16 files changed, 173 insertions, 180 deletions

diff --git a/src/fids/fids.h b/src/fids/fids.h
index a2e2886fe..eaf2bbd29 100644
--- a/src/fids/fids.h
+++ b/src/fids/fids.h
@@ -48,4 +48,4 @@ int db_exclude_check(const char *fname);
 //#define KEY_SIZE 512
 int blake2b(void *out, size_t outlen, const void *in, size_t inlen);
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/firejail/env.c b/src/firejail/env.c
index f5e9dd980..ad16de037 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -262,7 +262,7 @@ static const char * const env_whitelist[] = {
         "LANG",
         "LANGUAGE",
         "LC_MESSAGES",
-        "PATH",
+        // "PATH",
         "DISPLAY"       // required by X11
 };
 
@@ -311,6 +311,10 @@ void env_apply_whitelist(void) {
                 errExit("clearenv");
 
         env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
+
+        // hardcoding PATH
+        if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
+                errExit("setenv");
 }
 
 // Filter env variables for a sbox app
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5ac2da164..dd4c2139d 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -108,7 +108,7 @@ static void disable_file(OPERATION op, const char *filename) {
         }
 
         // check for firejail executable
-        // we migth have a file found in ${PATH} pointing to /usr/bin/firejail
+        // we might have a file found in ${PATH} pointing to /usr/bin/firejail
         // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
         //     and expects Firefox to open in the same sandbox
         if (strcmp(BINDIR "/firejail", fname) == 0) {
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 1a9a78ceb..7d320e90b 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -93,10 +93,6 @@ char *fs_check_hosts_file(const char *fname) {
         invalid_filename(fname, 0); // no globbing
         char *rv = expand_macros(fname);
 
-        // no a link
-        if (is_link(rv))
-                goto errexit;
-
         // the user has read access to the file
         if (access(rv, R_OK))
                 goto errexit;
@@ -119,9 +115,6 @@ void fs_mount_hosts_file(void) {
         struct stat s;
         if (stat("/etc/hosts", &s) == -1)
                 goto errexit;
-        // not a link
-        if (is_link("/etc/hosts"))
-                goto errexit;
         // owned by root
         if (s.st_uid != 0)
                 goto errexit;
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
index 59acdb1fe..a9ff59be4 100644
--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -86,4 +86,4 @@ void run_ids(int argc, char **argv) {
                 fprintf(stderr, "Error: unrecognized IDS command\n");
 
         exit(0);
-}
\ No newline at end of file
+}
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 394bbb528..a869f6b64 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -45,7 +45,7 @@ static unsigned display = 0;
 static void signal_handler(int sig){
         flush_stdin();
 
-        exit(sig);
+        exit(128 + sig);
 }
 
 static void install_handler(void) {
@@ -536,7 +536,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
 #ifdef HAVE_APPARMOR
-                // add apparmor confinement after the execve
                 set_apparmor();
 #endif
 
@@ -552,10 +551,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 if (cfg.cpus)   // not available for uid 0
                         set_cpu_affinity();
 
-                // set nice value
-                if (arg_nice)
-                        set_nice(cfg.nice);
-
                 // add x11 display
                 if (display) {
                         char *display_str;
@@ -574,6 +569,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         dbus_set_system_bus_env();
 #endif
 
+                // set nice and rlimits
+                if (arg_nice)
+                        set_nice(cfg.nice);
+                set_rlimits();
+
                 start_application(0, shfd, NULL);
 
                 __builtin_unreachable();
@@ -596,15 +596,17 @@ void join(pid_t pid, int argc, char **argv, int index) {
 
         // end of signal-safe code
         //*****************************
-        flush_stdin();
 
         if (WIFEXITED(status)) {
+                // if we had a proper exit, return that exit status
                 status = WEXITSTATUS(status);
         } else if (WIFSIGNALED(status)) {
-                status = WTERMSIG(status);
+                // distinguish fatal signals by adding 128
+                status = 128 + WTERMSIG(status);
         } else {
-                status = 0;
+                status = -1;
         }
 
