory) {
-        int retval = 0;
-        char *fname;
-        if (asprintf(&fname, "/%s/%s", directory, program) == -1)
-                errExit("asprintf");
-        struct stat s;
-        if (stat(fname, &s) == 0) {
-                if (arg_debug)
-                        printf("found %s in directory %s\n", program, directory);
-                retval = 1;
-        }
-        free(fname);
-        return retval;
-}
-// return 1 if program is installed on the system
-static int which(const char *program) {
-        // check some well-known paths
-        if (find(program, "/bin") || find(program, "/usr/bin") ||
-             find(program, "/sbin") || find(program, "/usr/sbin") ||
-             find(program, "/usr/games"))
-                return 1;
-        // check environment
-        char *path1 = getenv("PATH");
-        if (path1) {
-                char *path2 = strdup(path1);
-                if (!path2)
-                        errExit("strdup");
-                // use path2 to count the entries
-                char *ptr = strtok(path2, ":");
-                while (ptr) {
-                        if (find(program, ptr)) {
-                                free(path2);
-                                return 1;
-                        }
-                        ptr = strtok(NULL, ":");
-                }
-                free(path2);
-        }
-        return 0;
-}
-// return 1 if the file is a link
-static int is_link(const char *fname) {
-        assert(fname);
-        if (*fname == '\0')
-                return 0;
-        struct stat s;
-        if (lstat(fname, &s) == 0) {
-                if (S_ISLNK(s.st_mode))
-                        return 1;
-        }
-        return 0;
-}
 static void list(void) {
        DIR *dir = opendir("/usr/local/bin");
@@ -388,221 +265,6 @@ static void set_links_homedir(const char *homedir) {
        free(firejail_exec);
 }
-// look for a profile file in /etc/firejail diectory and in homedir/.config/firejail directory
-static int have_profile(const char *filename, const char *homedir) {
-        assert(filename);
-        assert(homedir);
-        if (arg_debug)
-                printf("checking profile for %s\n", filename);
-        // remove .desktop extension
-        char *f1 = strdup(filename);
-        if (!f1)
-                errExit("strdup");
-        f1[strlen(filename) - 8] = '\0';
-        // build profile name
-        char *profname1;
-        char *profname2;
-        if (asprintf(&profname1, "%s/%s.profile", SYSCONFDIR, f1) == -1)
-                errExit("asprintf");
-        if (asprintf(&profname2, "%s/.config/firejail/%s.profile", homedir, f1) == -1)
-                errExit("asprintf");
-        int rv = 0;
-        if (access(profname1, R_OK) == 0) {
-                if (arg_debug)
-                        printf("found %s\n", profname1);
-                rv = 1;
-        }
-        else if (access(profname2, R_OK) == 0) {
-                if (arg_debug)
-                        printf("found %s\n", profname2);
-                rv = 1;
-        }
-                
-        free(f1);
-        free(profname1);
-        free(profname2);
-        return rv;
-}
-static void fix_desktop_files(char *homedir) {
-        assert(homedir);
-        struct stat sb;
-        // check user
-        if (getuid() == 0) {
-                fprintf(stderr, "Error: this option is not supported for root user; please run as a regular user.\n");
-                exit(1);
-        }
-        // destination
-        // create ~/.local/share/applications directory if necessary
-        char *user_apps_dir;
-        if (asprintf(&user_apps_dir, "%s/.local/share/applications", homedir) == -1)
-                errExit("asprintf");
-        if (stat(user_apps_dir, &sb) == -1) {
-                int rv = mkdir(user_apps_dir, 0700);
-                if (rv) {
-                        fprintf(stderr, "Error: cannot create ~/.local/application directory\n");
-                        perror("mkdir");
-                        exit(1);
-                }
-                rv = chmod(user_apps_dir, 0700);
-                (void) rv;
-        }
-        // source
-        DIR *dir = opendir("/usr/share/applications");
-        if (!dir) {
-                perror("Error: cannot open /usr/share/applications directory");
-                exit(1);
-        }
-        if (chdir("/usr/share/applications")) {
-                perror("Error: cannot chdir to /usr/share/applications");
-                exit(1);
-        }
-        printf("\nFixing desktop files in %s\n", user_apps_dir);
-        // copy
-        struct dirent *entry;
-        while ((entry = readdir(dir)) != NULL) {
-                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
-                        continue;
-                // skip if not regular file or link
-                // d_type is not available on some file systems
-                if (entry->d_type != DT_REG && entry->d_type != DT_LNK && entry->d_type != DT_UNKNOWN)
-                        continue;
-                // skip if not .desktop file
-                if (strstr(entry->d_name,".desktop") != (entry->d_name+strlen(entry->d_name)-8))
-                        continue;
