6 files changed, 557 insertions, 179 deletions
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index decc1af73..b9d336c4c 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -10,19 +10,25 @@ sandbox applications automatically, just by clicking on a regular desktop
 menus and icons.
 The symbolic links are placed in /usr/local/bin. For more information, see
-DESKTOP INTEGRATION section in man 1 firejail.
+\fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 .SH OPTIONS
 .TP
 \fB\-\-clean
 Remove all firejail symbolic links.
 .TP
+\fB\-\-debug
+Print debug messages.
+.TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
 \fB\-\-list
 List all firejail symbolic links
 .TP
+\fB\-\-fix
+Fix .desktop files. Some .desktop files use full path to executable. Firecfg will check .desktop files in /usr/share/applications/, replace full path by name if it is in PATH, and write result to $HOME/.local/share/applications/.
+.TP
 \fB\-\-version
 Print program version and exit.
@@ -48,13 +54,22 @@ $ firecfg --list
 .br
 [...]
 .br
-$ sudo firecfg --clear
+$ sudo firecfg --clean
 .br
 /usr/local/bin/firefox removed
 .br
 /usr/local/bin/vlc removed
 .br
 [...]
+.br
+$ firecfg --fix
+.br
+/home/user/.local/share/applications/chromium.desktop created
+.br
+/home/user/.local/share/applications/vlc.desktop created
+.br
+[...]
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
@@ -65,6 +80,5 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
deleted file mode 100644
index fcf4109ee..000000000
--- a/src/man/firejail-config.txt
+++ /dev/null
@@ -1,81 +0,0 @@
-.TH FIREJAIL-CONFIG 5 "MONTH YEAR" "VERSION" "firejail.config man page"
-.SH NAME
-firejail.config \- Firejail run time configuration file
-.SH DESCRIPTION
-/etc/firejail/firejail.config is the system-wide configuration file for Firejail.
-It allows the system administrator to enable or disable a number of
-features and Linux kernel security technologies used by Firejail sandbox.
-The file contains keyword-argument pairs, one per line.
-Use 'yes' or 'no' as configuration values.
-Note that some of these features can also be enabled or disabled at compile
-time. Most features are enabled by default both at compile time and
-at run time.
-.TP
-\fBbind
-Enable or disable bind support, default enabled.
-.TP
-\fBchroot
-Enable or disable chroot support, default enabled.
-.TP
-\fBfile-transfer
-Enable or disable file transfer support, default enabled.
-.TP
-\fBnetwork
-Enable or disable networking features, default enabled.
-.TP
-\fBrestricted-network
-Enable or disable restricted network support, default disabled. If enabled,
-networking features should also be enabled (network yes).
-Restricted networking grants access to --interface and --net=ethXXX
-only to root user. Regular users are only allowed --net=none.
-.TP
-\fBsecomp
-Enable or disable seccomp support, default enabled.
-.TP
-\fBuserns
-Enable or disable user namespace support, default enabled.
-.TP
-\fBx11
-Enable or disable X11 sandboxing support, default enabled.
-.TP
-\fBxephyr-screen
-Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
-a full list of resolutions available on your specific setup. Examples:
-.br
-.br
-xephyr-screen 640x480
-.br
-xephyr-screen 800x600
-.br
-xephyr-screen 1024x768
-.br
-xephyr-screen 1280x1024
-.SH FILES
-/etc/firejail/firejail.config
-.SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
-.PP
-Homepage: http://firejail.wordpress.com
-.SH SEE ALSO
-\&\flfirejail\fR\|(1),
-\&\flfiremon\fR\|(1),
-\&\flfirecfg\fR\|(1),
-\&\flfirejail-profile\fR\|(5)
-\&\flfirejail-login\fR\|(5)
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 6cd9ce3cb..796179d0b 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -13,9 +13,13 @@ Example:
        netblue:--net=none --protocol=unix
+Wildcard patterns are accepted in the user name field:
+        user*: --private
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
-/etc/password file for each user that needs to be restricted. Alternatively,
+/etc/passwd file for each user that needs to be restricted. Alternatively,
 you can specify /usr/bin/firejail  using adduser or usermod commands:
 adduser \-\-shell /usr/bin/firejail username
@@ -34,6 +38,5 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9045c1122..d6113218c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example:
 .RS
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -93,11 +93,17 @@ If the file name matches file_name, the file will not be blacklisted in any blac
 Example: "noblacklist ${HOME}/.mozilla"
 .TP
-\fBignore command
+\fBignore
 Ignore command.