+        flush_stdin();
         exit(status);
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e0bf44f62..81d148257 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -189,13 +189,15 @@ static void my_handler(int s) {
         logsignal(s);
 
         if (waitpid(child, NULL, WNOHANG) == 0) {
-                if (has_handler(child, s)) // signals are not delivered if there is no handler yet
+                // child is pid 1 of a pid namespace:
+                // signals are not delivered if there is no handler yet
+                if (has_handler(child, s))
                         kill(child, s);
                 else
                         kill(child, SIGKILL);
                 waitpid(child, NULL, 0);
         }
-        myexit(s);
+        myexit(128 + s);
 }
 
 static void install_handler(void) {
@@ -1263,9 +1265,9 @@ int main(int argc, char **argv, char **envp) {
                         arg_debug = 1;
                         arg_quiet = 0;
                 }
-                else if (strcmp(argv[i], "--debug-deny") == 0)
+                else if (strcmp(argv[i], "--debug-blacklists") == 0)
                         arg_debug_blacklists = 1;
-                else if (strcmp(argv[i], "--debug-allow") == 0)
+                else if (strcmp(argv[i], "--debug-whitelists") == 0)
                         arg_debug_whitelists = 1;
                 else if (strcmp(argv[i], "--debug-private-lib") == 0)
                         arg_debug_private_lib = 1;
@@ -3216,10 +3218,11 @@ printf("link #%s#\n", prf->link);
         if (WIFEXITED(status)){
                 myexit(WEXITSTATUS(status));
         } else if (WIFSIGNALED(status)) {
-                myexit(WTERMSIG(status));
+                // distinguish fatal signals by adding 128
+                myexit(128 + WTERMSIG(status));
         } else {
-                myexit(0);
+                myexit(1);
         }
 
-        return 0;
+        return 1;
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index b7c7185a6..059100fcb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1938,7 +1938,7 @@ char *profile_list_compress(char *list)
                         /* Include non-empty item */
                         if (!*item)
                                 in[i] = 0;
-                        /* Remove all allready included items */
+                        /* Remove all already included items */
                         for (k = 0; k < i; ++k)
                                 in[k] = 0;
                         break;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 59ddfb855..995827fb7 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -87,9 +87,9 @@ static void sandbox_handler(int sig){
 
         // broadcast a SIGKILL
         kill(-1, SIGKILL);
-        flush_stdin();
 
-        exit(sig);
+        flush_stdin();
+        exit(128 + sig);
 }
 
 static void install_handler(void) {
@@ -1243,7 +1243,6 @@ int sandbox(void* sandbox_arg) {
 
         if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
-                // add apparmor confinement after the execve
                 set_apparmor();
 #endif
 
@@ -1258,13 +1257,17 @@ int sandbox(void* sandbox_arg) {
         munmap(set_sandbox_status, 1);
 
         int status = monitor_application(app_pid);      // monitor application
-        flush_stdin();
 
