27 files changed, 513 insertions, 73 deletions

diff --git a/README b/README
index 67d9a555f..687eab4e0 100644
--- a/README
+++ b/README
@@ -83,6 +83,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
         - added xed and pluma profiles
         - added Cryptocat profile
         - added wireshark profile
+        - uudeview profile fix
 valoq (https://github.com/valoq)
         - lots of profile fixes
         - added support for /srv in --whitelist feature
@@ -97,6 +98,14 @@ valoq (https://github.com/valoq)
         - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
         - added wget profile
         - disable gnupg and systemd directories under /run/user
+Igor Bukanov (https://github.com/ibukanov)
+        - found/fiixed privilege escalation in --hosts-file option
+Cat (https://github.com/ecat3)
+        - prevent tmux connecting to an existing session
+Zack Weinberg (https://github.com/zackw)
+        - sdded support for joining a persistent, named network namespace
+GSI (https://github.com/GSI)
+        - added Uzbl browser profile
 Mike Frysinger (vapier@gentoo.org)
         - Gentoo compile patch
 Jericho (https://github.com/attritionorg)
@@ -113,6 +122,7 @@ thewisenerd (https://github.com/thewisenerd)
 SYN-cook (https://github.com/SYN-cook)
         - keepass/keepassx browser fixes
         - disable-common.inc fixes
+        - blacklist GNOME keyring and Konqueror
 thewisenerd (https://github.com/thewisenerd)
         - appimage: pass commandline arguments
 KOLANICH (https://github.com/KOLANICH)
@@ -224,6 +234,8 @@ KellerFuchs (https://github.com/KellerFuchs)
         - disable-common.inc additions
         - make mutt and msmtp's rc files read-only
         - added support for .local profile files in /etc/firejail
+        - fixed Cryptocat profile
+        - make ~/.local read-only
 ValdikSS (https://github.com/ValdikSS)
         - Psi+, Corebird, Konversation profiles
         - various profile fixes
diff --git a/README.md b/README.md
index f4fa7282f..07de69e42 100644
--- a/README.md
+++ b/README.md
@@ -51,7 +51,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 `````
 
 `````
-## AppImage type 2 support
+## AppImage
+
+Added AppImage type 2 support, and support for passing command line arguments to appimages.
 `````
 
 `````
@@ -75,9 +77,9 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
               Example:
               # firejail --private-srv=www /etc/init.d/apache2 start
 
-       --machine-id
-              Preserve  id  number  in  /etc/machine-id file. By default a new
-              random id is generated inside the sandbox.
+      --machine-id
+              Spoof id number in /etc/machine-id file - a  new  random  id  is
+              generated inside the sandbox.
 
               Example:
               $ firejail --machine-id
@@ -89,7 +91,21 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
               Example:
               $   firejail    --allow-private-blacklist   --private=~/priv-dir
               --blacklist=~/.mozilla
+
+      --hosts-file=file
+              Use file as /etc/hosts.
+
+              Example:
+              $ firejail --hosts-file=~/myhosts firefox
              
+      --writable-var-log
+              Use the real /var/log directory, not  a  clone.  By  default,  a
+              tmpfs  is  mounted  on top of /var/log directory, and a skeleton
+              filesystem is created based on the original /var/log.
+
+              Example:
+              $ sudo firejail --writable-var-log
+
 `````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,
@@ -98,5 +114,5 @@ gjs, gnome-books, gnome-clocks, gnome-documents, gnome-maps, gnome-music, gnome-
 goobox, gpa, gpg, gpg-agent, highlight, img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext,
 simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, w3m, xfburn, xpra, wget,
 xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5,
-PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail
+PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms
 
