38 files changed, 316 insertions, 220 deletions
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 1b8231033..0bc4a0ee2 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -217,6 +217,10 @@ void build_share(const char *fname, FILE *fp) {
 //*******************************************
 static FileDB *tmp_out = NULL;
 static void tmp_callback(char *ptr) {
+        // skip strace file
+        if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
+                return;
        tmp_out = filedb_add(tmp_out, ptr);
 }
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index fca3396c4..c0f4a3407 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -24,7 +24,7 @@ static FileDB *db_skip = NULL;
 static FileDB *db_out = NULL;
 static void load_whitelist_common(void) {
-        FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r");
+        FILE *fp = fopen(SYSCONFDIR "/whitelist-common.inc", "r");
        if (!fp) {
                fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
                exit(1);
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index adc00e67b..09f41a838 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -80,10 +80,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
          stroutput,
        };
-        // detect strace
+        // detect strace and check if Yama LSM allows us to use it
        int have_strace = 0;
-        if (access("/usr/bin/strace", X_OK) == 0)
+        int have_yama_permission = 1;
+        if (access("/usr/bin/strace", X_OK) == 0) {
                have_strace = 1;
+                FILE *ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
+                if (ps) {
+                        unsigned val;
+                        if (fscanf(ps, "%u", &val) == 1)
+                                have_yama_permission = (val < 2);
+                        fclose(ps);
+                }
+        }
        // calculate command length
        unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
@@ -93,10 +102,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
        cmd[0] = cmdlist[0];    // explicit assignment to clean scan-build error
        // build command
+        // skip strace if not installed, or no permission to use it
+        int skip_strace = !(have_strace && have_yama_permission);
        unsigned i = 0;
        for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) {
-                // skip strace if not installed
+                if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
-                if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0)
                        break;
                cmd[i] = cmdlist[i];
        }
@@ -172,12 +182,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                fprintf(fp, "caps.drop all\n");
                fprintf(fp, "nonewprivs\n");
                fprintf(fp, "seccomp\n");
-                if (have_strace)
+                if (!have_strace) {
-                        build_seccomp(strace_output, fp);
-                else {
                        fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
                        fprintf(fp, "# whitelisted seccomp filter.\n");
                }
+                else if (!have_yama_permission)
+                        fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
+                else
+                        build_seccomp(strace_output, fp);
                fprintf(fp, "\n");
                fprintf(fp, "### network\n");
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in
index 64e277e2d..85f84aa32 100644
--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fcopy: $(OBJS)
+fcopy: $(OBJS) ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fcopy *.gcov *.gcda *.gcno *.plist
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 67237b4ea..e65501d6d 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -23,7 +23,6 @@
 #include <ftw.h>
 #include <errno.h>
 #include <pwd.h>
-#include <sys/prctl.h>
 #if HAVE_SELINUX
 #include <sys/stat.h>
@@ -112,7 +111,7 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
        }
        // open destination
-        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, 0755);
+        int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR);
        if (dst < 0) {
                if (!arg_quiet)
                        fprintf(stderr, "Warning fcopy: cannot open %s, file not copied\n", destname);
@@ -133,7 +132,8 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
                        done += rv;
                }
        }
-        fflush(0);
+        if (len < 0)
+                goto errexit;
        if (fchown(dst, uid, gid) == -1)
                goto errexit;
@@ -180,7 +180,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid,
        // if the link is already there, don't create it
        struct stat s;
-        if (stat(linkpath, &s) == 0)
+        if (lstat(linkpath, &s) == 0)
               return;
        char *rp = realpath(target, NULL);
@@ -412,30 +412,21 @@ int main(int argc, char **argv) {
                exit(1);
        }
-#ifdef WARN_DUMPABLE
+        warn_dumpable();
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-                fprintf(stderr, "Error fcopy: I am dumpable\n");
-#endif
-        // trim trailing chars
-        if (src[strlen(src) - 1] == '/')