 Example: "ignore seccomp"
+.TP
+\fBquiet
+Disable Firejail's output. This should be the first uncommented command in the profile file.
+Example: "quiet"
 .SH Filesystem
 These profile entries define a chroot filesystem built on top of the existing
 host filesystem. Each line describes a file element that is removed from
@@ -122,11 +128,16 @@ blacklist ${PATH}/ifconfig
 blacklist ${HOME}/.ssh
 .TP
-\fBread-only file_or_directory
+\fBblacklist-nolog file_or_directory
-Make directory or file read-only.
+When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory.
-.TP
+blacklist-nolog command disables syslog messages for this particular file or directory. Examples:
-\fBtmpfs directory
+.br
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+.br
+blacklist-nolog /usr/bin
+.br
+blacklist-nolog /usr/bin/gcc*
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
@@ -135,8 +146,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
 \fBmkdir directory
-Create a directory in user home. Use this command for whitelisted directories you need to preserve
+Create a directory in user home before the sandbox is started.
-when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
+The directory is created if it doesn't already exist.
+.br
+.br
+Use this command for whitelisted directories you need to preserve
+when the sandbox is closed. Without it, the application will create the directory, and the directory
+will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from
 firefox profile:
 .br
@@ -145,14 +162,17 @@ mkdir ~/.mozilla
 .br
 whitelist ~/.mozilla
 .br
-mkdir ~/.cache
-.br
-mkdir ~/.cache/mozilla
-.br
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
 .TP
+\fBmkfile file
+Similar to mkdir, this command creates a file in user home before the sandbox is started.
+The file is created if it doesn't already exist, but it's target directory has to exist.
+.TP
+\fBnoexec file_or_directory
+Remount the file or the directory noexec, nodev and nosuid.
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -161,6 +181,12 @@ closed.
 \fBprivate directory
 Use directory as user home.
 .TP
+\f\private-home file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home. All modifications are discarded when the sandbox is
+closed.
+.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
@@ -174,19 +200,43 @@ filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
-\fBwhitelist file_or_directory
+\fBread-only file_or_directory
-Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
+Make directory or file read-only.
-The modifications to file_or_directory are persistent, everything else is discarded
+.TP
-when the sandbox is closed.
+\fBread-write file_or_directory
+Make directory or file read-write.
+.TP
+\fBtmpfs directory
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
+.TP
+\fBwhitelist file_or_directory
+Whitelist directory or file. A temporary file system is mounted on the top directory, and the
+whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
+everything else is discarded when the sandbox is closed. The top directory could be 
+user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
+.br
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
+.TP
+\fBwritable-etc
+Mount /etc directory read-write.
+.TP
+\fBwritable-var
+Mount /var directory read-write.
 .SH Security filters
 The following security filters are currently implemented:
 .TP
+\fBapparmor
+Enable AppArmor confinement.
+.TP
 \fBcaps
 Enable default Linux capabilities filter.
 .TP
@@ -205,10 +255,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable default seccomp filter.  The default list is as follows:
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
-mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
@@ -219,9 +266,32 @@ Enable seccomp filter and blacklist  the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege.
+.TP
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
+.TP
+\fBx11
+Enable X11 sandboxing.
+.TP
+\fBx11 none
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
+Remove DISPLAY and XAUTHORITY environment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
+.TP
+\fBx11 xephyr
+Enable X11 sandboxing with xephyr.
+.TP
+\fBx11 xorg
+Enable X11 sandboxing with X11 security extension.
+.TP
+\fBx11 xpra
+Enable X11 sandboxing with xpra.
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
@@ -255,6 +325,10 @@ The sandbox is placed in g1 control group.