diff --git a/RELNOTES b/RELNOTES
index 7d0bbaf61..16360bc64 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -14,23 +14,26 @@ firejail (0.9.45) baseline; urgency=low
   * security: split file copying in private option in a separate executable
   * security: root exploit found by Sebastian Krahmer (CVE-2017-5180)
   * feature: disable gnupg and systemd directories under /run/user
-  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
-  * feature: AppImage type 2 support
   * feature: test coverage (gcov) support
+  * feature: allow root user access to /dev/shm (--noblacklist=/dev/shm)
   * feature: private /opt directory (--private-opt, profile support)
   * feature: private /srv directory (--private-srv, profile support)
-  * feature: spoof machine-id
+  * feature: spoof machine-id (--machine-id, profile support)
+  * feature: allow blacklists under --private (--allow-private-blacklist, profile support)
+  * feature: user-defined /etc/hosts file (--hosts-file, profile support)
+  * feature: support for the real /var/log directory (--writable-var-log, profile support)
   * feature: config support for firejail prompt in terminals
+  * feature: AppImage type 2 support
   * feature: pass command line arguments to appimages
-  * feature: --allow-private-blacklist option
-  * feature: allow non-seccomp setup for OverlayFS sandboxes
+  * feature: allow non-seccomp setup for OverlayFS sandboxes - more work to come
   * feature: added a number o Python scripts for handling sandboxes
   * feature: allow local customization using .local files under /etc/firejail
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
   * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
   * new profiles: Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos,
-  * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail
+  * new profies: Xonotic, wireshark, keepassx2, QupZilla, FossaMail,
+  * new profiles: Uzbl browser
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Sun, 23 Oct 2016 08:00:00 -0500
 
diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile
index 3db34c03c..b61b88f68 100644
--- a/etc/Cryptocat.profile
+++ b/etc/Cryptocat.profile
@@ -1,4 +1,4 @@
-# Firejail profile for 
+# Firejail profile for Cryptocat
 noblacklist ${HOME}/.config/Cryptocat
 
 include /etc/firejail/disable-common.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 5a281a91f..64a39296e 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,12 +75,9 @@ blacklist /etc/profile.d
 blacklist /etc/rc.local
 blacklist /etc/anacrontab
 
-# General startup files
+# Startup files
 read-only ${HOME}/.xinitrc
 read-only ${HOME}/.xserverrc
-read-only ${HOME}/.profile
-
-# Shell startup files
 read-only ${HOME}/.antigen
 read-only ${HOME}/.bash_login
 read-only ${HOME}/.bashrc
@@ -99,6 +96,12 @@ read-only ${HOME}/.tcshrc
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.profile
+read-only ${HOME}/.forward
+read-only ${HOME}/.login
+read-only ${HOME}/.logout
+read-only ${HOME}/.pgpkey
+read-only ${HOME}/.plan
+read-only ${HOME}/.project
 
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
@@ -124,8 +127,16 @@ read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
 
-# The user ~/bin directory can override commands such as ls
+# Make directories commonly found in $PATH read-only
 read-only ${HOME}/bin
+read-only ${HOME}/.gem
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
+
+# Make the contents of ~/.local read-only,
+#  except the commonly-used ~/.local/share
+read-only  ${HOME}/.local
+read-write ${HOME}/.local/share
 
 # top secret
 blacklist ${HOME}/.ecryptfs
@@ -133,6 +144,7 @@ blacklist ${HOME}/.Private
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.cert
 blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.local/share/keyrings
 blacklist ${HOME}/.kde4/share/apps/kwallet
 blacklist ${HOME}/.kde/share/apps/kwallet
 blacklist ${HOME}/.local/share/kwalletd
@@ -202,6 +214,8 @@ blacklist /usr/lib64/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
 blacklist /tmp/.lxterminal-socket*
+# prevent tmux connecting to an existing session
+blacklist /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
 blacklist ${PATH}/gnome-terminal
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 96bf1464b..b307978da 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -177,8 +177,17 @@ blacklist ${HOME}/.icedove
 blacklist ${HOME}/.inkscape
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/apps/kcookiejar
+blacklist ${HOME}/.kde/share/apps/khtml
+blacklist ${HOME}/.kde/share/apps/konqsidebartng
+blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/gwenviewrc
+blacklist ${HOME}/.kde/share/config/kcookiejarrc
+blacklist ${HOME}/.kde/share/config/khtmlrc
+blacklist ${HOME}/.kde/share/config/konq_history
+blacklist ${HOME}/.kde/share/config/konqsidebartngrc
+blacklist ${HOME}/.kde/share/config/konquerorrc
 blacklist ${HOME}/.kde/share/config/okularpartrc
 blacklist ${HOME}/.kde/share/config/okularrc
 blacklist ${HOME}/.killingfloor
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 488c7e0b8..25d2da085 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -12,6 +12,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-bin gnome-mplayer,mplayer
+# private-bin gnome-mplayer,mplayer
 private-dev
 private-tmp
diff --git a/etc/login.users b/etc/login.users
index bc6ac4b09..81f12c6b1 100644
--- a/etc/login.users
+++ b/etc/login.users
@@ -9,6 +9,12 @@
 #
 #       netblue:--net=none --protocol=unix
 #
+# Wildcard patterns are accepted in the user name field:
+#
+#       user*: --private
+#
+# The example will do --private for user1, user2, and so on.
+#
 # The extra arguments are inserted into program command line if firejail
 # was started as a login shell.
 