-                src[strlen(src) - 1] = '\0';
-        if (dest[strlen(dest) - 1] == '/')
-                dest[strlen(dest) - 1] = '\0';
        // check the two files; remove ending /
-        int len = strlen(src);
+        size_t len = strlen(src);
-        if (src[len - 1] == '/')
+        while (len > 1 && src[len - 1] == '/')
-                src[len - 1] = '\0';
+                src[--len] = '\0';
-        if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != (size_t)len) {
+        if (strcspn(src, "\\*&!?\"'<>%^(){}[];,") != len) {
                fprintf(stderr, "Error fcopy: invalid source file name %s\n", src);
                exit(1);
        }
        len = strlen(dest);
-        if (dest[len - 1] == '/')
+        while (len > 1 && dest[len - 1] == '/')
-                dest[len - 1] = '\0';
+                dest[--len] = '\0';
-        if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != (size_t)len) {
+        if (strcspn(dest, "\\*&!?\"'<>%^(){}[];,~") != len) {
                fprintf(stderr, "Error fcopy: invalid dest file name %s\n", dest);
                exit(1);
        }
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 4853e099b..e924ef2ec 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -391,6 +391,7 @@ kazam
 kcalc
 # kdeinit4
 kdenlive
+kdiff3
 keepass
 keepass2
 keepassx
@@ -424,6 +425,7 @@ kwrite
 leafpad
 # less - breaks man
 libreoffice
+librewolf
 liferea
 lightsoff
 lincity-ng
@@ -455,6 +457,7 @@ macrofusion
 magicor
 # man
 manaplus
+marker
 masterpdfeditor
 masterpdfeditor4
 masterpdfeditor5
@@ -463,6 +466,7 @@ mate-calculator
 mate-color-select
 mate-dictionary
 mathematica
+matrix-mirage
 mattermost-desktop
 mcabber
 mediainfo
@@ -474,6 +478,8 @@ mencoder
 mendeleydesktop
 menulibre
 meteo-qt
+microsoft-edge
+microsoft-edge-dev
 midori
 min
 mindless
@@ -618,6 +624,7 @@ qemu-launcher
 qgis
 qlipper
 qmmp
+qnapi
 qpdfview
 qt-faststart
 qtox
@@ -659,6 +666,7 @@ secret-tool
 shellcheck
 shortwave
 shotcut
+shotwell
 signal-cli
 signal-desktop
 silentarmy
@@ -768,6 +776,7 @@ tremulous
 trojita
 truecraft
 tshark
+tutanota-desktop
 tuxguitar
 tvbrowser
 twitch
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 6c0ebcd43..9ea3edcd0 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -372,7 +372,7 @@ char *guess_shell(void);
 // sandbox.c
 #define SANDBOX_DONE '1'
 int sandbox(void* sandbox_arg);
-void start_application(int no_sandbox, char *set_sandbox_status) __attribute__((noreturn));
+void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn));
 void set_apparmor(void);
 // network_main.c
@@ -513,7 +513,6 @@ void check_private_dir(void);
 void update_map(char *mapping, char *map_file);
 void wait_for_other(int fd);
 void notify_other(int fd);
-const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 uid_t get_group_id(const char *group);
 int remove_overlay_directory(void);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 0d4e496e8..4e6c1adc3 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -795,6 +795,8 @@ void disable_config(void) {
                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
        if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
+        if (!arg_appimage && stat(RUN_FIREJAIL_APPIMAGE_DIR, &s) == 0)
+                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_APPIMAGE_DIR);
 }
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 5cfd33b42..b8c1b21b1 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -33,6 +33,52 @@ extern void fslib_install_system(void);
 static int lib_cnt = 0;
 static int dir_cnt = 0;
+char *find_in_path(const char *program) {
+        EUID_ASSERT();
+        if (arg_debug)
+                printf("Searching $PATH for %s\n", program);
+        char self[MAXBUF];
+        ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1);
+        if (len < 0)
+                errExit("readlink");
+        self[len] = '\0';
+        char *path = getenv("PATH");
+        if (!path)
+                return NULL;
+        char *dup = strdup(path);
+        if (!dup)
+                errExit("strdup");
+        char *tok = strtok(dup, ":");
+        while (tok) {
+                char *fname;
+                if (asprintf(&fname, "%s/%s", tok, program) == -1)
+                        errExit("asprintf");
+                if (arg_debug)
+                        printf("trying #%s#\n", fname);
+                struct stat s;
+                if (stat(fname, &s) == 0) {
+                        // but skip links created by firecfg
+                        char *rp = realpath(fname, NULL);
+                        if (!rp)
+                                errExit("realpath");
+                        if (strcmp(self, rp) != 0) {
+                                free(rp);
+                                free(dup);
+                                return fname;
+                        }
+                        free(rp);
+                }
+                free(fname);
+                tok = strtok(NULL, ":");
+        }
+        free(dup);
+        return NULL;
+}
 static void report_duplication(const char *full_path) {
        char *fname = strrchr(full_path, '/');
        if (fname && *(++fname) != '\0') {
@@ -165,7 +211,7 @@ void fslib_copy_dir(const char *full_path) {
        mkdir_attr(dest, 0755, 0, 0);