 .SH User Environment
 .TP
+\fBallusers
+All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
+.TP
 \fBname sandboxname
 Set sandbox name. Example:
 .br
@@ -284,9 +358,18 @@ Enable IPC namespace.
 .TP
 \fBnosound
 Disable sound system.
+.TP
+\fBno3d
+Disable 3D hardware acceleration.
 .SH Networking
 Networking features available in profile files.
+.TP
+\fBdefaultgw address
+Use this address as default gateway in the new network namespace.
+.TP
 \fBdns address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
@@ -295,6 +378,45 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Set a hostname for the sandbox.
 .TP
+\fBip address
+Assign IP addresses to the last network interface defined by a net command. A
+default gateway is assigned by default.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip 10.10.20.56
+.TP
+\fBip none
+No IP address and no default gateway are configured for the last interface
+defined by a net command. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip none
+.TP
+\fBip6 address
+Assign IPv6 addresses to the last network interface defined by a net command.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip6 2001:0db8:0:f101::1/64
+.TP
 \fBiprange address,address
 Assign  an  IP address in the provided range to the last network
 interface defined by  a  net command.  A  default  gateway  is assigned by default.
@@ -311,6 +433,16 @@ iprange 192.168.1.150,192.168.1.160
 .br
 .TP
+\fBmac address
+Assign MAC addresses to the last network interface defined by a net command.
+.TP
+\fBmtu number
+Assign a MTU value to the last network interface defined by a net command.
+.TP
 \fBnetfilter
 If a new network namespace is created, enabled default network filter.
@@ -345,6 +477,17 @@ available in the new namespace is a new loopback interface (lo).
 Use this option to deny network access to programs that don't
 really need network access.
+.TP
+\fBveth-name name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands, 
+instead of the default one.
+.SH Other
+.TP
+\fBjoin-or-start sandboxname
+Join the sandbox identified by name or start a new one.
+Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 .SH RELOCATING PROFILES
 For various reasons some users might want to keep the profile files in a different directory.
 Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
@@ -388,7 +531,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 23db832c1..bb9ae270c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -11,7 +11,7 @@ firejail [OPTIONS] [program and arguments]
 File transfer from an existing sandbox
 .PP
 .RS
-firejail {\-\-ls | \-\-get} dir_or_filename
+firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename
 .RE
 .PP
 Network traffic shaping for an existing sandbox:
@@ -50,15 +50,16 @@ of applications. The software includes security profiles for a number of more co
 Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
 .SH USAGE
-Without any options, the sandbox consists of a chroot filesystem build in a new mount namespace,
+Without any options, the sandbox consists of a filesystem build in a new mount namespace,
-and new PID and UTS namespaces. IPC, network and user namespaces can be added using the command line options.
+and new PID and UTS namespaces. IPC, network and user namespaces can be added using the
-The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only.
+command line options. The default Firejail filesystem is based on the host filesystem with the main 
-Only /home and /tmp are writable.
+system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, 
+/libx32 and /lib64. Only /home and /tmp are writable.
 .PP
 As it starts up, Firejail tries to find a security profile based on the name of the application.
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option 
-to disable it. For more information, please see \fBSECURITY PROFILES\fR section.
+to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
 If a program argument is not specified, Firejail starts /bin/bash shell.
 Examples:
@@ -74,6 +75,46 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-allow-debuggers
+Allow tools such as strace and gdb inside the sandbox.
+.br
+.br
+Example:
+.br
+$ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
+.TP
+\fB\-\-allusers
+All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
+.br
+.br
+Example:
+.br
+$ firejail --allusers
+.TP
+\fB\-\-apparmor
+Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
+.TP
+\fB\-\-appimage
+Sandbox an AppImage (http://appimage.org/) application.
+.br
+.br
+Example:
+.br
+$ firejail --appimage krita-3.0-x86_64.appimage
+.br
+$ firejail --appimage --private krita-3.0-x86_64.appimage
+.br
+$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
+.TP
+\fB\-\-audit
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
+\fB\-\-audit=test-program
+Audit the sandbox, see \fBAUDIT\fR section for more details.