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index ee19cee25..16ef754f6 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -14,7 +14,7 @@ seccomp
 shell none
 tracelog
 
-private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-bin bash,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
 private-etc fonts
 private-dev
 private-tmp
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index d5b750a13..d4b54067d 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -3,7 +3,6 @@ quiet
 ignore noroot
 include /etc/firejail/default.profile
 
-blacklist /etc
 
 hostname uudeview
 net none
@@ -13,3 +12,4 @@ tracelog
 
 private-bin uudeview
 private-dev
+private-etc ld.so.preload
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
new file mode 100644
index 000000000..8dc90982e
--- /dev/null
+++ b/etc/uzbl-browser.profile
@@ -0,0 +1,29 @@
+# Firejail profile for uzbl-browser
+
+noblacklist ~/.config/uzbl
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+mkdir ~/.config/uzbl
+whitelist ~/.config/uzbl
+mkdir ~/.local/share/uzbl
+whitelist ~/.local/share/uzbl
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+mkdir ~/.password-store
+whitelist ~/.password-store
+
+include /etc/firejail/whitelist-common.inc
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 2fd763f25..df9fcab03 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -8,7 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
 netfilter
-nogroups
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
diff --git a/etc/xmms.profile b/etc/xmms.profile
new file mode 100644
index 000000000..0d57f2f90
--- /dev/null
+++ b/etc/xmms.profile
@@ -0,0 +1,18 @@
+# Firejail profile for XMMS
+noblacklist ${HOME}/.xmms
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin xmms
+private-dev
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 56a5c8e7e..61e72583e 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -242,3 +242,5 @@
 /etc/firejail/qupzilla.profile
 /etc/firejail/FossaMail.profile
 /etc/firejail/fossamail.profile
+/etc/firejail/uzbl-browser.profile
+/etc/firejail/xmms.profile
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index d3dcd57d0..0f71c74dc 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -23,6 +23,10 @@ _firejail()
             _filedir
             return 0
             ;;
+        --hosts-file)
+            _filedir
+            return 0
+            ;;
         --chroot)
             _filedir -d
             return 0
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 722d5c05e..7e5412630 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -213,6 +213,7 @@ typedef struct config_t {
         // networking
         char *name;             // sandbox name
         char *hostname; // host name
+        char *hosts_file;               // hosts file to be installed in the sandbox
         uint32_t defaultgw;     // default gateway
         Bridge bridge0;
         Bridge bridge1;
@@ -317,6 +318,7 @@ extern int arg_netfilter;	// enable netfilter
 extern int arg_netfilter6;      // enable netfilter6
 extern char *arg_netfilter_file;        // netfilter file
 extern char *arg_netfilter6_file;       // netfilter file
+extern char *arg_netns;         // "ip netns"-created network namespace to use
 extern int arg_doubledash;      // double dash
 extern int arg_shell_none;      // run the program directly without a shell
 extern int arg_private_dev;     // private dev directory
@@ -336,6 +338,7 @@ extern int arg_nice;		// nice value configured
 extern int arg_ipc;             // enable ipc namespace
 extern int arg_writable_etc;    // writable etc
 extern int arg_writable_var;    // writable var
+extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
 extern int arg_audit;           // audit
 extern char *arg_audit_prog;    // audit
@@ -451,6 +454,7 @@ void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
@@ -536,6 +540,9 @@ void fs_trace(void);
 // fs_hostname.c
 void fs_hostname(const char *hostname);
 void fs_resolvconf(void);
+char *fs_check_hosts_fiile(const char *fname);
+void fs_store_hosts_file(void);
+void fs_mount_hosts_file(void);
 