         if (WIFEXITED(status)) {
                 // if we had a proper exit, return that exit status
-                return WEXITSTATUS(status);
+                status = WEXITSTATUS(status);
+        } else if (WIFSIGNALED(status)) {
+                // distinguish fatal signals by adding 128
+                status = 128 + WTERMSIG(status);
         } else {
-                // something else went wrong!
-                return -1;
+                status = -1;
         }
+
+        flush_stdin();
+        return status;
 }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d843c74ae..43f862b9d 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -28,7 +28,6 @@ static char *usage_str =
         "\n"
         "Options:\n"
         "    -- - signal the end of options and disables further option processing.\n"
-        "    --allow=filename - allow file system access.\n"
         "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
         "    --allusers - all user home directories are visible inside the sandbox.\n"
         "    --apparmor - enable AppArmor confinement.\n"
@@ -39,12 +38,13 @@ static char *usage_str =
 #endif
         "    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
         "    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
-        "    --build - build a profile for the application.\n"
-        "    --build=filename - build a profile for the application.\n"
+        "    --blacklist=filename - blacklist directory or file.\n"
+        "    --build - build a whitelisted profile for the application.\n"
+        "    --build=filename - build a whitelisted profile for the application.\n"
         "    --caps - enable default Linux capabilities filter.\n"
         "    --caps.drop=all - drop all capabilities.\n"
-        "    --caps.drop=capability,capability - drop capabilities.\n"
-        "    --caps.keep=capability,capability - allow capabilities.\n"
+        "    --caps.drop=capability,capability - blacklist capabilities filter.\n"
+        "    --caps.keep=capability,capability - whitelist capabilities filter.\n"
         "    --caps.print=name|pid - print the caps filter.\n"
 #ifdef HAVE_FILE_TRANSFER
         "    --cat=name|pid filename - print content of file from sandbox container.\n"
@@ -75,18 +75,17 @@ static char *usage_str =
         "    --dbus-user.talk=name - allow talking to name on the session DBus.\n"
 #endif
         "    --debug - print sandbox debug messages.\n"
-        "    --debug-allow - debug file system access.\n"
-        "    --debug-deny - debug file system access.\n"
+        "    --debug-blacklists - debug blacklisting.\n"
         "    --debug-caps - print all recognized capabilities.\n"
         "    --debug-errnos - print all recognized error numbers.\n"
         "    --debug-private-lib - debug for --private-lib option.\n"
         "    --debug-protocols - print all recognized protocols.\n"
         "    --debug-syscalls - print all recognized system calls.\n"
         "    --debug-syscalls32 - print all recognized 32 bit system calls.\n"
+        "    --debug-whitelists - debug whitelisting.\n"
 #ifdef HAVE_NETWORK
         "    --defaultgw=address - configure default gateway.\n"
 #endif
-        "    --deny=filename - deny access to directory or file.\n"
         "    --deterministic-exit-code - always exit with first child's status code.\n"
         "    --dns=address - set DNS server.\n"
         "    --dns.print=name|pid - print DNS configuration.\n"
@@ -147,14 +146,13 @@ static char *usage_str =
         "    --netfilter6=filename - enable IPv6 firewall.\n"
         "    --netfilter6.print=name|pid - print the IPv6 firewall.\n"
         "    --netmask=address - define a network mask when dealing with unconfigured\n"
-        "\tparrent interfaces.\n"
+        "\tparent interfaces.\n"
         "    --netns=name - Run the program in a named, persistent network namespace.\n"
         "    --netstats - monitor network statistics.\n"
 #endif
         "    --nice=value - set nice value.\n"
         "    --no3d - disable 3D hardware acceleration.\n"
-        "    --noallow=filename - disable allow command for file or directory.\n"
-        "    --nodeny=filename - disable deny command for file or directory.\n"
+        "    --noblacklist=filename - disable blacklist for file or directory.\n"
         "    --nodbus - disable D-Bus access.\n"
         "    --nodvd - disable DVD and audio CD devices.\n"
         "    --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
@@ -169,6 +167,7 @@ static char *usage_str =
         "    --noautopulse - disable automatic ~/.config/pulse init.\n"
         "    --novideo - disable video devices.\n"
         "    --nou2f - disable U2F devices.\n"
+        "    --nowhitelist=filename - disable whitelist for file or directory.\n"
 #ifdef HAVE_OUTPUT
         "    --output=logfile - stdout logging and log rotation.\n"
         "    --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
@@ -225,14 +224,14 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-        "    --seccomp - enable seccomp filter and drop the default syscalls.\n"
-        "    --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n"
+        "    --seccomp - enable seccomp filter and apply the default blacklist.\n"
+        "    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
         "\tdefault syscall list and the syscalls specified by the command.\n"
         "    --seccomp.block-secondary - build only the native architecture filters.\n"
         "    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"
-        "\tdrop the syscalls specified by the command.\n"
+        "\tblacklist the syscalls specified by the command.\n"
         "    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"
-        "\tallow the syscalls specified by the command.\n"
+        "\twhitelist the syscalls specified by the command.\n"
         "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
         "\tidentified by name or PID.\n"
         "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
@@ -247,7 +246,7 @@ static char *usage_str =
         "    --top - monitor the most CPU-intensive sandboxes.\n"
         "    --trace - trace open, access and connect system calls.\n"
         "    --tracelog - add a syslog message for every access to files or\n"
-        "\tdirectories dropped by the security profile.\n"
+        "\tdirectories blacklisted by the security profile.\n"
         "    --tree - print a tree of all sandboxed processes.\n"
         "    --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
         "\tfiretunnel utility.\n"
@@ -255,6 +254,7 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
+        "    --whitelist=filename - whitelist directory or file.\n"
         "    --writable-etc - /etc directory is mounted read-write.\n"
         "    --writable-run-user - allow access to /run/user/$UID/systemd and\n"
         "\t/run/user/$UID/gnupg.\n"
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
index be3104da3..3f8c89bfb 100644
--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -61,4 +61,4 @@ char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
 int find_child(pid_t pid);
 pid_t switch_to_child(pid_t pid);
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
index 7f994d6a1..be18ac109 100644
--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -110,4 +110,4 @@ void noexec_test(const char *path) {
         wait(&status);
         int rv = unlink(fname);
         (void) rv;
-}
\ No newline at end of file
+}
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 6280026e6..a768829a1 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -156,7 +156,7 @@ Scripting commands:
 \fBFile and directory names
 File and directory names containing spaces are supported. The space character ' ' should not be escaped.
 