+.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -152,14 +193,7 @@ Example:
 .br
 $ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\
 setuid /etc/init.d/nginx start
-.br
-.br
-A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
-should be made read-only independently. Making a parent directory read-only, will not
-make the whitelist read-only. Example:
-.br
-$ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
 .TP
 \fB\-\-caps.print=name|pid
 Print the caps filter for the sandbox identified by name or by PID.
@@ -194,7 +228,8 @@ Example:
 .TP
 \fB\-\-chroot=dirname
-Chroot the sandbox into a root filesystem. If the sandbox is started as a
+Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
+the system directories are mounted read-write. If the sandbox is started as a
 regular user, default seccomp and capabilities filters are enabled. This
 option is not available on Grsecurity systems.
 .br
@@ -465,6 +500,11 @@ in case you intend to start an external DHCP client in the sandbox.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-\ip=none
+.br
+.br
+If the corresponding interface doesn't have an IP address configured, this
+option is enabled by default.
 .TP
 \fB\-\-ip6=address
@@ -547,19 +587,19 @@ $ firejail --net=eth0 --name=browser firefox &
 .br
 # change netfilter configuration
 .br
-$ sudo firejail --join-network=browser "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
+$ sudo firejail --join-network=browser bash -c "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
 .br
 .br
 # verify netfilter configuration
 .br
-$ sudo firejail --join-network=browser "/sbin/iptables -vL"
+$ sudo firejail --join-network=browser /sbin/iptables -vL
 .br
 .br
 # verify  IP addresses
 .br
-$ sudo firejail --join-network=browser "ip addr"
+$ sudo firejail --join-network=browser ip addr
 .br
 Switching to pid 1932, the first child process inside the sandbox
 .br
@@ -588,6 +628,13 @@ Switching to pid 1932, the first child process inside the sandbox
       valid_lft forever preferred_lft forever
 .TP
+\fB\-\-join-or-start=name
+Join the sandbox identified by name or start a new one.
+Same as "firejail --join=name" if sandbox with specified name exists, otherwise same as "firejail --name=name ..."
+.br
+Note that in contrary to other join options there is respective profile option.
+.TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
@@ -798,13 +845,23 @@ PID  User    RX(KB/s) TX(KB/s) Command
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
+Only root may specify a negative value.
 .br
 .br
 Example:
 .br
-$ firejail --nice=-5 firefox
+$ firejail --nice=2 firefox
+.TP
+\fB\-\-no3d
+Disable 3D hardware acceleration.
+.br
+.br
+Example:
+.br
+$ firejail --no3d firefox
 .TP
 \fB\-\-noblacklist=dirname_or_filename
@@ -831,6 +888,21 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
+\fB\-\-noexec=dirname_or_filename
+Remount directory or file noexec, nodev and nosuid.
+.br
+.br
+Example:
+.br
+$ firejail \-\-noexec=/tmp
+.br
+.br
+/etc and /var are noexec by default if the sandbox was started as a regular user. If there are more than one mount operation
+on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox.
+.TP
 \fB\-\-nogroups
 Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the
 sandbox. For root user supplementary groups are always disabled.
@@ -865,7 +937,7 @@ Example:
 .br
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -908,6 +980,14 @@ ping: icmp open socket: Operation not permitted
 $
 .TP
+\fB\-\-nonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege. This option
+is enabled by default if seccomp filter is activated.
+.TP
 \fB\-\-nosound
 Disable sound system.
 .br
@@ -946,13 +1026,15 @@ $ ls -l sandboxlog*
 .TP
 \fB\-\-overlay
-Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay.
+Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
-The overlay is stored in $HOME/.firejail directory. This option is not available on Grsecurity systems.
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
+The overlay is stored in $HOME/.firejail/<PID> directory.
 .br
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 .br
@@ -961,14 +1043,34 @@ Example:
 $ firejail \-\-overlay firefox
 .TP
+\fB\-\-overlay-named=name
+Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
+the system directories are mounted read-write. All filesystem modifications go into the overlay.
+The overlay is stored in $HOME/.firejail/<NAME> directory. The created overlay can be reused between multiple
+sessions.