 // rlimit.c
 void set_rlimits(void);
@@ -560,6 +567,11 @@ void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);
 
+// netns.c
+void check_netns(const char *nsname);
+void netns(const char *nsname);
+void netns_mounts(const char *nsname);
+
 // bandwidth.c
 void bandwidth_del_run_file(pid_t pid);
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 0da4cc111..69b9d77bc 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
+#include <sys/wait.h>
 #include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
@@ -681,11 +682,13 @@ void fs_basic_fs(void) {
         fs_rdonly("/usr");
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
-//      if (!arg_private_dev)
-//              fs_dev_shm();
         fs_var_lock();
         fs_var_tmp();
-        fs_var_log();
+        if (!arg_writable_var_log)
+                fs_var_log();
+        else
+                fs_rdwr("/var/log");
+        
         fs_var_lib();
         fs_var_cache();
         fs_var_utmp();
@@ -995,7 +998,11 @@ void fs_overlayfs(void) {
 //              fs_dev_shm();
         fs_var_lock();
         fs_var_tmp();
-        fs_var_log();
+        if (!arg_writable_var_log)
+                fs_var_log();
+        else
+                fs_rdwr("/var/log");
+                
         fs_var_lib();
         fs_var_cache();
         fs_var_utmp();
@@ -1225,7 +1232,11 @@ void fs_chroot(const char *rootdir) {
 //                      fs_dev_shm();
                 fs_var_lock();
                 fs_var_tmp();
-                fs_var_log();
+                if (!arg_writable_var_log)
+                        fs_var_log();
+                else
+                        fs_rdwr("/var/log");
+                        
                 fs_var_lib();
                 fs_var_cache();
                 fs_var_utmp();
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 479383af2..f14e90deb 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -31,8 +31,8 @@ void fs_machineid(void) {
                 uint32_t u32[4];
         } mid;
 
-        // if --machine-id flag is active, do nothing
-        if (arg_machineid)
+        // if --machine-id flag is inactive, do nothing
+        if (arg_machineid == 0)
                 return;
 
         // init random number generator
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index b2e1b4a99..3b586b276 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -42,7 +42,7 @@ void fs_hostname(const char *hostname) {
         }
         
         // create a new /etc/hosts
-        if (stat("/etc/hosts", &s) == 0) {
+        if (cfg.hosts_file == NULL && stat("/etc/hosts", &s) == 0) {
                 if (arg_debug)
                         printf("Creating a new /etc/hosts file\n");
                 // copy /etc/host into our new file, and modify it on the fly
@@ -79,9 +79,7 @@ void fs_hostname(const char *hostname) {
                 fclose(fp2);
                 
                 // bind-mount the file on top of /etc/hostname
-                if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind /etc/hosts");
-                fs_logger("create /etc/hosts");
+                fs_mount_hosts_file();
         }
         return;
 
@@ -129,4 +127,49 @@ void fs_resolvconf(void) {
         }
 }
 
+char *fs_check_hosts_fiile(const char *fname) {
+        assert(fname);
+        invalid_filename(fname);
+        char *rv = expand_home(fname, cfg.homedir);
+
+        // no a link
+        if (is_link(rv))
+                goto errexit;
         