-                char *filename = entry->d_name;
-                // skip links
-                if (is_link(filename))
-                        continue;
-                if (stat(filename, &sb) == -1)
-                        errExit("stat");
-                // no profile in /etc/firejail, no desktop file fixing
-                if (!have_profile(filename, homedir))
-                        continue;
-                /* coverity[toctou] */
-                int fd = open(filename, O_RDONLY);
-                if (fd == -1)
-                        errExit("open");
-                char *buf = mmap(NULL, sb.st_size + 1, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-                if (buf == MAP_FAILED)
-                        errExit("mmap");
-                close(fd);
-                // check format
-                if (strstr(buf, "[Desktop Entry]\n") == NULL) {
-                        if (arg_debug)
-                                printf("   %s - SKIPPED: wrong format?\n", filename);
-                        munmap(buf, sb.st_size + 1);
-                        continue;
-                }
-                // get executable name
-                char *ptr1 = strstr(buf,"\nExec=");
-                if (!ptr1 || strlen(ptr1) < 7) {
-                        if (arg_debug)
-                                printf("   %s - SKIPPED: wrong format?\n", filename);
-                        munmap(buf, sb.st_size + 1);
-                        continue;
-                }
-                char *execname = ptr1 + 6;
-                // https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html
-                // The executable program can either be specified with its full path
-                // or with the name of the executable only
-                if (execname[0] != '/') {
-                        if (arg_debug)
-                                printf("   %s - already OK\n", filename);
-                        continue;
-                }
-                // executable name can be quoted, this is rare and currently unsupported, TODO
-                if (execname[0] == '"') {
-                        if (arg_debug)
-                                printf("   %s - skipped: path quoting unsupported\n", filename);
-                        continue;
-                }
-                // put '\0' at end of filename
-                char *tail = NULL;
-                char endchar = ' ';
-                if (execname[0] == '/') {
-                        char *ptr2 = index(execname, ' ');
-                        char *ptr3 = index(execname, '\n');
-                        if (ptr2 && (!ptr3 || (ptr2 < ptr3))) {
-                                endchar = ptr2[0];
-                                ptr2[0] = '\0';
-                                tail = ptr2 + 1;
-                        } else if (ptr3 && (!ptr2 || (ptr3 < ptr2))) {
-                                endchar = ptr3[0];
-                                ptr3[0] = '\0';
-                                tail = ptr3 + 1;
-                        }
-                        ptr1[5] = '\0';
-                }
-                char *bname = basename(execname);
-                assert(bname);
-                // check if basename in PATH
-                if (!which(bname)) {
-                        printf("   %s - skipped, %s not in PATH\n", filename, bname);
-                        continue;
-                }
-                char *outname;
-                if (asprintf(&outname ,"%s/%s", user_apps_dir, filename) == -1)
-                        errExit("asprintf");
-                int fd1 = open(outname, O_CREAT | O_WRONLY | O_EXCL, S_IRUSR | S_IWUSR);
-                free(outname);
-                if (fd1 == -1) {
-                        printf("   %s skipped: %s\n", filename, strerror(errno));
-                        munmap(buf, sb.st_size + 1);
-                        continue;
-                }
-                FILE *outfile = fdopen(fd1, "w");
-                if (!outfile) {
-                        printf("   %s skipped: %s\n", filename, strerror(errno));
-                        munmap(buf, sb.st_size + 1);
-                        close(fd1);
-                        continue;
-                }
-                if (fprintf(outfile,\
-                "# Converted by firecfg --fix from /usr/share/applications/%s\n\n%s=%s%c%s",\
-                filename, buf, bname, endchar, tail) < 0) {
-                        fprintf(stderr, "Unable to write %s/%s: %s\n", user_apps_dir, filename, strerror(errno));
-                        munmap(buf, sb.st_size + 1);
-                        fclose(outfile);
-                        continue;
-                }
-                fclose(outfile);
-                munmap(buf, sb.st_size + 1);
-                printf("   %s created\n", filename);
-        }
-        closedir(dir);
-        free(user_apps_dir);
-}
 int main(int argc, char **argv) {
        int i;
diff --git a/src/firecfg/sound.c b/src/firecfg/sound.c
new file mode 100644
index 000000000..9dfb305cd
--- /dev/null
+++ b/src/firecfg/sound.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firecfg.h"
+void sound(void) {
