From b146aefde53cf7c27985c566098605f50e0bf15f Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Tue, 30 May 2017 18:12:51 -0400
Subject: profile merges

---
 README.md                  | 2 +-
 RELNOTES                   | 2 ++
 platform/debian/conffiles  | 1 +
 src/firecfg/firecfg.config | 1 +
 4 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 54d1cd475..83cb1d58a 100644
--- a/README.md
+++ b/README.md
@@ -76,4 +76,4 @@ The plan is to have all bittorrent clients whitelisted in the next release.**
 
 ## New profiles
 
-vym, darktable
+vym, darktable, Waterfox
diff --git a/RELNOTES b/RELNOTES
index 763282fb8..24e340e01 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,8 @@
 firejail (0.9.47) baseline; urgency=low
   * work in progress
   * added /etc/firejail/globals.local for global customizations
+  * whitelisted Transmission, Deluge, qBitTorrent, KTorrent
+  * new profiles: vym, darktable, Waterfox
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Tue, 23 May 2017 08:00:00 -0500
 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 9c99a918a..a03f23cc1 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -303,3 +303,4 @@
 /etc/firejail/zoom.profile
 /etc/firejail/vym.profile
 /etc/firejail/darktable.profile
+/etc/firejail/waterfox.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e58c8ee52..aa9d4c32c 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -224,6 +224,7 @@ vlc
 vym
 w3m
 warzone2100
+waterfox
 weechat
 weechat-curses
 wesnot
-- 
cgit v1.2.3-54-g00ecf


From ca98f1488a3d01df23c5415b1480b4e2df131e83 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 31 May 2017 15:26:13 -0400
Subject: bug: print whitelist seccomp filter for --debug option

---
 src/firejail/seccomp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 72a5874f8..15379215c 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -68,7 +68,7 @@ int seccomp_load(const char *fname) {
 		goto errexit;
 	unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
 	if (arg_debug)
-		printf("reading %d seccomp entries from %s\n", entries, fname);
+		printf("configuring %d seccomp entries from %s\n", entries, fname);
 
 	// read filter
 	struct sock_filter *filter = malloc(size);
@@ -205,6 +205,8 @@ int seccomp_filter_keep(void) {
 		printf("seccomp filter configured\n");
 
 
+	if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
+		sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
 	return seccomp_load(RUN_SECCOMP_CFG);
 }
 
-- 
cgit v1.2.3-54-g00ecf


From e74a493b105c203b522102e6357b483a8ce046b3 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 31 May 2017 17:26:26 -0400
Subject: profile cleanup

---
 etc/gimp-2.8.profile        |  4 ++++
 etc/mate-calculator.profile |  4 ++++
 etc/thunar.profile          |  4 ++++
 etc/vivaldi-beta.profile    |  2 +-
 etc/vivaldi-stable.profile  | 16 +---------------
 etc/vivaldi.profile         | 17 ++++++++++++++++-
 6 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/etc/gimp-2.8.profile b/etc/gimp-2.8.profile
index 1902fac72..ce6cee7a5 100644
--- a/etc/gimp-2.8.profile
+++ b/etc/gimp-2.8.profile
@@ -1,4 +1,8 @@
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/gimp-2.8.local
+
 include /etc/firejail/gimp.profile
diff --git a/etc/mate-calculator.profile b/etc/mate-calculator.profile
index 67a9f244e..acc687b81 100644
--- a/etc/mate-calculator.profile
+++ b/etc/mate-calculator.profile
@@ -1,4 +1,8 @@
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mate-calculator.local
+
 #include /etc/firejail/mate-calc.profile
diff --git a/etc/thunar.profile b/etc/thunar.profile
index cd84acf39..d8389ebc8 100644
--- a/etc/thunar.profile
+++ b/etc/thunar.profile
@@ -1,4 +1,8 @@
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/thunar.local
+
 include /etc/firejail/Thunar.profile
diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile
index 51954c643..f2c2f4cc0 100644
--- a/etc/vivaldi-beta.profile
+++ b/etc/vivaldi-beta.profile
@@ -6,4 +6,4 @@ include /etc/firejail/globals.local
 include /etc/firejail/vivaldi-beta.local
 