        if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+                mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
                errExit("mount bind");
        fs_logger2("clone", full_path);
        fs_logger2("mount", full_path);
@@ -336,11 +382,40 @@ void fs_private_lib(void) {
        // start timetrace
        timetrace_start();
+        // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
+        if (arg_debug || arg_debug_private_lib)
+                printf("Installing Firejail libraries\n");
+        fslib_install_list(PATH_FIREJAIL);
+        // bring in firejail directory
+        fslib_install_list(LIBDIR "/firejail");
+        // bring in dhclient libraries
+        if (any_dhcp()) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("Installing dhclient libraries\n");
+                fslib_install_list(RUN_MNT_DIR "/dhclient");
+        }
+        fmessage("Firejail libraries installed in %0.2f ms\n", timetrace_end());
+        timetrace_start();
        // copy the libs in the new lib directory for the main exe
        if (cfg.original_program_index > 0) {
                if (arg_debug || arg_debug_private_lib)
                        printf("Installing sandboxed program libraries\n");
-                fslib_install_list(cfg.original_argv[cfg.original_program_index]);
+                if (strchr(cfg.original_argv[cfg.original_program_index], '/'))
+                        fslib_install_list(cfg.original_argv[cfg.original_program_index]);
+                else { // search executable in $PATH
+                        EUID_USER();
+                        char *fname = find_in_path(cfg.original_argv[cfg.original_program_index]);
+                        EUID_ROOT();
+                        if (fname) {
+                                fslib_install_list(fname);
+                                free(fname);
+                        }
+                }
        }
        // for the shell
@@ -369,18 +444,11 @@ void fs_private_lib(void) {
        }
        fmessage("Program libraries installed in %0.2f ms\n", timetrace_end());
-        // install the reset of the system libraries
+        // install the rest of the system libraries
        if (arg_debug || arg_debug_private_lib)
                printf("Installing system libraries\n");
        fslib_install_system();
-        // bring in firejail directory for --trace and seccomp post exec
-        // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
-        fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable
-        // install libraries needed by fcopy
-        fslib_install_list(PATH_FCOPY);
        fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries",
                dir_cnt, (dir_cnt == 1)? "directory": "directories");
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index b2ae07f3e..95e10ee05 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -30,6 +30,7 @@ extern void fslib_copy_dir(const char *full_path);
 //***************************************************************
 // standard libc libraries based on Debian's libc6 package
 // selinux seems to be linked in most command line utilities
+// libpcre2 is a dependency of selinux
 // locale (/usr/lib/locale) - without it, the program will default to "C" locale
 typedef struct liblist_t {
        const char *name;
@@ -38,6 +39,7 @@ typedef struct liblist_t {
 static LibList libc_list[] = {
        { "libselinux.so.", 0 },
+        { "libpcre2-8.so.", 0 },
        { "libapparmor.so.", 0},
        { "ld-linux-x86-64.so.", 0 },
        { "libanl.so.", 0 },
@@ -104,17 +106,15 @@ static void stdc(const char *dirname) {
 void fslib_install_stdc(void) {
        // install standard C libraries
+        timetrace_start();
        struct stat s;
-        char *stdclib = "/lib64";                 // CentOS, Fedora, Arch
        if (stat("/lib/x86_64-linux-gnu", &s) == 0) {   // Debian & friends
                mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0);
                selinux_relabel_path(RUN_LIB_DIR "/x86_64-linux-gnu", "/lib/x86_64-linux-gnu");
-                stdclib = "/lib/x86_64-linux-gnu";
+                stdc("/lib/x86_64-linux-gnu");
        }
-        timetrace_start();
+        stdc("/lib64"); // CentOS, Fedora, Arch, ld-linux.so in Debian & friends
-        stdc(stdclib);
        // install locale
        if (stat("/usr/lib/locale", &s) == 0)
diff --git a/src/firejail/join.c b/src/firejail/join.c
index ca8b8c4bf..4f0210f95 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -20,10 +20,14 @@
 #include "firejail.h"
 #include <sys/stat.h>
 #include <sys/wait.h>
-#include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 #include <sys/prctl.h>
 #ifndef PR_SET_NO_NEW_PRIVS
 #define PR_SET_NO_NEW_PRIVS 38
@@ -292,13 +296,28 @@ static void extract_umask(pid_t pid) {
                fprintf(stderr, "Error: cannot open umask file\n");
                exit(1);
        }
-        if (fscanf(fp, "%o", &orig_umask) != 1) {
+        if (fscanf(fp, "%3o", &orig_umask) != 1) {
                fprintf(stderr, "Error: cannot read umask\n");
                exit(1);
        }
        fclose(fp);
 }
+static int open_shell(void) {
+        EUID_ASSERT();
+        assert(cfg.shell);
+        if (arg_debug)
+                printf("Opening shell %s\n", cfg.shell);
+        // file descriptor will leak if not opened with O_CLOEXEC !!