+        // the user has read access to the file
+        if (access(rv, R_OK))
+                goto errexit;
+
+        return rv;
+errexit:
+        fprintf(stderr, "Error: invalid file %s\n", fname);
+        exit(1);
+}
+
+void fs_store_hosts_file(void) {
+        copy_file_from_user_to_root(cfg.hosts_file, RUN_HOSTS_FILE, 0, 0, 0644); // root needed
+}
+
+void fs_mount_hosts_file(void) {
+        // check /etc/hosts file
+        struct stat s;
+        if (stat("/etc/hosts", &s) == -1)
+                goto errexit;
+        // not a link
+        if (is_link("/etc/hosts"))
+                goto errexit;
+        // owned by root
+        if (s.st_uid != 0)
+                goto errexit;
+
+        // bind-mount the file on top of /etc/hostname
+        if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind /etc/hosts");
+        fs_logger("create /etc/hosts");
+        return;
+
+errexit:
+        fprintf(stderr, "Error: invalid /etc/hosts file\n");
+        exit(1);
+}
+
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 84bf5e8e6..7c6568903 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_netfilter;				// enable netfilter
 int arg_netfilter6;                             // enable netfilter6
 char *arg_netfilter_file = NULL;                        // netfilter file
 char *arg_netfilter6_file = NULL;               // netfilter6 file
+char *arg_netns = NULL;                 // "ip netns"-created network namespace to use
 int arg_doubledash = 0;                 // double dash
 int arg_shell_none = 0;                 // run the program directly without a shell
 int arg_private_dev = 0;                        // private dev directory
@@ -113,7 +114,8 @@ int arg_x11_block = 0;				// block X11
 int arg_x11_xorg = 0;                           // use X11 security extention
 int arg_allusers = 0;                           // all user home directories visible
 int arg_machineid = 0;                          // preserve /etc/machine-id
-int arg_allow_private_blacklist = 0;  // blacklist things in private directories
+int arg_allow_private_blacklist = 0;            // blacklist things in private directories
+int arg_writable_var_log;                       // writable /var/log
 
 int login_shell = 0;
 
@@ -1487,6 +1489,9 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--writable-var") == 0) {
                         arg_writable_var = 1;
                 }
+                else if (strcmp(argv[i], "--writable-var-log") == 0) {
+                        arg_writable_var_log = 1;
+                }
                 else if (strcmp(argv[i], "--machine-id") == 0) {
                         arg_machineid = 1;
                 }
@@ -1946,6 +1951,9 @@ int main(int argc, char **argv) {
                                 return 1;
                         }
                 }
+                
+                else if (strncmp(argv[i], "--hosts-file=", 13) == 0)
+                        cfg.hosts_file = fs_check_hosts_fiile(argv[i] + 13);
 
 #ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--netfilter") == 0) {
@@ -1999,6 +2007,15 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("networking");
                 }
+
+                else if (strncmp(argv[i], "--netns=", 8) == 0) {
+                        if (checkcfg(CFG_NETWORK)) {
+                                arg_netns = argv[i] + 8;
+                                check_netns(arg_netns);
+                        }
+                        else
+                                exit_err_feature("networking");
+                }
 #endif
                 //*************************************
                 // command
diff --git a/src/firejail/netns.c b/src/firejail/netns.c
new file mode 100644
index 000000000..477d56b3d
--- /dev/null
+++ b/src/firejail/netns.c
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <unistd.h>
+
+static char *netns_control_file(const char *nsname) {
+        char *rv = 0;
+        if (asprintf(&rv, "/var/run/netns/%s", nsname) <= 0)
+                errExit("asprintf");
+        return rv;
+}
+
+static char *netns_etc_dir(const char *nsname) {
+        char *rv = 0;
+        if (asprintf(&rv, "/etc/netns/%s", nsname) <= 0)
+                errExit("asprintf");
+        return rv;
+}
+
+void check_netns(const char *nsname) {
+        if (strchr(nsname, '/') || strstr(nsname, "..")) {
+                fprintf(stderr, "Error: invalid netns name %s\n", nsname);
+                exit(1);
+        }
+        invalid_filename(nsname);
+        char *control_file = netns_control_file(nsname);
+
+        EUID_ASSERT();
+
+        struct stat st;
+        if (lstat(control_file, &st)) {
+                fprintf(stderr, "Error: invalid netns '%s' (%s: %s)\n",
+                        nsname, control_file, strerror(errno));
+                exit(1);
+        }
+        if (!S_ISREG(st.st_mode)) {
+                fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n",
+                        nsname, control_file);
+                exit(1);
+        }
+        free(control_file);
+}
+
+void netns(const char *nsname) {
+        char *control_file = netns_control_file(nsname);
+        int nsfd = open(control_file, O_RDONLY|O_CLOEXEC);
+        if (nsfd < 0) {
+                fprintf(stderr, "Error: cannot open netns '%s' (%s: %s)\n",
+                        nsname, control_file, strerror(errno));
+                exit(1);
+        }
+        if (syscall(__NR_setns, nsfd, CLONE_NEWNET) < 0) {
+                fprintf(stderr, "Error: cannot join netns '%s': %s\n",
+                        nsname, strerror(errno));
+                exit(1);
+        }
+        close(nsfd);
+        free(control_file);
+}
+
+void netns_mounts(const char *nsname) {
+        char *etcdir = netns_etc_dir(nsname);
+        char *netns_name, *etc_name;
+        struct dirent *entry;
+        DIR *dir;
+
+        dir = opendir(etcdir);
+        if (!dir) {
+                free(etcdir);
+                return;
+        }
+        while ((entry = readdir(dir))) {
+                if (!strcmp(entry->d_name, ".") || !strcmp(entry->d_name, ".."))
+                        continue;
+                if (asprintf(&netns_name, "%s/%s", etcdir, entry->d_name) < 0 ||
+                    asprintf(&etc_name, "/etc/%s", entry->d_name) < 0)
+                        errExit("asprintf");
+                if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) {
+                        fprintf(stderr, "Warning: bind %s -> %s failed: %s\n",
+                                netns_name, etc_name, strerror(errno));
+                }
+                free(netns_name);
+                free(etc_name);
+        }
+        closedir(dir);
+        free(etcdir);
+}
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 33b6eab91..4856b31ae 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -215,6 +215,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_no3d = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "allow-private-blacklist") == 0) {
+                arg_allow_private_blacklist = 1;
+                return 0;
+        }       
         else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK))
@@ -602,6 +606,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         
+        // hosts-file
+        if (strncmp(ptr, "hosts-file ", 11) == 0) {
+                cfg.hosts_file = fs_check_hosts_fiile(ptr + 11);
+                return 0;
+        }
+        
         // dns
         if (strncmp(ptr, "dns ", 4) == 0) {
                 uint32_t dns;
@@ -663,6 +673,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_writable_var = 1;
                 return 0;
         }
+        if (strcmp(ptr, "writable-var-log") == 0) {
+                arg_writable_var_log = 1;
+                return 0;
+        }
         