 # Vivaldi Beta browser profile
-include /etc/firejail/vivaldi-stable.profile
+include /etc/firejail/vivaldi.profile
diff --git a/etc/vivaldi-stable.profile b/etc/vivaldi-stable.profile
index a57b2dd78..9b2ccd4f3 100644
--- a/etc/vivaldi-stable.profile
+++ b/etc/vivaldi-stable.profile
@@ -4,19 +4,5 @@ include /etc/firejail/globals.local
 # This file is overwritten during software install.
 # Persistent customizations should go in a .local file.
 include /etc/firejail/vivaldi.local
-noblacklist ~/.cache/vivaldi
 
-# Vivaldi browser profile
-noblacklist ~/.config/vivaldi
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-
-netfilter
-
-whitelist ${DOWNLOADS}
-mkdir ~/.config/vivaldi
-whitelist ~/.config/vivaldi
-mkdir ~/.cache/vivaldi
-whitelist ~/.cache/vivaldi
-include /etc/firejail/whitelist-common.inc
+include /etc/firejail/vivaldi.profile
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index c01c6d608..25d78439d 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -6,4 +6,19 @@ include /etc/firejail/globals.local
 include /etc/firejail/vivaldi.local
 
 # Vivaldi browser profile
-include /etc/firejail/vivaldi-stable.profile
+noblacklist ~/.cache/vivaldi
+
+# Vivaldi browser profile
+noblacklist ~/.config/vivaldi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/vivaldi
+whitelist ~/.config/vivaldi
+mkdir ~/.cache/vivaldi
+whitelist ~/.cache/vivaldi
+include /etc/firejail/whitelist-common.inc
-- 
cgit v1.2.3-54-g00ecf


From 687a429ddda387f40f163a45211345607ad96149 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 31 May 2017 20:42:19 -0400
Subject: AppArmor made optional; a warning is printed on the screen if the
 sandbox fails to load the AppArmor profile

---
 RELNOTES               | 2 ++
 src/firejail/sandbox.c | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/RELNOTES b/RELNOTES
index 24e340e01..7fb5dea64 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,7 @@
 firejail (0.9.47) baseline; urgency=low
   * work in progress
+  * modifs: AppArmor made optional; a warning is printed on the screen
+    if the sandbox fails to load the AppArmor profile
   * added /etc/firejail/globals.local for global customizations
   * whitelisted Transmission, Deluge, qBitTorrent, KTorrent
   * new profiles: vym, darktable, Waterfox
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 7f82e2253..b22a4c651 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -987,12 +987,12 @@ int sandbox(void* sandbox_arg) {
 	if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
 		if (arg_apparmor) {
+			int done = 0;
 			errno = 0;
 			if (aa_change_onexec("firejail-default")) {
-				fprintf(stderr, "Error: cannot confine the application using AppArmor.\n");
-				fprintf(stderr, "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n");
-				fprintf(stderr, "As root, run \"aa-enforce firejail-default\" to load it.\n");
-				exit(1);
+				fwarning("Cannot confine the application using AppArmor.\n"
+					"Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
+					"As root, run \"aa-enforce firejail-default\" to load it.\n");
 			}
 			else if (arg_debug)
 				printf("AppArmor enabled\n");
-- 
cgit v1.2.3-54-g00ecf


From 8b53bdf4fb483b36de7d168541e4d300f61e1033 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 31 May 2017 21:20:01 -0400
Subject: added digiKam profile

---
 README.md                  | 2 +-
 RELNOTES                   | 5 +++--
 platform/debian/conffiles  | 1 +
 src/firecfg/firecfg.config | 1 +
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 83cb1d58a..7df356357 100644
--- a/README.md
+++ b/README.md
@@ -76,4 +76,4 @@ The plan is to have all bittorrent clients whitelisted in the next release.**
 
 ## New profiles
 
-vym, darktable, Waterfox
+vym, darktable, Waterfox, digiKam
diff --git a/RELNOTES b/RELNOTES
index 7fb5dea64..7b779fc22 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,10 +1,11 @@
 firejail (0.9.47) baseline; urgency=low
   * work in progress
+  * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
+    please use ~/Downloads directory for saving files
   * modifs: AppArmor made optional; a warning is printed on the screen
     if the sandbox fails to load the AppArmor profile
   * added /etc/firejail/globals.local for global customizations
-  * whitelisted Transmission, Deluge, qBitTorrent, KTorrent
-  * new profiles: vym, darktable, Waterfox
+  * new profiles: vym, darktable, Waterfox, digiKam
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Tue, 23 May 2017 08:00:00 -0500
 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index a03f23cc1..812b372ee 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -304,3 +304,4 @@
 /etc/firejail/vym.profile
 /etc/firejail/darktable.profile
 /etc/firejail/waterfox.profile
+/etc/firejail/digikam
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index aa9d4c32c..044f07c95 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -39,6 +39,7 @@ darktable
 deadbeef
 deluge
 dia
+digikam
 dillo
 dino
 display
-- 
cgit v1.2.3-54-g00ecf