+        int fd = open(cfg.shell, O_PATH|O_CLOEXEC);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot open shell %s\n", cfg.shell);
+                exit(1);
+        }
+        return fd;
+}
 // return false if the sandbox identified by pid is not fully set up yet or if
 // it is no firejail sandbox at all, return true if the sandbox is complete
 bool is_ready_for_join(const pid_t pid) {
@@ -316,7 +335,7 @@ bool is_ready_for_join(const pid_t pid) {
        struct stat s;
        if (fstat(fd, &s) == -1)
                errExit("fstat");
-        if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
+        if (!S_ISREG(s.st_mode) || s.st_uid != 0 || s.st_size != 1) {
                close(fd);
                return false;
        }
@@ -391,6 +410,10 @@ void join(pid_t pid, int argc, char **argv, int index) {
        extract_x11_display(parent);
+        int shfd = -1;
+        if (!arg_shell_none && !arg_audit)
+                shfd = open_shell();
        EUID_ROOT();
        // in user mode set caps seccomp, cpu, cgroup, etc
        if (getuid() != 0) {
@@ -400,6 +423,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
                extract_cgroup(pid);
                extract_nogroups(pid);
                extract_user_namespace(pid);
+                extract_umask(pid);
 #ifdef HAVE_APPARMOR
                extract_apparmor(pid);
 #endif
@@ -409,9 +433,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
        if (cfg.cgroup) // not available for uid 0
                set_cgroup(cfg.cgroup);
-        // set umask, also uid 0
-        extract_umask(pid);
        // join namespaces
        if (arg_join_network) {
                if (join_namespace(pid, "net"))
@@ -522,10 +543,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
                extract_command(argc, argv, index);
                if (cfg.command_line == NULL) {
                        assert(cfg.shell);
-                        cfg.command_line = cfg.shell;
                        cfg.window_title = cfg.shell;
                }
-                if (arg_debug)
+                else if (arg_debug)
                        printf("Extracted command #%s#\n", cfg.command_line);
                // set cpu affinity
@@ -554,11 +574,13 @@ void join(pid_t pid, int argc, char **argv, int index) {
                        dbus_set_system_bus_env();
 #endif
-                start_application(0, NULL);
+                start_application(0, shfd, NULL);
                __builtin_unreachable();
        }
        EUID_USER();
+        if (shfd != -1)
+                close(shfd);
        int status = 0;
        //*****************************
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 544bfe83a..0f0086a6e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1231,11 +1231,6 @@ int main(int argc, char **argv, char **envp) {
        }
        EUID_ASSERT();
-#ifdef WARN_DUMPABLE
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-                fprintf(stderr, "Error: Firejail is dumpable\n");
-#endif
        // check for force-nonewprivs in /etc/firejail/firejail.config file
        if (checkcfg(CFG_FORCE_NONEWPRIVS))
                arg_nonewprivs = 1;
@@ -2787,7 +2782,7 @@ int main(int argc, char **argv, char **envp) {
        // build the sandbox command
        if (prog_index == -1 && cfg.shell) {
-                cfg.command_line = cfg.shell;
+                assert(cfg.command_line == NULL); // runs cfg.shell
                cfg.window_title = cfg.shell;
                cfg.command_name = cfg.shell;
        }
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 01df77ee6..6c7803602 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -204,14 +204,15 @@ void run_no_sandbox(int argc, char **argv) {
                        break;
                }
        }
-        // if shell is /usr/bin/firejail, replace it with /bin/bash
-        if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
+// if shell is /usr/bin/firejail, replace it with /bin/bash
-                cfg.shell = "/bin/bash";
+//      if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
-                prog_index = 0;
+//              cfg.shell = "/bin/bash";
-        }
+//              prog_index = 0;
+//      }
        if (prog_index == 0) {
-                cfg.command_line = cfg.shell;
+                assert(cfg.command_line == NULL); // runs cfg.shell
                cfg.window_title = cfg.shell;
        } else {
                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
@@ -230,5 +231,5 @@ void run_no_sandbox(int argc, char **argv) {
        arg_quiet = 1;
-        start_application(1, NULL);
+        start_application(1, -1, NULL);
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4172c96f7..1ee8cdfcb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -619,6 +619,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                return 0;
        }
+        else if (strncmp(ptr, "netns  ", 6) == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        arg_netns = ptr + 6;
+                        check_netns(arg_netns);
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
        else if (strcmp(ptr, "net none") == 0) {
                arg_nonetwork  = 1;
                cfg.bridge0.configured = 0;
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index ea3889024..b38cc0ca6 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -22,6 +22,8 @@
 #include <sys/stat.h>
 #include <unistd.h>
+extern char *find_in_path(const char *program);
 void run_symlink(int argc, char **argv, int run_as_is) {
        EUID_ASSERT();
@@ -40,54 +42,17 @@ void run_symlink(int argc, char **argv, int run_as_is) {
                errExit("setresuid");
        // find the real program by looking in PATH
-        char *p = getenv("PATH");
+        if (!getenv("PATH")) {
-        if (!p) {
                fprintf(stderr, "Error: PATH environment variable not set\n");
                exit(1);
        }
-        char *path = strdup(p);
+        char *p = find_in_path(program);
-        if (!path)
+        if (!p) {
-                errExit("strdup");
-        char *selfpath = realpath("/proc/self/exe", NULL);
-        if (!selfpath)
-                errExit("realpath");
-        // look in path for our program
-        char *tok = strtok(path, ":");
-        int found = 0;
-        while (tok) {
-                char *name;
-                if (asprintf(&name, "%s/%s", tok, program) == -1)
-                        errExit("asprintf");