+.br
+.br
+OverlayFS support is required in Linux kernel for this option to work.
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
+.br
+.br
+Example:
+.br
+$ firejail \-\-overlay-named=jail1 firefox
+.TP
 \fB\-\-overlay-tmpfs
 Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay,
-and are discarded when the sandbox is closed. This option is not available on Grsecurity systems.
+and are discarded when the sandbox is closed.
 .br
 .br
 OverlayFS support is required in Linux kernel for this option to work.
-OverlayFS was officially introduced in Linux kernel version 3.18
+OverlayFS was officially introduced in Linux kernel version 3.18.
+This option is not available on Grsecurity systems.
 .br
 .br
@@ -977,6 +1079,17 @@ Example:
 $ firejail \-\-overlay-tmpfs firefox
 .TP
+\fB\-\-overlay-clean
+Clean all overlays stored in $HOME/.firejail directory. Overlays created with --overlay-path=path
+outside $HOME/.firejail will not be deleted.
+.br
+.br
+Example:
+.br
+$ firejail \-\-overlay-clean
+.TP
 \fB\-\-private
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -998,9 +1111,24 @@ Example:
 $ firejail \-\-private=/home/netblue/firefox-home firefox
 .TP
+\fB\-\-private-home=file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home. All modifications are discarded when the sandbox is
+closed.
+.br
+.br
+Example:
+.br
+$ firejail \-\-private-home=.mozilla firefox
+.TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
+If no listed file is found, /bin directory will be empty.
 The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
+All modifications are discarded when the sandbox is closed. 
 .br
 .br
@@ -1018,7 +1146,7 @@ bash  cat  ls  sed
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
+Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, log and shm devices are available.
 .br
 .br
@@ -1032,14 +1160,15 @@ Child process initialized
 .br
 $ ls /dev
 .br
-dri  full  log  null  ptmx  pts  random  shm  tty  urandom  zero
+dri  full  log  null  ptmx  pts  random  shm  snd  tty  urandom  zero
 .br
 $
 .TP
 \fB\-\-private-etc=file,directory
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
-All modifications are discarded when the sandbox is closed.
+If no listed file is found, /etc directory will be empty.
+All modifications are discarded when the sandbox is closed. 
 .br
 .br
@@ -1051,7 +1180,7 @@ nsswitch.conf,passwd,resolv.conf
 .TP
 \fB\-\-private-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .br
 .br
@@ -1120,6 +1249,9 @@ $ firejail \-\-protocol.print=3272
 .br
 unix,inet,inet6,netlink
 .TP
+\fB\-\-put=name|pid src-filename dest-filename
+Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details.
+.TP
 \fB\-\-quiet
 Turn off Firejail's output.
 .TP
@@ -1131,6 +1263,31 @@ Set directory or file read-only.
 Example:
 .br
 $ firejail \-\-read-only=~/.mozilla firefox
+.br
+.br
+A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
+should be made read-only independently. Making a parent directory read-only, will not
+make the whitelist read-only. Example:
+.br
+.br
+$ firejail --whitelist=~/work --read-only=~ --read-only=~/work
+.TP
+\fB\-\-read-write=dirname_or_filename
+Set directory or file read-write. Only files or directories belonging to the current user are allowed for
+this operation. Example:
+.br
+.br
+$ mkdir ~/test
+.br
+$ touch ~/test/a
+.br
+$ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
@@ -1143,6 +1300,17 @@ Set the maximum number of processes that can be created for the real user ID of
 .TP
 \fB\-\-rlimit-sigpending=number
 Set the maximum number of pending signals for a process.
+.TP
+\fB\-\-rmenv=name
+Remove environment variable in the new sandbox.
+.br
+.br
+Example:
+.br
+$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
 .TP
 \fB\-\-scan
 ARP-scan all the networks from inside a network namespace.