-Example: "deny ~/My Virtual Machines"
+Example: "blacklist ~/My Virtual Machines"
 
 .TP
 \fB# this is a comment
@@ -170,9 +170,9 @@ net none # this command creates an empty network namespace
 \fB?CONDITIONAL: profile line
 Conditionally add profile line.
 
-Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir"
+Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
-This example will load the profile line only if the \-\-appimage option has been specified on the command line.
+This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
 Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
@@ -205,16 +205,16 @@ storing modifications to the persistent configuration. Persistent .local files
 are included at the start of regular profile files.
 
 .TP
-\fBnoallow file_name
-If the file name matches file_name, the file will not be allowed in any allow commands that follow.
+\fBnoblacklist file_name
+If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
 
-Example: "nowhitelist ~/.config"
+Example: "noblacklist ${HOME}/.mozilla"
 
 .TP
-\fBnodeny file_name
-If the file name matches file_name, the file will not be denied any deny commands that follow.
+\fBnowhitelist file_name
+If the file name matches file_name, the file will not be whitelisted in any whitelist commands that follow.
 
-Example: "nodeny ${HOME}/.mozilla"
+Example: "nowhitelist ~/.config"
 
 .TP
 \fBignore
@@ -242,17 +242,19 @@ HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR sect
 for more details.
 Examples:
 .TP
-\fBallow file_or_directory
-Allow directory or file. A temporary file system is mounted on the top directory, and the
-allowed files are mount-binded inside. Modifications to allowd files are persistent,
-everything else is discarded when the sandbox is closed. The top directory can be
-all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
-all directories in /usr.
+\fBblacklist file_or_directory
+Blacklist directory or file. Examples:
 .br
 
 .br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
+blacklist /usr/bin
+.br
+blacklist /usr/bin/gcc*
+.br
+blacklist ${PATH}/ifconfig
+.br
+blacklist ${HOME}/.ssh
+
 .TP
 \fBblacklist-nolog file_or_directory
 When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory.
@@ -271,20 +273,6 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 \fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
-\fBdeny file_or_directory
-Deny access to directory or file. Examples:
-.br
-
-.br
-deny /usr/bin
-.br
-deny /usr/bin/gcc*
-.br
-deny ${PATH}/ifconfig
-.br
-deny ${HOME}/.ssh
-
-.TP
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
@@ -304,7 +292,7 @@ The directory is created if it doesn't already exist.
 .br
 
 .br
-Use this command for allowed directories you need to preserve
+Use this command for whitelisted directories you need to preserve
 when the sandbox is closed. Without it, the application will create the directory, and the directory
 will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from
 firefox profile:
@@ -317,7 +305,7 @@ whitelist ~/.mozilla
 .br
 mkdir ~/.cache/mozilla/firefox
 .br
-allow ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
 .br
 