-                struct stat s;
-                if (stat(name, &s) == 0) {
-                        /* coverity[toctou] */
-                        char* rp = realpath(name, NULL);
-                        if (!rp)
-                                errExit("realpath");
-                        if (strcmp(selfpath, rp) != 0) {
-                                program = strdup(name);
-                                found = 1;
-                                free(rp);
-                                break;
-                        }
-                        free(rp);
-                }
-                free(name);
-                tok = strtok(NULL, ":");
-        }
-        if (!found) {
                fprintf(stderr, "Error: cannot find the program in the path\n");
                exit(1);
        }
+        program = p;
-        free(selfpath);
        // restore original umask
        umask(orig_umask);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5115191ea..d811fe45a 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -461,7 +461,7 @@ static int ok_to_run(const char *program) {
        return 0;
 }
-void start_application(int no_sandbox, char *set_sandbox_status) {
+void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
        // set environment
        if (no_sandbox == 0) {
                env_defaults();
@@ -471,7 +471,7 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
        umask(orig_umask);
        if (arg_debug) {
-                printf("starting application\n");
+                printf("Starting application\n");
                printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
        }
@@ -488,9 +488,6 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
                if (set_sandbox_status)
                        *set_sandbox_status = SANDBOX_DONE;
                execl(arg_audit_prog, arg_audit_prog, NULL);
-                perror("execl");
-                exit(1);
        }
        //****************************************
        // start the program without using a shell
@@ -532,35 +529,37 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
        //****************************************
        else {
                assert(cfg.shell);
-                assert(cfg.command_line);
                char *arg[5];
                int index = 0;
                arg[index++] = cfg.shell;
-                if (login_shell) {
+                if (cfg.command_line) {
-                        arg[index++] = "-l";
-                        if (arg_debug)
-                                printf("Starting %s login shell\n", cfg.shell);
-                } else {
-                        arg[index++] = "-c";
                        if (arg_debug)
                                printf("Running %s command through %s\n", cfg.command_line, cfg.shell);
+                        arg[index++] = "-c";
                        if (arg_doubledash)
                                arg[index++] = "--";
                        arg[index++] = cfg.command_line;
                }
-                arg[index] = NULL;
+                else if (login_shell) {
+                        if (arg_debug)
+                                printf("Starting %s login shell\n", cfg.shell);
+                        arg[index++] = "-l";
+                }
+                else if (arg_debug)
+                        printf("Starting %s shell\n", cfg.shell);
                assert(index < 5);
+                arg[index] = NULL;
                if (arg_debug) {
                        char *msg;
-                        if (asprintf(&msg, "sandbox %d, execvp into %s", sandbox_pid, cfg.command_line) == -1)
+                        if (asprintf(&msg, "sandbox %d, execvp into %s",
+                                sandbox_pid, cfg.command_line ? cfg.command_line : cfg.shell) == -1)
                                errExit("asprintf");
                        logmsg(msg);
                        free(msg);
-                }
-                if (arg_debug) {
                        int i;
                        for (i = 0; i < 5; i++) {
                                if (arg[i] == NULL)
@@ -580,10 +579,14 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
                if (set_sandbox_status)
                        *set_sandbox_status = SANDBOX_DONE;
                execvp(arg[0], arg);
+                // join sandbox without shell in the mount namespace
+                if (fd > -1)
+                        fexecve(fd, arg, environ);
        }
-        perror("execvp");
+        perror("Cannot start application");
-        exit(1); // it should never get here!!!
+        exit(1);
 }
 static void enforce_filters(void) {
@@ -1223,7 +1226,7 @@ int sandbox(void* sandbox_arg) {
                        set_nice(cfg.nice);
                set_rlimits();
-                start_application(0, set_sandbox_status);
+                start_application(0, -1, set_sandbox_status);
        }
        munmap(set_sandbox_status, 1);
diff --git a/src/firejail/util.c b/src/firejail/util.c
index a3927cc88..911c8bd94 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -565,27 +565,18 @@ char *clean_pathname(const char *path) {
        if (!rv)
                errExit("malloc");
-        if (len > 0) {
+        size_t i = 0;
-                size_t i = 0, j = 0, cnt = 0;
+        size_t j = 0;
-                for (; i < len; i++) {
+        while (path[i]) {
-                        if (path[i] == '/')
+                while (path[i] == '/' && path[i+1] == '/')
-                                cnt++;
+                        i++;
-                        else
+                rv[j++] = path[i++];
-                                cnt = 0;
-                        if (cnt < 2) {
-                                rv[j] = path[i];
-                                j++;
-                        }
-                }
-                rv[j] = '\0';
-                // remove a trailing slash
-                if (j > 1 && rv[j - 1] == '/')
-                        rv[j - 1] = '\0';
        }
-        else
+        rv[j] = '\0';
-                *rv = '\0';
+        // remove a trailing slash
+        if (j > 1 && rv[j - 1] == '/')
+                rv[j - 1] = '\0';
        return rv;
 }
@@ -820,20 +811,6 @@ void notify_other(int fd) {
        fclose(stream);
 }
-// Equivalent to the GNU version of basename, which is incompatible with
-// the POSIX basename. A few lines of code saves any portability pain.
-// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
-const char *gnu_basename(const char *path) {
-        const char *last_slash = strrchr(path, '/');
-        if (!last_slash)
-                return path;
-        return last_slash+1;
-}
 uid_t pid_get_uid(pid_t pid) {
        EUID_ASSERT();
        uid_t rv = 0;
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in
index 53382c2df..37b139d38 100644
--- a/src/fldd/Makefile.in
+++ b/src/fldd/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fldd: $(OBJS) ../lib/ldd_utils.o
+fldd: $(OBJS) ../lib/common.o ../lib/ldd_utils.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fldd *.gcov *.gcda *.gcno *.plist
diff --git a/src/fldd/main.c b/src/fldd/main.c
index d68504f6b..55a0dfcce 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -24,7 +24,6 @@
 #include <fcntl.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
-#include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
@@ -303,10 +302,7 @@ printf("\n");
                return 0;
        }
-#ifdef WARN_DUMPABLE
+        warn_dumpable();
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-                fprintf(stderr, "Error fldd: I am dumpable\n");
-#endif
        // check program access
        if (access(argv[1], R_OK)) {
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
index 37566db72..bd5fe9e7a 100644
--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fnet: $(OBJS) ../lib/libnetlink.o
+fnet: $(OBJS) ../lib/common.o ../lib/libnetlink.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fnet *.gcov *.gcda *.gcno *.plist
diff --git a/src/fnet/main.c b/src/fnet/main.c
index f6316a7fe..db090fb95 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -21,7 +21,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/utsname.h>
-#include <sys/prctl.h>
 int arg_quiet = 0;
@@ -69,10 +68,9 @@ printf("\n");
                usage();
                return 0;
        }
-#ifdef WARN_DUMPABLE
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+        warn_dumpable();
-                fprintf(stderr, "Error fnet: I am dumpable\n");
-#endif
        char *quiet = getenv("FIREJAIL_QUIET");
        if (quiet && strcmp(quiet, "yes") == 0)
                arg_quiet = 1;
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
index 055167192..6fe650a17 100644
--- a/src/fnetfilter/Makefile.in
+++ b/src/fnetfilter/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fnetfilter: $(OBJS)
+fnetfilter: $(OBJS) ../lib/common.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fnetfilter *.gcov *.gcda *.gcno *.plist
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
index 1ca35ab56..381d0d36e 100644
--- a/src/fnetfilter/main.c
+++ b/src/fnetfilter/main.c
@@ -18,7 +18,6 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "../include/common.h"
-#include <sys/prctl.h>
 #define MAXBUF 4098
 #define MAXARGS 16
@@ -181,10 +180,9 @@ printf("\n");
                usage();
                return 1;
        }
-#ifdef WARN_DUMPABLE
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
+        warn_dumpable();
-                fprintf(stderr, "Error fnetfilter: I am dumpable\n");
-#endif
        char *destfile = (argc == 3)? argv[2]: argv[1];
        char *command = (argc == 3)? argv[1]: NULL;
 //printf("command %s\n", command);
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in
index 0387f7ec7..b6a28fdd8 100644
--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fsec-optimize: $(OBJS) ../lib/libnetlink.o
+fsec-optimize: $(OBJS) ../lib/common.o ../lib/libnetlink.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fsec-optimize *.gcov *.gcda *.gcno *.plist
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h
index 034fde2ac..211111641 100644
--- a/src/fsec-optimize/fsec_optimize.h
+++ b/src/fsec-optimize/fsec_optimize.h
@@ -22,7 +22,6 @@
 #include "../include/common.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
-#include <sys/prctl.h>
 // optimize.c
 struct sock_filter *duplicate(struct sock_filter *filter, int entries);
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c
index fb13eeca8..74aebc9e0 100644
--- a/src/fsec-optimize/main.c
+++ b/src/fsec-optimize/main.c
@@ -44,11 +44,7 @@ printf("\n");
                return 0;
        }
-#ifdef WARN_DUMPABLE
+        warn_dumpable();
-        // check FIREJAIL_PLUGIN in order to not print a warning during make
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
-                fprintf(stderr, "Error fsec-optimize: I am dumpable\n");
-#endif
        char *fname = argv[1];
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in
index a30ff4ba3..bf39a8c77 100644
--- a/src/fsec-print/Makefile.in
+++ b/src/fsec-print/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
+fsec-print: $(OBJS) ../lib/common.o ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h
index 9d17e3f18..337199288 100644
--- a/src/fsec-print/fsec_print.h
+++ b/src/fsec-print/fsec_print.h
@@ -23,7 +23,6 @@
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
 #include <sys/mman.h>
-#include <sys/prctl.h>
 // print.c
 void print(struct sock_filter *filter, int entries);
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
index d1f056e47..ed030db21 100644
--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -61,10 +61,7 @@ printf("\n");
                return 0;
        }
-#ifdef WARN_DUMPABLE
+        warn_dumpable();
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid())
-                fprintf(stderr, "Error fsec-print: I am dumpable\n");
-#endif
        char *fname = argv[1];
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index 8623db6f8..b776a73ce 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o