         // private directory
         if (strncmp(ptr, "private ", 8) == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 493877db3..e56526f34 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -386,7 +386,7 @@ static void enforce_filters(void) {
         }
         
         // disable all capabilities
-        if (arg_caps_default_filter || arg_caps_list)
+        if (arg_caps_default_filter || arg_caps_list && !arg_quiet)
                 fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n");
         arg_caps_drop_all = 1;
         
@@ -467,6 +467,11 @@ int sandbox(void* sandbox_arg) {
                 if (arg_debug)
                         printf("Network namespace enabled, only loopback interface available\n");
         }
+        else if (arg_netns) {
+                netns(arg_netns);
+                if (arg_debug)
+                        printf("Network namespace '%s' activated\n", arg_netns);
+        }
         else if (any_bridge_configured() || any_interface_configured()) {
                 // configure lo and eth0...eth3
                 net_if_up("lo");
@@ -515,7 +520,8 @@ int sandbox(void* sandbox_arg) {
                 if (cfg.defaultgw) {
                         // set the default route
                         if (net_add_route(0, 0, cfg.defaultgw)) {
-                                fprintf(stderr, "Warning: cannot configure default route\n");
+                                if (!arg_quiet)
+                                        fprintf(stderr, "Warning: cannot configure default route\n");
                                 gw_cfg_failed = 1;
                         }
                 }
@@ -582,6 +588,10 @@ int sandbox(void* sandbox_arg) {
         if (arg_trace || arg_tracelog || mask_x11_abstract_socket)
                 fs_trace_preload();
 
+        // store hosts file
+        if (cfg.hosts_file)
+                fs_store_hosts_file();
+
         //****************************
         // configure filesystem
         //****************************
@@ -620,19 +630,29 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_OVERLAYFS
         if (arg_overlay)        {
                 fs_overlayfs();
+
+//todo - bring it back for overlay-named
+#if 0           
+                fs_overlayfs();
+                // force caps and seccomp if not started as root
+                if (getuid() != 0) {
+                        enforce_filters();
+#ifdef HAVE_SECCOMP
+                        enforce_seccomp = 1;
+#endif
+                }
+                else
+                        arg_seccomp = 1;
+#endif          
+                
+                
+                
         }
         else
 #endif
                 fs_basic_fs();
         