 .br
@@ -423,7 +411,7 @@ expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory allowing /tmp/.X11-unix.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
 \fBread-only file_or_directory
 Make directory or file read-only.
@@ -435,13 +423,25 @@ Make directory or file read-write.
 Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
-File system deny violations logged to syslog.
+Blacklist violations logged to syslog.
+.TP
+\fBwhitelist file_or_directory
+Whitelist directory or file. A temporary file system is mounted on the top directory, and the
+whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
+.br
+
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
 .TP
 \fBwritable-etc
 Mount /etc directory read-write.
 .TP
 \fBwritable-run-user
-Disable the default denying of run/user/$UID/systemd and /run/user/$UID/gnupg.
+Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
 .TP
 \fBwritable-var
 Mount /var directory read-write.
@@ -455,7 +455,7 @@ The following security filters are currently implemented:
 
 .TP
 \fBallow-debuggers
-Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv.
+Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv.
 #ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
@@ -466,13 +466,13 @@ Enable AppArmor confinement.
 Enable default Linux capabilities filter.
 .TP
 \fBcaps.drop capability,capability,capability
-Deny given Linux capabilities.
+Blacklist given Linux capabilities.
 .TP
 \fBcaps.drop all
-Deny all Linux capabilities.
+Blacklist all Linux capabilities.
 .TP
 \fBcaps.keep capability,capability,capability
-Allow given Linux capabilities.
+Whitelist given Linux capabilities.
 .TP
 \fBmemory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings
@@ -497,32 +497,32 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
 .TP
 \fBseccomp
-Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details.
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
 .TP
 \fBseccomp.32
-Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp syscall,syscall,syscall
-Enable seccomp filter and deny the system calls in the list on top of default seccomp filter.
+Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
 .TP
 \fBseccomp.32 syscall,syscall,syscall
-Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp.block-secondary
 Enable seccomp filter and filter system call architectures
 so that only the native architecture is allowed.
 .TP
 \fBseccomp.drop syscall,syscall,syscall
-Enable seccomp filter and deny the system calls in the list.
+Enable seccomp filter and blacklist the system calls in the list.
 .TP
 \fBseccomp.32.drop syscall,syscall,syscall
-Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp.keep syscall,syscall,syscall
-Enable seccomp filter and allow the system calls in the list.
+Enable seccomp filter and whitelist the system calls in the list.
 .TP
 \fBseccomp.32.keep syscall,syscall,syscall
-Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp-error-action kill | log | ERRNO
 Return a different error instead of EPERM to the process, kill it when
@@ -534,7 +534,7 @@ attempt.
 Enable X11 sandboxing.
 .TP
 \fBx11 none
-Deny access to /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
 Remove DISPLAY and XAUTHORITY environment variables.
 Stop with error message if X11 abstract socket will be accessible in jail.
 .TP
@@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 498ff9aa9..0462705c0 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -99,40 +99,6 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
-\fB\-\-allow=dirname_or_filename
-Allow access to a directory or file. A temporary file system is mounted on the top directory, and the
-allowed files are mount-binded inside. Modifications to allowed files are persistent,
-everything else is discarded when the sandbox is closed. The top directory can be
-all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
-all directories in /usr.
-.br
-
-.br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
-.br
-
-.br
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noprofile \-\-allow=~/.mozilla
-.br
-$ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null
-.br
-$ firejail "\-\-allow=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-allow=~/work* \-\-allow=/var/backups*
-
-
-
-
-
-
-.TP
 \fB\-\-allow-debuggers
 Allow tools such as strace and gdb inside the sandbox by whitelisting
 system calls ptrace and process_vm_readv. This option is only
@@ -203,6 +169,21 @@ Example:
 .br
 # firejail \-\-bind=/config/etc/passwd,/etc/passwd
 .TP
+\fB\-\-blacklist=dirname_or_filename
+Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
+.br
+$ firejail \-\-blacklist=~/.mozilla
+.br
+$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
+.TP
 \fB\-\-build
 The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
 builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
@@ -262,7 +243,7 @@ $ firejail \-\-caps.drop=all warzone2100
 
 .TP
 \fB\-\-caps.drop=capability,capability,capability
-Define a custom Linux capabilities filter.
+Define a custom blacklist Linux capabilities filter.
 .br
 