+fseccomp: $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index e40999938..e8dd083b6 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -23,7 +23,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
-#include <sys/prctl.h>
 #include "../include/common.h"
 #include "../include/syscall.h"
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index f505ca0f3..c8259b079 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -69,11 +69,7 @@ printf("\n");
                return 0;
        }
-#ifdef WARN_DUMPABLE
+        warn_dumpable();
-        // check FIREJAIL_PLUGIN in order to not print a warning during make
-        if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN"))
-                fprintf(stderr, "Error fseccomp: I am dumpable\n");
-#endif
        char *quiet = getenv("FIREJAIL_QUIET");
        if (quiet && strcmp(quiet, "yes") == 0)
diff --git a/src/include/common.h b/src/include/common.h
index 5df51c5a9..5497929c7 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -38,11 +38,6 @@
 #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
-// check if processes run with dumpable flag set
-// currently we get "Error fseccomp: I am dumpable" every time we run a firejail build on Debian 8,
-// regardless what Debian version we run the build on
-//#define WARN_DUMPABLE
 // macro to print ip addresses in a printf statement
 #define PRINT_IP(A) \
 ((int) (((A) >> 24) & 0xFF)),  ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF))
@@ -126,4 +121,6 @@ char *pid_proc_comm(const pid_t pid);
 char *pid_proc_cmdline(const pid_t pid);
 int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
 int pid_hidepid(void);
+void warn_dumpable(void);
+const char *gnu_basename(const char *path);
 #endif
diff --git a/src/lib/common.c b/src/lib/common.c
index 823442835..ace5cb87e 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -267,7 +267,6 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
 }
 // return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
-#define BUFLEN 4096
 int pid_hidepid(void) {
        FILE *fp = fopen("/proc/mounts", "r");
        if (!fp)
@@ -288,6 +287,39 @@ int pid_hidepid(void) {
        return 0;
 }
+// print error if unprivileged users can trace the process
+void warn_dumpable(void) {
+        if (getuid() != 0 && prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getenv("FIREJAIL_PLUGIN")) {
+                fprintf(stderr, "Error: dumpable process\n");
+                // best effort to provide detailed debug information
+                // cannot use process name, it is just a file descriptor number
+                char path[BUFLEN];
+                ssize_t len = readlink("/proc/self/exe", path, BUFLEN - 1);
+                if (len < 0)
+                        return;
+                path[len] = '\0';
+                // path can refer to a sandbox mount namespace, use basename only
+                const char *base = gnu_basename(path);
+                struct stat s;
+                if (stat("/proc/self/exe", &s) == 0 && s.st_uid != 0)
+                        fprintf(stderr, "Change owner of %s executable to root\n", base);
+                else if (access("/proc/self/exe", R_OK) == 0)
+                        fprintf(stderr, "Remove read permission on %s executable\n", base);
+        }
+}
+// Equivalent to the GNU version of basename, which is incompatible with
+// the POSIX basename. A few lines of code saves any portability pain.
+// https://www.gnu.org/software/libc/manual/html_node/Finding-Tokens-in-a-String.html#index-basename
+const char *gnu_basename(const char *path) {
+        const char *last_slash = strrchr(path, '/');
+        if (!last_slash)
+                return path;
+        return last_slash+1;
+}
 //**************************
 // time trace based on getticks function
 //**************************
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index 4903971ad..6823d0ae6 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -336,6 +336,7 @@ static const SyscallGroupList sysgroups[] = {
 #endif
        },
        { .name = "@default-keep", .list =
+          "execveat," // commonly used by fexecve
          "execve,"
          "prctl"
        },
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9524254c1..030a3c95c 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -862,6 +862,11 @@ the parent interface specified by --net is not configured. An IP address and
 a default gateway address also have to be added.
 .TP
+\fBnetns namespace
+Run the program in a named, persistent network namespace. These can
+be created and configured using "ip netns".
+.TP
 \fBveth-name name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
 instead of the default one.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 562b3eda3..e72ef48c2 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -76,10 +76,10 @@ If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
 to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
 .PP
-If a program argument is not specified, Firejail starts /bin/bash shell.
+If a program argument is not specified, Firejail starts the user's preferred shell.
 Examples:
 .PP
-$ firejail [OPTIONS]                # starting a /bin/bash shell
+$ firejail [OPTIONS]                # starting the program specified in $SHELL, usually /bin/bash
 .PP
 $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 .PP
@@ -2273,7 +2273,7 @@ rm: cannot remove `testfile': Operation not permitted
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
-The system calls needed by Firejail (group @default-keep: prctl, execve)
+The system calls needed by Firejail (group @default-keep: prctl, execve, execveat)
 are handled with the preload library. On a 64 bit architecture, an
 additional filter for 32 bit system calls can be installed with
 \-\-seccomp.32.keep.