         //****************************
-        // set hostname in /etc/hostname
-        //****************************
-        if (cfg.hostname) {
-                fs_hostname(cfg.hostname);
-        }
-        
-        //****************************
         // private mode
         //****************************
         if (arg_private) {
@@ -729,6 +749,22 @@ int sandbox(void* sandbox_arg) {
                         EUID_ROOT();
                 }
         }
+
+        
+        //****************************
+        // hosts and hostname
+        //****************************
+        if (cfg.hostname)
+                fs_hostname(cfg.hostname);
+
+        if (cfg.hosts_file)
+                fs_mount_hosts_file();
+
+        //****************************
+        // /etc overrides from the network namespace
+        //****************************
+        if (arg_netns)
+                netns_mounts(arg_netns);
         
         //****************************
         // update /proc, /sys, /dev, /boot directorymy
@@ -812,7 +848,8 @@ int sandbox(void* sandbox_arg) {
                 int rv = nice(cfg.nice);
                 (void) rv;
                 if (errno) {
-                        fprintf(stderr, "Warning: cannot set nice value\n");
+                        if (!arg_quiet)
+                                fprintf(stderr, "Warning: cannot set nice value\n");
                         errno = 0;
                 }
         }
@@ -868,7 +905,8 @@ int sandbox(void* sandbox_arg) {
         if (arg_noroot) {
                 int rv = unshare(CLONE_NEWUSER);
                 if (rv == -1) {
-                        fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
+                        if (!arg_quiet)
+                                fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n");
                         drop_privs(arg_nogroups);
                         arg_noroot = 0;
                 }
@@ -899,7 +937,7 @@ int sandbox(void* sandbox_arg) {
         if (arg_nonewprivs) {
                 int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 
-                if(no_new_privs != 0)
+                if(no_new_privs != 0 && !arg_quiet)
                         fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n");
                 else if (arg_debug)
                         printf("NO_NEW_PRIVS set\n");
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 9f4dfd44c..15ba22d4d 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -78,6 +78,7 @@ void usage(void) {
         printf("    --get=name|pid filename - get a file from sandbox container.\n");
         printf("    --help, -? - this help screen.\n");
         printf("    --hostname=name - set sandbox hostname.\n");
+        printf("    --hosts-file=file - use file as /etc/hosts.\n");
         printf("    --ignore=command - ignore command in profile files.\n");
 #ifdef HAVE_NETWORK     
         printf("    --interface=name - move interface in sandbox.\n");
@@ -191,6 +192,7 @@ void usage(void) {
 #endif  
         printf("    --writable-etc - /etc directory is mounted read-write.\n");
         printf("    --writable-var - /var directory is mounted read-write.\n");
+        printf("    --writable-var-log - use the real /var/log directory, not a clone.\n");
         printf("    --x11 - enable X11 sandboxing. The software checks first if Xpra is\n");
         printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n");
         printf("\tattempt to use X11 security extension.\n");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 10000e912..44891ce2d 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -169,6 +169,25 @@ void logerr(const char *msg) {
         closelog();
 }
 
+static int copy_file_by_fd(int src, int dst) {
+        assert(src >= 0);
+        assert(dst >= 0);
+
+        ssize_t len;
+        static const int BUFLEN = 1024;
+        unsigned char buf[BUFLEN];
+        while ((len = read(src, buf, BUFLEN)) > 0) {
+                int done = 0;
+                while (done != len) {
+                        int rv = write(dst, buf + done, len - done);
+                        if (rv == -1)
+                                return -1;
+                        done += rv;
+                }
+        }
+        fflush(0);
+        return 0;
+}
 
 // return -1 if error, 0 if no error; if destname already exists, return error
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
@@ -190,33 +209,16 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
                 return -1;
         }
 