From fe4dda6e3bfc715f0f0aaca0f8dbbae42d17a6a6 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Thu, 1 Jun 2017 07:21:37 -0400
Subject: digikam

---
 README                   | 1 +
 etc/disable-programs.inc | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/README b/README
index 28b126e6b..d9171b68a 100644
--- a/README
+++ b/README
@@ -116,6 +116,7 @@ curiosity-seeker (https://github.com/curiosity-seeker)
 	- added guayadeque profile
 	- added VirtualBox.profile
 	- various other profile fixes
+	- added digiKam profile
 Daan Bakker (https://github.com/dbakker)
 	- protect shell startup files
 Dara Adib (https://github.com/daradib)
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index af0bbfce6..c36ff38c3 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -71,6 +71,7 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
+blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
 blacklist ${HOME}/.config/enchant
@@ -200,6 +201,7 @@ blacklist ${HOME}/.kde4/share/apps/okular
 blacklist ${HOME}/.kde4/share/config/baloofilerc
 blacklist ${HOME}/.kde4/share/config/baloorc
 blacklist ${HOME}/.kde4/share/config/gwenviewrc
+blacklist ${HOME}/.kde4/share/config/digikam
 blacklist ${HOME}/.kde4/share/config/k3brc
 blacklist ${HOME}/.kde4/share/config/kcookiejarrc
 blacklist ${HOME}/.kde4/share/config/khtmlrc
@@ -217,6 +219,7 @@ blacklist ${HOME}/.kde/share/apps/konqueror
 blacklist ${HOME}/.kde/share/apps/okular
 blacklist ${HOME}/.kde/share/config/baloofilerc
 blacklist ${HOME}/.kde/share/config/baloorc
+blacklist ${HOME}/.kde/share/config/digikam
 blacklist ${HOME}/.kde/share/config/gwenviewrc
 blacklist ${HOME}/.kde/share/config/k3brc
 blacklist ${HOME}/.kde/share/config/kcookiejarrc
-- 
cgit v1.2.3-54-g00ecf


From 22c62fd71d3474a5253af29eec9f6c29c6d6be54 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Thu, 1 Jun 2017 07:24:28 -0400
Subject: digikam profile

---
 etc/digikam.profile | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 etc/digikam.profile

diff --git a/etc/digikam.profile b/etc/digikam.profile
new file mode 100644
index 000000000..fd19953a0
--- /dev/null
+++ b/etc/digikam.profile
@@ -0,0 +1,33 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/digikam.local
+
+noblacklist ${HOME}/.kde4/share/apps/digikam
+noblacklist ${HOME}/.kde/share/apps/digikam
+noblacklist ${HOME}/.config/digikamrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+
+# This is a seccomp whitelist profile for  Debian jessie, Kubuntu 17.04.
+# Uncomment seccomp.keep line and try it out. By default only the regular seccomp blacklist profile is enabled.
+#seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
+seccomp
+
+nogroups
+shell none
+# private-bin program
+# private-etc none
+# private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
+private-tmp
-- 
cgit v1.2.3-54-g00ecf


From 6364ca6429a7b30458a5ad2969ded3a71a2ce0f8 Mon Sep 17 00:00:00 2001
From: Fred Barclay <Fred-Barclay@users.noreply.github.com>
Date: Thu, 1 Jun 2017 11:47:51 -0500
Subject: Fix #1325

---
 etc/disable-programs.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index c36ff38c3..f2cf99188 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -90,7 +90,7 @@ blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
-blacklist ${HOME}./config/gpicview
+blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
@@ -256,7 +256,7 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/data/Mumble
-blacklist ${HOME}./local/share/dino
+blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
-- 
cgit v1.2.3-54-g00ecf


From 4d3da296b28ab96a274e40044c2537a96f112e7d Mon Sep 17 00:00:00 2001
From: Fred Barclay <Fred-Barclay@users.noreply.github.com>
Date: Thu, 1 Jun 2017 11:57:13 -0500
Subject: Fix for `make deb` fail `make deb` failed when building from mainline
 with the message: dpkg-deb: error: conffile '/etc/firejail/digikam' does not
 appear in package warning: cannot find binary, udeb or source package
 debian.deb in lab (skipping)