+        struct passwd *pw = getpwuid(getuid());
+        if (!pw) {
+                goto errexit;
+        }
+        char *home = pw->pw_dir;
+        if (!home) {
+                goto errexit;
+        }
+        // the input file is /etc/pulse/client.conf
+        FILE *fpin = fopen("/etc/pulse/client.conf", "r");
+        if (!fpin) {
+                fprintf(stderr, "PulseAudio is not available on this platform, there is nothing to fix...\n");
+                return;
+        }
+        // the dest is PulseAudio user config file
+        char *fname;
+        if (asprintf(&fname, "%s/.config/pulse/client.conf", home) == -1)
+                errExit("asprintf");
+        FILE *fpout = fopen(fname, "w");
+        free(fname);
+        if (!fpout)
+                goto errexit;
+        // copy default config
+        char buf[MAX_BUF];
+        while (fgets(buf, MAX_BUF, fpin))
+                fputs(buf, fpout);
+        // disable shm
+        fprintf(fpout, "\nenable-shm = no\n");
+        fclose(fpin);
+        fclose(fpout);
+        printf("PulseAudio configured, please logout and login back again\n");
+        return;
+errexit:
+        fprintf(stderr, "Error: cannot configure sound file\n");
+        exit(1);
+}
diff --git a/src/firecfg/util.c b/src/firecfg/util.c
new file mode 100644
index 000000000..4520e75e8
--- /dev/null
+++ b/src/firecfg/util.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firecfg.h"
+// return 1 if the program is found
+static int find(const char *program, const char *directory) {
+        int retval = 0;
+        char *fname;
+        if (asprintf(&fname, "/%s/%s", directory, program) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(fname, &s) == 0) {
+                if (arg_debug)
+                        printf("found %s in directory %s\n", program, directory);
+                retval = 1;
+        }
+        free(fname);
+        return retval;
+}
+// return 1 if program is installed on the system
+int which(const char *program) {
+        // check some well-known paths
+        if (find(program, "/bin") || find(program, "/usr/bin") ||
+             find(program, "/sbin") || find(program, "/usr/sbin") ||
+             find(program, "/usr/games"))
+                return 1;
+        // check environment
+        char *path1 = getenv("PATH");
+        if (path1) {
+                char *path2 = strdup(path1);
+                if (!path2)
+                        errExit("strdup");
+                // use path2 to count the entries
+                char *ptr = strtok(path2, ":");
+                while (ptr) {
+                        if (find(program, ptr)) {
+                                free(path2);
+                                return 1;
+                        }
+                        ptr = strtok(NULL, ":");
+                }
+                free(path2);
+        }
+        return 0;
+}
+// return 1 if the file is a link
+int is_link(const char *fname) {
+        assert(fname);
+        if (*fname == '\0')
+                return 0;
+        struct stat s;
+        if (lstat(fname, &s) == 0) {
+                if (S_ISLNK(s.st_mode))
+                        return 1;
+        }
+        return 0;
+}
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 0ea71e6ba..0a6f40959 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1111,10 +1111,20 @@ void fs_check_chroot_dir(const char *rootdir) {
                        exit(1);
                }
        }
-        if (is_link(name)) {
+        else {
-                fprintf(stderr, "Error: invalid %s file\n", name);
+                fprintf(stderr, "Error: chroot /etc/resolv.conf not found\n");
                exit(1);
        }
+        // on Arch /etc/resolv.conf could be a symlink to /run/systemd/resolve/resolv.conf
+        // on Ubuntu 17.04 /etc/resolv.conf could be a symlink to /run/resolveconf/resolv.conf
+        if (is_link(name)) {
+                // check the link points in chroot
+                char *rname = realpath(name, NULL);
+                if (!rname || strncmp(rname, rootdir, strlen(rootdir)) != 0) {
+                        fprintf(stderr, "Error: chroot /etc/resolv.conf is pointing outside chroot\n");
+                        exit(1);
+                }
+        }
        free(name);
        // check x11 socket directory
@@ -1186,17 +1196,11 @@ void fs_chroot(const char *rootdir) {
                        errExit("mount bind");
                // copy /etc/resolv.conf in chroot directory
-                // if resolv.conf in chroot is a symbolic link, this will fail
-                // no exit on error, let the user deal with the problem
                char *fname;
                if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
                        errExit("asprintf");
                if (arg_debug)
                        printf("Updating /etc/resolv.conf in %s\n", fname);
-                if (is_link(fname)) {
-                        fprintf(stderr, "Error: invalid %s file\n", fname);
-                        exit(1);
-                }
                if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
                        fwarning("/etc/resolv.conf not initialized\n");
        }