-        // copy
-        ssize_t len;
-        static const int BUFLEN = 1024;
-        unsigned char buf[BUFLEN];
-        while ((len = read(src, buf, BUFLEN)) > 0) {
-                int done = 0;
-                while (done != len) {
-                        int rv = write(dst, buf + done, len - done);
-                        if (rv == -1) {
-                                close(src);
-                                close(dst);
-                                return -1;
-                        }
-
-                        done += rv;
-                }
+        int errors = copy_file_by_fd(src, dst);
+        if (!errors) {
+                if (fchown(dst, uid, gid) == -1)
+                        errExit("fchown");
+                if (fchmod(dst, mode) == -1)
+                        errExit("fchmod");
         }
-        fflush(0);
-
-        if (fchown(dst, uid, gid) == -1)
-                errExit("fchown");
-        if (fchmod(dst, mode) == -1)
-                errExit("fchmod");
-
         close(src);
         close(dst);
-        return 0;
+        return errors;
 }
 
 // return -1 if error, 0 if no error
@@ -241,6 +243,45 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
         waitpid(child, NULL, 0);
 }
 
+void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+        // open destination
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (dst < 0) {
+                fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname);
+                return;
+        }
+
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
+                int src = open(srcname, O_RDONLY);
+                if (src < 0) {
+                        fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname);
+                } else {
+                        if (copy_file_by_fd(src, dst)) {
+                                fprintf(stderr, "Warning: cannot copy %s\n", srcname);
+                        }
+                        close(src);
+                }
+                close(dst);
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        // wait for the child to finish
+        waitpid(child, NULL, 0);
+        if (fchown(dst, uid, gid) == -1)
+                errExit("fchown");
+        if (fchmod(dst, mode) == -1)
+                errExit("fchmod");
+        close(dst);
+}
+
 // return -1 if error, 0 if no error
 void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
         pid_t child = fork();
@@ -864,4 +905,4 @@ errexit:
         close(fd);
         fprintf(stderr, "Error: cannot read %s\n", fname);
         exit(1);
-}
\ No newline at end of file
+}
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 8fd4562b0..90dca19bf 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -244,6 +244,11 @@ Mount /etc directory read-write.
 .TP
 \fBwritable-var
 Mount /var directory read-write.
+.TP
+\fBwritable-var-log
+Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
+directory, and a skeleton filesystem is created based on the original /var/log.
+
 .SH Security filters
 The following security filters are currently implemented:
 
@@ -392,6 +397,10 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Set a hostname for the sandbox.
 
 .TP
+\fBhosts-file file
+Use file as /etc/hosts.
+
+.TP
 \fBip address
 Assign IP addresses to the last network interface defined by a net command. A
 default gateway is assigned by default.
@@ -452,7 +461,7 @@ Assign MAC addresses to the last network interface defined by a net command.
 
 .TP
 \fBmachine-id
-Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 
 .TP
 \fBmtu number
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 69d28c788..993186476 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -192,7 +192,7 @@ Define a custom blacklist Linux capabilities filter.
 .br
 Example:
 .br
-$ firejail \-\-caps.keep=net_broadcast,net_admin,net_raw
+$ firejail \-\-caps.drop=net_broadcast,net_admin,net_raw
 
 .TP
 \fB\-\-caps.keep=capability,capability,capability
@@ -469,6 +469,16 @@ Example:
 $ firejail \-\-hostname=officepc firefox
 
 .TP
+\fB\-\-hosts-file=file
+Use file as /etc/hosts.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-hosts-file=~/myhosts firefox
+
+.TP
 \fB\-\-ignore=command
 Ignore command in profile file.
 .br
@@ -678,7 +688,7 @@ $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
 
 .TP
 \fB\-\-machine-id
-Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 .br
 
 .br
@@ -761,6 +771,11 @@ Example:
 $ firejail \-\-net=none vlc
 
 .TP
+\fB\-\-netns=name
+Run the program in a named, persistent network namespace.  These can
+be created and configured using "ip netns".
+
+.TP
 \fB\-\-netfilter
 Enable a default client network filter in the new network namespace.
 New network namespaces are created using \-\-net option. If a new network namespaces is not created,
@@ -1710,6 +1725,17 @@ Example:
 .br
 $ sudo firejail --writable-var
 
+.TP
+\fB\-\-writable-var-log
+Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log
+directory, and a skeleton filesystem is created based on the original /var/log.
+.br
+
+.br
+Example:
+.br
+$ sudo firejail --writable-var-log
+
 
 .TP
 \fB\-\-x11