This is because the line /etc/firejail/digikam in platform/debian/conffiles did
not end in '.profile': i.e /etc/firejail/digikam.profile
---
 platform/debian/conffiles | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 812b372ee..cc7453ae7 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -49,6 +49,7 @@
 /etc/firejail/default.profile
 /etc/firejail/deluge.profile
 /etc/firejail/dia.profile
+/etc/firejail/digikam.profile
 /etc/firejail/dillo.profile
 /etc/firejail/dino.profile
 /etc/firejail/disable-common.inc
@@ -304,4 +305,3 @@
 /etc/firejail/vym.profile
 /etc/firejail/darktable.profile
 /etc/firejail/waterfox.profile
-/etc/firejail/digikam
-- 
cgit v1.2.3-54-g00ecf


From 3a2428bd4ba70e4b4c71b8e7ae7aeee8e027428e Mon Sep 17 00:00:00 2001
From: Fred Barclay <Fred-Barclay@users.noreply.github.com>
Date: Fri, 2 Jun 2017 16:46:32 -0500
Subject: fix for keepassx on Fedora 25

---
 etc/keepassx.profile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 9aeed0057..34e260f8f 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+machine-id
 net none
 no3d
 nogroups
@@ -28,8 +29,8 @@ seccomp
 shell none
 tracelog
 
-private-bin keepassx
-private-etc fonts
+private-bin keepassx,keepassx2
+private-etc fonts,machine-id
 private-dev
 private-tmp
 
-- 
cgit v1.2.3-54-g00ecf


From de565a0009c8f2ef24f3bd741000fe79de122b8a Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Fri, 2 Jun 2017 17:49:49 -0400
Subject: fix login shell functionality broken in 0.9.46

---
 src/firejail/firejail.h    | 1 +
 src/firejail/no_sandbox.c  | 5 +++++
 src/firejail/run_symlink.c | 6 +-----
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 91b9c7be7..6f0a5aa7b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -718,6 +718,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
+#define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
 #define PATH_FCOPY (LIBDIR "/firejail/fcopy")
 #define SBOX_STDIN_FILE "/run/firejail/mnt/sbox_stdin"
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index b37c5abf7..07c42006d 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -209,6 +209,11 @@ void run_no_sandbox(int argc, char **argv) {
 			break;
 		}
 	}
+	// if shell is /usr/bin/firejail, replace it with /bin/bash
+	if (strcmp(cfg.shell, PATH_FIREJAIL) == 0) {
+		cfg.shell = "/bin/bash";
+		prog_index = 0;
+	}
 
 	if (prog_index == 0) {
 		cfg.command_line = cfg.shell;
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index a9298a33f..ed885d3b1 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -86,10 +86,6 @@ void run_symlink(int argc, char **argv) {
 
 
 	// start the argv[0] program in a new sandbox
-	char *firejail;
-	if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1)
-		errExit("asprintf");
-
 	// drop privileges
 	if (setgid(getgid()) < 0)
 		errExit("setgid/getgid");
@@ -98,7 +94,7 @@ void run_symlink(int argc, char **argv) {
 
 	// run command
 	char *a[3 + argc];
-	a[0] = firejail;
+	a[0] =PATH_FIREJAIL;
 	a[1] = program;
 	int i;
 	for (i = 0; i < (argc - 1); i++) {
-- 
cgit v1.2.3-54-g00ecf


From 8e178ad5527d8dc60e440c89d42337f5a91997cf Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Fri, 2 Jun 2017 17:54:25 -0400
Subject: testing

---
 test/filters/syscall_test   | Bin 11095 -> 9552 bytes
 test/filters/syscall_test32 | Bin 8907 -> 6868 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/test/filters/syscall_test b/test/filters/syscall_test
index 12edd2d64..bf29c5b99 100755
Binary files a/test/filters/syscall_test and b/test/filters/syscall_test differ
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32
index 29af1e073..8d72f58c4 100755
Binary files a/test/filters/syscall_test32 and b/test/filters/syscall_test32 differ
-- 
cgit v1.2.3-54-g00ecf


From 67a6d8712f1ec3a43dc5bcf7ffa471c19b0e218e Mon Sep 17 00:00:00 2001
From: Fred Barclay <Fred-Barclay@users.noreply.github.com>
Date: Fri, 2 Jun 2017 18:36:46 -0500
Subject: Added Catfish profile