 .br
@@ -643,14 +624,14 @@ Example:
 $ firejail \-\-debug firefox
 
 .TP
-\fB\-\-debug-allow\fR
-Debug file system access.
+\fB\-\-debug-blacklists\fR
+Debug blacklisting.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-debug-allow firefox
+$ firejail \-\-debug-blacklists firefox
 
 .TP
 \fB\-\-debug-caps
@@ -663,16 +644,6 @@ Example:
 $ firejail \-\-debug-caps
 
 .TP
-\fB\-\-debug-deny\fR
-Debug file access.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-debug-deny firefox
-
-.TP
 \fB\-\-debug-errnos
 Print all recognized error numbers in the current Firejail software build and exit.
 .br
@@ -706,44 +677,33 @@ $ firejail \-\-debug-syscalls
 \fB\-\-debug-syscalls32
 Print all recognized 32 bit system calls in the current Firejail software build and exit.
 .br
-
-#ifdef HAVE_NETWORK
 .TP
-\fB\-\-defaultgw=address
-Use this address as default gateway in the new network namespace.
+\fB\-\-debug-whitelists\fR
+Debug whitelisting.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
-#endif
-
+$ firejail \-\-debug-whitelists firefox
+#ifdef HAVE_NETWORK
 .TP
-\fB\-\-deny=dirname_or_filename
-Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+\fB\-\-defaultgw=address
+Use this address as default gateway in the new network namespace.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-deny=/sbin \-\-deny=/usr/sbin
-.br
-$ firejail \-\-deny=~/.mozilla
-.br
-$ firejail "\-\-deny=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines
-
-
-
+$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
+#endif
 .TP
 \fB\-\-deterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .br
 .TP
 \fB\-\-disable-mnt
-Deny access to /mnt, /media, /run/mount and /run/media.
+Blacklist /mnt, /media, /run/mount and /run/media access.
 .br
 
 .br
@@ -1511,16 +1471,12 @@ Example:
 $ firejail --no3d firefox
 
 .TP
-\fB\-\-noallow=dirname_or_filename
-Disable \-\-allow for this directory or file.
-
-.TP
 \fB\-\-noautopulse \fR(deprecated)
 See --keep-config-pulse.
 
 .TP
-\fB\-\-nodeny=dirname_or_filename
-Disable \-\-deny for this directory or file.
+\fB\-\-noblacklist=dirname_or_filename
+Disable blacklist for this directory or file.
 .br
 
 .br
@@ -1536,7 +1492,7 @@ $ exit
 .br
 
 .br
-$ firejail --nodeny=/bin/nc
+$ firejail --noblacklist=/bin/nc
 .br
 $ nc dict.org 2628
 .br
@@ -1710,6 +1666,10 @@ $ firejail \-\-nou2f
 Disable video devices.
 .br
 
+.TP
+\fB\-\-nowhitelist=dirname_or_filename
+Disable whitelist for this directory or file.
+
 #ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
@@ -2773,6 +2733,34 @@ Example:
 .br
 $ firejail \-\-net=br0 --veth-name=if0
 #endif
+.TP
+\fB\-\-whitelist=dirname_or_filename
+Whitelist directory or file. A temporary file system is mounted on the top directory, and the
+whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
+.br
+
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
+.br
+
+.br
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
+.br
+$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
+.br
+$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 
 .TP
 \fB\-\-writable-etc
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c
index 93bb3f73d..beff93199 100644
--- a/src/tools/profcleaner.c
+++ b/src/tools/profcleaner.c
@@ -72,4 +72,4 @@ int main(int argc, char **argv) {
         }
 
         return 0;
-}
\ No newline at end of file
+}
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 666dfd4c2..c7f6ee3f1 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -218,7 +218,7 @@ _firejail_args=(
     '--netfilter.print=-[print the firewall name|pid]: :_all_firejails'
     '--netfilter6=-[enable IPv6 firewall]: :'
     '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails'
-    '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :'
+    '--netmask=-[define a network mask when dealing with unconfigured parent interfaces]: :'
     '--netns=-[Run the program in a named, persistent network namespace]: :'
     '--netstats[monitor network statistics]'
     '--interface=-[move interface in sandbox]: :'