@@ -1156,13 +1324,13 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows:
-mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module,
+mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
+iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
 sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
 add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
 io_destroy, io_getevents, io_submit, io_cancel,
 remap_file_pages, mbind, get_mempolicy, set_mempolicy,
-migrate_pages, move_pages, vmsplice, perf_event_open, chroot,
+migrate_pages, move_pages, vmsplice, chroot,
 tuxcall, reboot, mfsservctl and get_kernel_syms.
 .br
@@ -1425,15 +1593,7 @@ $ firejail \-\-tree
 11969:netblue:firejail \-\-net=eth0 transmission-gtk 
 .br
  11970:netblue:transmission-gtk 
-.TP
-\fB\-\-user=new-user
-Switch the user before starting the sandbox. This command should be run as root.
-.br
-.br
-Example:
-.br
-# firejail \-\-user=www-data
 .TP
 \fB\-\-version
 Print program version and exit.
@@ -1445,66 +1605,106 @@ Example:
 $ firejail \-\-version
 .br
 firejail version 0.9.27
+.TP
+\fB\-\-veth-name=name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands, 
+instead of the default one.
+.br
+.br
+Example:
+.br
+$ firejail \-\-net=br0 --veth-name=if0
 .TP
 \fB\-\-whitelist=dirname_or_filename
-Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories.
+Whitelist directory or file. A temporary file system is mounted on the top directory, and the
-When whitlisting symbolic links, both the link and the real file should be in the same top directory
+whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-(home user, /media, /var etc.)
+everything else is discarded when the sandbox is closed. The top directory could be 
+user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
+.br
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
 .br
 .br
 Example:
 .br
-$ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads
+$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 .br
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 .TP
-\fB\-\-x11
+\fB\-\-writable-etc
-Start a new X11 server using Xpra or Xephyr and attach the sandbox to this server.
+Mount /etc directory read-write.
-The regular X11 server (display 0) is not visible in the sandbox. This prevents screenshot and keylogger
-applications started in the sandbox from accessing other X11 displays.
-A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
 .br
 .br
-Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+Example:
-This feature is not available when running as root. 
+.br
+$ sudo firejail --writable-etc
+.TP
+\fB\-\-writable-var
+Mount /var directory read-write.
 .br
 .br
 Example:
 .br
-$ firejail \-\-x11 --net=eth0 firefox
+$ sudo firejail --writable-var
 .TP
-\fB\-\-x11=xpra
+\fB\-\-x11
-Start a new X11 server using Xpra (http://xpra.org) and attach the sandbox to this server.
+Sandbox the application using Xpra, Xephyr or Xorg security extension.
-Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+The sandbox will prevents screenshot and keylogger applications started inside the sandbox from accessing
-On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
+clients running outside the sandbox.
-This feature is not available when running as root.
+Firejail will try first Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
+If all fails, Firejail will not attempt to use X11 security extension.
+.br
+.br
+Xpra and Xephyr modes require a network namespace to be instantiated in order to disable
+X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
+by adding "-nolisten local" on Xorg command line.
 .br
 .br
 Example:
 .br
-$ firejail \-\-x11=xpra --net=eth0 firefox
+$ firejail \-\-x11 --net=eth0 firefox
+.TP
+\fB\-\-x11=none
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in ${XAUTHORITY} environment variable.
+Remove DISPLAY and XAUTHORITY environment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
 .TP
 \fB\-\-x11=xephyr
-Start a new X11 server using Xephyr and attach the sandbox to this server.
+Start Xephyr and attach the sandbox to this server.
 Xephyr is a display server implementing the X11 display server protocol.
-It runs in a window just like other X applications, but it is an X server itself in which you can run other software.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
-The default Xephyr window size is 800x600. This can be modified in /etc/firejail/firejail.config file,
+.br
-see \fBman 5 firejail-config\fR for more details.
+.br
+Xephyr runs in a window just like any other X11 application. The default window size is 800x600.
+This can be modified in /etc/firejail/firejail.config file.
 .br
 .br
 The recommended way to use this feature is to run a window manager inside the sandbox.
 A security profile for OpenBox is provided.
-On Debian platforms Xephyr is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
+.br
+.br
+Xephyr is developed by Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
 This feature is not available when running as root. 