---
 README                     |  1 +
 README.md                  |  2 +-
 RELNOTES                   |  2 +-
 etc/catfish.profile        | 31 +++++++++++++++++++++++++++++++
 etc/disable-programs.inc   |  1 +
 platform/debian/conffiles  |  1 +
 src/firecfg/firecfg.config |  3 ++-
 7 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 etc/catfish.profile

diff --git a/README b/README
index d9171b68a..22f835a10 100644
--- a/README
+++ b/README
@@ -187,6 +187,7 @@ Fred-Barclay (https://github.com/Fred-Barclay)
 	- added mousepad, qpicview, and cvlc profiles
 	- added BibleTime profile
 	- added caja and galculator profiles
+	- added Catfish profile
 G4JC (http://sourceforge.net/u/gaming4jc/profile/)
 	- ARM support
 	- profile fixes
diff --git a/README.md b/README.md
index 7df356357..594dd92e8 100644
--- a/README.md
+++ b/README.md
@@ -76,4 +76,4 @@ The plan is to have all bittorrent clients whitelisted in the next release.**
 
 ## New profiles
 
-vym, darktable, Waterfox, digiKam
+vym, darktable, Waterfox, digiKam, Catfish
diff --git a/RELNOTES b/RELNOTES
index 7b779fc22..e67f2dbd7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -5,7 +5,7 @@ firejail (0.9.47) baseline; urgency=low
   * modifs: AppArmor made optional; a warning is printed on the screen
     if the sandbox fails to load the AppArmor profile
   * added /etc/firejail/globals.local for global customizations
-  * new profiles: vym, darktable, Waterfox, digiKam
+  * new profiles: vym, darktable, Waterfox, digiKam, Catfish
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Tue, 23 May 2017 08:00:00 -0500
 
diff --git a/etc/catfish.profile b/etc/catfish.profile
new file mode 100644
index 000000000..e0039a042
--- /dev/null
+++ b/etc/catfish.profile
@@ -0,0 +1,31 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/catfish.local
+
+# Firejail profile for catfish
+noblacklist ~/.config/catfish
+
+# We can't blacklist much since catfish
+# is for finding files/content
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+net none
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# These options work but are disabled in case
+# a users wants to search in these directories.
+#private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m
+#private-dev
+#private-tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index f2cf99188..4d975a8ae 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -62,6 +62,7 @@ blacklist ${HOME}/.config/borg
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/caja
+blacklist ${HOME}/.config/catfish
 blacklist ${HOME}/.config/cherrytree
 blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/chromium-dev
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index cc7453ae7..094134494 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -32,6 +32,7 @@
 /etc/firejail/brasero.profile
 /etc/firejail/brave.profile
 /etc/firejail/caja.profile
+/etc/firejail/catfish.profile
 /etc/firejail/cherrytree.profile
 /etc/firejail/chromium-browser.profile
 /etc/firejail/chromium.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 044f07c95..73d47a142 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,5 +1,5 @@
 # /usr/lib/firejail/firecfg.config - firecfg utility configuration file
-# This is the list of programs in alfabetical order handled by firecfg utility
+# This is the list of programs in alphabetical order handled by firecfg utility
 #
 0ad
 2048-qt
@@ -23,6 +23,7 @@ bless
 blender
 brasero
 brave
+catfish
 cherrytree
 chromium
 chromium-browser
-- 
cgit v1.2.3-54-g00ecf


From c60666097838b67a80bbff7724865e23cdbd00f4 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Sat, 3 Jun 2017 20:21:45 -0400
Subject: profile support in overlayfs mode

---
 RELNOTES            | 3 ++-
 src/firejail/main.c | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/RELNOTES b/RELNOTES
index e67f2dbd7..0c59364c5 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,7 +4,8 @@ firejail (0.9.47) baseline; urgency=low
     please use ~/Downloads directory for saving files
   * modifs: AppArmor made optional; a warning is printed on the screen
     if the sandbox fails to load the AppArmor profile
-  * added /etc/firejail/globals.local for global customizations
+  * feature: added /etc/firejail/globals.local for global customizations
+  * feature: profile support in overlayfs mode
   * new profiles: vym, darktable, Waterfox, digiKam, Catfish
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Tue, 23 May 2017 08:00:00 -0500
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 95c325f9f..cff61f64a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2272,9 +2272,9 @@ int main(int argc, char **argv) {
 		if (cfg.chrootdir) {
 			fwarning("default profile disabled by --chroot option\n");
 		}
-		else if (arg_overlay) {
-			fwarning("default profile disabled by --overlay option\n");
-		}
+//		else if (arg_overlay) {
+//			fwarning("default profile disabled by --overlay option\n");
+//		}
 		else {
 			// try to load a default profile
 			char *profile_name = DEFAULT_USER_PROFILE;
-- 
cgit v1.2.3-54-g00ecf