@@ -2476,7 +2476,7 @@ $ firejail \-\-shell=none script.sh
 \fB\-\-shell=program
 Set default user shell. Use this shell to run the application using \-c shell option.
 For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
-By default Bash shell (/bin/bash) is used.
+By default the user's preferred shell is used.
 .br
 .br
@@ -3023,7 +3023,7 @@ We provide a tool that automates all this integration, please see \&\flfirecfg\f
 .SH EXAMPLES
 .TP
 \f\firejail
-Sandbox a regular /bin/bash session.
+Sandbox a regular shell session.
 .TP
 \f\firejail firefox
 Start Mozilla Firefox.
@@ -3043,7 +3043,7 @@ Start Firefox in a new network namespace. An IP address is
 assigned automatically.
 .TP
 \f\firejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
-Start a /bin/bash session in a new network namespace and connect it
+Start a shell session in a new network namespace and connect it
 to br0, br1, and br2 host bridge devices. IP addresses are assigned
 automatically for the interfaces connected to br1 and b2
 #endif
diff --git a/src/profstats/main.c b/src/profstats/main.c
index 4c1221464..68f62831b 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -30,6 +30,8 @@ static int cnt_seccomp = 0;
 static int cnt_caps = 0;
 static int cnt_dbus_system_none = 0;
 static int cnt_dbus_user_none = 0;
+static int cnt_dbus_system_filter = 0;
+static int cnt_dbus_user_filter = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -107,6 +109,7 @@ void process_file(const char *fname) {
                return;
        }
+        int have_include_local = 0;
        char buf[MAXBUF];
        while (fgets(buf, MAXBUF, fp)) {
                char *ptr = strchr(buf, '\n');
@@ -152,11 +155,16 @@ void process_file(const char *fname) {
                        cnt_privateetc++;
                else if (strncmp(ptr, "dbus-system none", 16) == 0)
                        cnt_dbus_system_none++;
+                else if (strncmp(ptr, "dbus-system", 11) == 0)
+                        cnt_dbus_system_filter++;
                else if (strncmp(ptr, "dbus-user none", 14) == 0)
                        cnt_dbus_user_none++;
+                else if (strncmp(ptr, "dbus-user", 9) == 0)
+                        cnt_dbus_user_filter++;
                else if (strncmp(ptr, "include ", 8) == 0) {
                        // not processing .local files
                        if (strstr(ptr, ".local")) {
+                                have_include_local = 1;
 //printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
                                if (strstr(ptr, "globals.local"))
                                        cnt_globalsdotlocal++;
@@ -174,6 +182,8 @@ void process_file(const char *fname) {
        }
        fclose(fp);
+        if (!have_include_local)
+                printf("No include .local found in %s\n", fname);
        level--;
 }
@@ -257,7 +267,9 @@ int main(int argc, char **argv) {
                int whitelistrunuser = cnt_whitelistrunuser;
                int whitelistusrshare = cnt_whitelistusrshare;
                int dbussystemnone = cnt_dbus_system_none;
+                int dbussystemfilter = cnt_dbus_system_filter;
                int dbususernone = cnt_dbus_user_none;
+                int dbususerfilter = cnt_dbus_user_filter;
                int ssh = cnt_ssh;
                int mdwx = cnt_mdwx;
@@ -278,6 +290,16 @@ int main(int argc, char **argv) {
                        cnt_globalsdotlocal = globalsdotlocal + 1;
                if (cnt_whitelistrunuser > (whitelistrunuser + 1))
                        cnt_whitelistrunuser = whitelistrunuser + 1;
+                if (cnt_seccomp > (seccomp + 1))
+                        cnt_seccomp = seccomp + 1;
+                if (cnt_dbus_user_none > (dbususernone + 1))
+                        cnt_dbus_user_none = dbususernone + 1;
+                if (cnt_dbus_user_filter > (dbususerfilter + 1))
+                        cnt_dbus_user_filter = dbususerfilter + 1;
+                if (cnt_dbus_system_none > (dbussystemnone + 1))
+                        cnt_dbus_system_none = dbussystemnone + 1;
+                if (cnt_dbus_system_filter > (dbussystemfilter + 1))
+                        cnt_dbus_system_filter = dbussystemfilter + 1;
                if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
                        printf("No dbus-system none found in %s\n", argv[i]);
@@ -337,7 +359,9 @@ int main(int argc, char **argv) {
        printf("    whitelist usr/share\t\t%d   (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
        printf("    net none\t\t\t%d\n", cnt_netnone);
        printf("    dbus-user none \t\t%d\n", cnt_dbus_user_none);
+        printf("    dbus-user filter \t\t%d\n", cnt_dbus_user_filter);
        printf("    dbus-system none \t\t%d\n", cnt_dbus_system_none);
+        printf("    dbus-system filter \t\t%d\n", cnt_dbus_system_filter);
        printf("\n");
        return 0;
 }