 .br
@@ -1514,6 +1714,42 @@ Example:
 $ firejail \-\-x11=xephyr --net=eth0 openbox
 .TP
+\fB\-\-x11=xorg
+Sandbox the application using the untrusted mode implemented by X11 security extension. 
+The extension is available in Xorg package
+and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted 
+connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
+contents of other clients, stealing input events, etc.
+The untrusted mode has several limitations. A lot of regular programs  assume they are a trusted X11 clients
+and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
+Firefox and transmission-gtk seem to be working fine.
+A network namespace is not required for this option.
+.br
+.br
+Example:
+.br
+$ firejail \-\-x11=xorg firefox
+.TP
+\fB\-\-x11=xpra
+Start Xpra (http://xpra.org) and attach the sandbox to this server.
+Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
+A network namespace needs to be instantiated in order to deny access to X11 abstract Unix domain socket.
+.br
+.br
+On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
+This feature is not available when running as root.
+.br
+.br
+Example:
+.br
+$ firejail \-\-x11=xpra --net=eth0 firefox
+.TP
 \fB\-\-zsh
 Use /usr/bin/zsh as default user shell.
 .br
@@ -1576,6 +1812,44 @@ $ firejail --tree
      1221:netblue:/usr/lib/firefox/firefox
 .RE
+.SH APPARMOR
+.TP
+AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
+.br
+.br
+$ ./configure --prefix=/usr --enable-apparmor
+.TP
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
+.br
+.br
+# aa-enforce firejail-default
+.TP
+The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
+.br
+.br
+- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running
+commands such as "top" and "ps aux".
+.br
+.br
+- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
+programs and scripts from user home or other directories writable by the user is not allowed.
+.br
+.br
+- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
+You should have no problems running Chromium or Firefox.
+.TP
+To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example:
+.br
+.br
+$ firejail --apparmor firefox
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox
 and transfer files from the container to the host filesystem.
@@ -1583,12 +1857,16 @@ and transfer files from the container to the host filesystem.
 .TP
 \fB\-\-get=name|pid filename
 Retrieve the container file and store it on the host in the current working directory.
-The container is specified by name or PID. Full path is needed for filename.
+The container is specified by name or PID.
 .TP
 \fB\-\-ls=name|pid dir_or_filename
 List container files. The container is specified by name or PID.
-Full path is needed for dir_or_filename.
+.TP
+\fB\-\-put=name|pid src-filename dest-filename
+Put src-filename in sandbox container.
+The container is specified by name or PID.
 .TP
 Examples:
@@ -1614,7 +1892,11 @@ drwxr-xr-x netblue  netblue         4096 ..
 .br
 $ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png
+.br
+.br
+$ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
+.br
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
@@ -1626,15 +1908,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 Set rate-limits:
-        firejail --bandwidth=name|pid set network download upload
+        $ firejail --bandwidth=name|pid set network download upload
 Clear rate-limits:
-        firejail --bandwidth=name|pid clear network
+        $ firejail --bandwidth=name|pid clear network
 Status:
-        firejail --bandwidth=name|pid status
+        $ firejail --bandwidth=name|pid status
 where:
 .br
@@ -1658,6 +1940,26 @@ Example:
 .br
        $ firejail \-\-bandwidth=mybrowser clear eth0
+.SH AUDIT
+Audit feature allows the user to point out gaps in security profiles. The
+implementation replaces the program to be sandboxed with a test program. By
+default, we use faudit program distributed with Firejail. A custom test program
+can also be supplied by the user. Examples:
+Running the default audit program:
+.br
+        $ firejail --audit transmission-gtk
+Running a custom audit program:
+.br
+        $ firejail --audit=~/sandbox-test transmission-gtk
+In the examples above, the sandbox configures transmission-gtk profile and
+starts the test program. The real program, transmission-gtk, will not be
+started.
+Limitations: audit feature is not implemented for --x11 commands.
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:
@@ -1751,7 +2053,7 @@ To disable default profile loading, use --noprofile command option. Example:
 .RS
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -1818,7 +2120,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index ef99b0927..bd84401af 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -109,6 +109,5 @@ Homepage: http://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)