From 881520edff69292ddbe05efada584f515ccadac4 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Sun, 4 Jun 2017 11:48:27 -0400
Subject: drop discretionary access control capabilities by default

---
 RELNOTES                |  1 +
 etc/server.profile      |  1 +
 src/firejail/caps.c     | 11 +++++++++--
 src/firejail/firejail.h |  1 +
 src/firejail/join.c     |  3 +++
 src/firejail/sandbox.c  |  6 ++++--
 6 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/RELNOTES b/RELNOTES
index 0c59364c5..5add1b48e 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,7 @@ firejail (0.9.47) baseline; urgency=low
     please use ~/Downloads directory for saving files
   * modifs: AppArmor made optional; a warning is printed on the screen
     if the sandbox fails to load the AppArmor profile
+  * feature: drop discretionary access control capabilities by default 
   * feature: added /etc/firejail/globals.local for global customizations
   * feature: profile support in overlayfs mode
   * new profiles: vym, darktable, Waterfox, digiKam, Catfish
diff --git a/etc/server.profile b/etc/server.profile
index 31a81b88f..2d79fa1c8 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -18,6 +18,7 @@ blacklist /tmp/.X11-unix
 no3d
 nosound
 seccomp
+caps
 
 private
 private-dev
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index d45ba20ce..883e8015e 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,10 +248,17 @@ void caps_print(void) {
 	}
 }
 
+// drop discretionary access control capabilities by default in all sandboxes
+void caps_drop_dac_override(void) {
+	if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+	else if (arg_debug)
+		printf("Drop CAP_DAC_OVERRIDE\n");
 
+	if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+	else if (arg_debug)
+		printf("Drop CAP_DAC_READ_SEARCH\n");
+}
 
-
-// enabled by default
 int caps_default_filter(void) {
 	// drop capabilities
 	if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 6f0a5aa7b..8224b5012 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -533,6 +533,7 @@ void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
+void caps_drop_dac_override(void);
 
 // syscall.c
 const char *syscall_find_nr(int nr);
diff --git a/src/firejail/join.c b/src/firejail/join.c
index b5b45a3bf..d7328a91b 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,6 +242,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
 	if (child < 0)
 		errExit("fork");
 	if (child == 0) {
+		// drop discretionary access control capabilities by default
+		caps_drop_dac_override();
+		
 		// chroot into /proc/PID/root directory
 		char *rootdir;
 		if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b22a4c651..0a32393a2 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -99,6 +99,9 @@ static void set_caps(void) {
 		caps_keep_list(arg_caps_list);
 	else if (arg_caps_default_filter)
 		caps_default_filter();
+	
+	// drop discretionary access control capabilities by default
+	caps_drop_dac_override();
 }
 
 void save_nogroups(void) {
@@ -896,8 +899,7 @@ int sandbox(void* sandbox_arg) {
 	// set security filters
 	//****************************
 	// set capabilities
-//	if (!arg_noroot)
-		set_caps();
+	set_caps();
 
 	// set rlimits
 	set_rlimits();
-- 
cgit v1.2.3-54-g00ecf


From bf62b457f0c60d12c761755d83021fcadd9eaea3 Mon Sep 17 00:00:00 2001
From: startx2017 <vradu.startx@yandex.com>
Date: Mon, 5 Jun 2017 09:31:38 -0400
Subject: handbrake profile

---
 README.md                  | 2 +-
 RELNOTES                   | 2 +-
 etc/disable-programs.inc   | 1 +
 platform/debian/conffiles  | 1 +
 src/firecfg/firecfg.config | 1 +
 5 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 594dd92e8..79d7d965a 100644
--- a/README.md
+++ b/README.md
@@ -76,4 +76,4 @@ The plan is to have all bittorrent clients whitelisted in the next release.**
 
 ## New profiles
 
-vym, darktable, Waterfox, digiKam, Catfish
+vym, darktable, Waterfox, digiKam, Catfish, HandBrake
diff --git a/RELNOTES b/RELNOTES
index 5add1b48e..9795fe376 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,7 +7,7 @@ firejail (0.9.47) baseline; urgency=low
   * feature: drop discretionary access control capabilities by default 
   * feature: added /etc/firejail/globals.local for global customizations
   * feature: profile support in overlayfs mode
-  * new profiles: vym, darktable, Waterfox, digiKam, Catfish
+  * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Tue, 23 May 2017 08:00:00 -0500
 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 4d975a8ae..bac43ba7e 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -87,6 +87,7 @@ blacklist ${HOME}/.config/galculator
 blacklist ${HOME}/.config/geany
 blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/gedit
+blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 094134494..7d36714c1 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -306,3 +306,4 @@
 /etc/firejail/vym.profile
 /etc/firejail/darktable.profile
 /etc/firejail/waterfox.profile
+/etc/firejail/handbrake.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 73d47a142..444b304ab 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -99,6 +99,7 @@ gpredict
 gthumb
 gucharmap
 gwenview
+handbrake
 hedgewars
 hexchat
 highlight
-- 
cgit v1.2.3-54-g00ecf


From 2b22501223ee9886158f60520b6f1f7bade0cbaa Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Mon, 5 Jun 2017 18:57:25 -0400
Subject: bittorrent

---
 README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 79d7d965a..db1810b94 100644
--- a/README.md
+++ b/README.md
@@ -69,10 +69,10 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 All profiles include /etc/firejail/globals.local for persistent customizations across all applications. For example, you
 can set here a global DNS "dns 8.8.8.8". The file is not overwritten during software install.
 
-**The following BitTorrent clients have been whitelisted: Transmission, Deluge, qBitTorrent, KTorrent. Configuration files and
-~/Downloads directory are real, everything else is placed on a temporary filesystem and discarded when the
-sandboxed is closed. Please configure your client to put downloaded files in ~/Download directory. 
-The plan is to have all bittorrent clients whitelisted in the next release.**
+The following BitTorrent clients have been whitelisted: Transmission, Deluge, qBitTorrent, KTorrent.
+Configuration files and ~/Downloads directory are real, everything else is placed on a temporary 
+filesystem and discarded when the sandboxed is closed. **Please configure your client to put 
+downloaded files in ~/Downloads directory.**  The plan is to have all bittorrent clients whitelisted in the next release.
 
 ## New profiles
 
-- 
cgit v1.2.3-54-g00ecf


From 89677fc115d7d781bb685642fe93e1bd037b3331 Mon Sep 17 00:00:00 2001
From: startx2017 <vradu.startx@yandex.com>
Date: Mon, 5 Jun 2017 19:16:14 -0400
Subject: handbrake profile

---
 etc/handbrake.profile | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 etc/handbrake.profile

diff --git a/etc/handbrake.profile b/etc/handbrake.profile
new file mode 100644
index 000000000..0f3f32250
--- /dev/null
+++ b/etc/handbrake.profile
@@ -0,0 +1,30 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/handbrake.local
+
+noblacklist ~/.config/ghb
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+# netlink required!
+protocol unix,inet,inet6,netlink
+seccomp
+
+#
+# depending on your usage, you can enable some of the commands below:
+#
+nogroups
+shell none
+# private-bin program
+# private-etc none
+#private-dev
+private-tmp
+nosound
-- 
cgit v1.2.3-54-g00ecf


From d139470e1782cff1179537b524e3e12ebb2a99ae Mon Sep 17 00:00:00 2001
From: Fred Barclay <Fred-Barclay@users.noreply.github.com>
Date: Tue, 6 Jun 2017 09:22:10 -0500
Subject: Fix build error for implicit declaration of fs_dev_disable_video

---
 src/firejail/firejail.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8224b5012..8bf2a75c3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -500,6 +500,7 @@ void fs_dev_shm(void);
 void fs_private_dev(void);
 void fs_dev_disable_sound(void);
 void fs_dev_disable_3d(void);
+void fs_dev_disable_video(void);
 
 // fs_home.c
 // private mode (--private)
-- 
cgit v1.2.3-54-g00ecf


From 84ade8f847adfd3e18987ccc840f352aad92c1c2 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Tue, 6 Jun 2017 10:31:41 -0400
Subject: testing

---
 RELNOTES                   |  3 ++-
 src/firejail/caps.c        | 18 ++++++++++--------
 src/firejail/join.c        |  2 +-
 src/firejail/sandbox.c     |  2 +-
 test/apps-x11/chromium.exp |  2 +-
 test/apps/chromium.exp     |  2 +-
 6 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/RELNOTES b/RELNOTES
index 9795fe376..d4e8c9e43 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,7 +4,8 @@ firejail (0.9.47) baseline; urgency=low
     please use ~/Downloads directory for saving files
   * modifs: AppArmor made optional; a warning is printed on the screen
     if the sandbox fails to load the AppArmor profile
-  * feature: drop discretionary access control capabilities by default 
+  * feature: drop discretionary access control capabilities for
+    root sandboxes
   * feature: added /etc/firejail/globals.local for global customizations
   * feature: profile support in overlayfs mode
   * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 883e8015e..ff4d3a9d7 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -248,15 +248,17 @@ void caps_print(void) {
 	}
 }
 
-// drop discretionary access control capabilities by default in all sandboxes
+// drop discretionary access control capabilities for root sandboxes
 void caps_drop_dac_override(void) {
-	if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
-	else if (arg_debug)
-		printf("Drop CAP_DAC_OVERRIDE\n");
-
-	if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
-	else if (arg_debug)
-		printf("Drop CAP_DAC_READ_SEARCH\n");
+	if (getuid() == 0) {
+		if (prctl(PR_CAPBSET_DROP, CAP_DAC_OVERRIDE, 0, 0, 0));
+		else if (arg_debug)
+			printf("Drop CAP_DAC_OVERRIDE\n");
+
+		if (prctl(PR_CAPBSET_DROP, CAP_DAC_READ_SEARCH, 0, 0, 0));
+		else if (arg_debug)
+			printf("Drop CAP_DAC_READ_SEARCH\n");
+	}
 }
 
 int caps_default_filter(void) {
diff --git a/src/firejail/join.c b/src/firejail/join.c
index d7328a91b..4c0537413 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -242,7 +242,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 	if (child < 0)
 		errExit("fork");
 	if (child == 0) {
-		// drop discretionary access control capabilities by default
+		// drop discretionary access control capabilities for root sandboxes
 		caps_drop_dac_override();
 		
 		// chroot into /proc/PID/root directory
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0a32393a2..7489e7b6d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -100,7 +100,7 @@ static void set_caps(void) {
 	else if (arg_caps_default_filter)
 		caps_default_filter();
 	
-	// drop discretionary access control capabilities by default
+	// drop discretionary access control capabilities for root sandboxes
 	caps_drop_dac_override();
 }
 
diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp
index 3ec2bc049..a7eace125 100755
--- a/test/apps-x11/chromium.exp
+++ b/test/apps-x11/chromium.exp
@@ -71,7 +71,7 @@ expect {
 }
 expect {
 	timeout {puts "TESTING ERROR 6.2\n";exit}
-	"fffffffff"
+	"00240000"
 }
 expect {
 	timeout {puts "TESTING ERROR 6.3\n";exit}
diff --git a/test/apps/chromium.exp b/test/apps/chromium.exp
index 041918d7f..6b784e395 100755
--- a/test/apps/chromium.exp
+++ b/test/apps/chromium.exp
@@ -72,7 +72,7 @@ expect {
 }
 expect {
 	timeout {puts "TESTING ERROR 6.2\n";exit}
-	"fffffffff"
+	"00240000"
 }
 expect {
 	timeout {puts "TESTING ERROR 6.3\n";exit}
-- 
cgit v1.2.3-54-g00ecf


From b53d02259ee867c03ba8317a98575a6fb3cdf93e Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Thu, 8 Jun 2017 15:00:27 -0400
Subject: fix quiet in profiles

---
 etc/7z.profile         | 2 +-
 etc/cpio.profile       | 2 +-
 etc/file.profile       | 2 +-
 etc/git.profile        | 2 +-
 etc/gtar.profile       | 2 +-
 etc/gzip.profile       | 2 +-
 etc/less.profile       | 2 +-
 etc/ssh-agent.profile  | 2 +-
 etc/ssh.profile        | 2 +-
 etc/strings.profile    | 2 +-
 etc/tar.profile        | 2 +-
 etc/unrar.profile      | 2 +-
 etc/unzip.profile      | 2 +-
 etc/uudeview.profile   | 2 +-
 etc/wget.profile       | 2 +-
 etc/xz.profile         | 2 +-
 etc/xzdec.profile      | 2 +-
 etc/youtube-dl.profile | 2 +-
 18 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/etc/7z.profile b/etc/7z.profile
index f36735303..9cd8ade75 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/7z.local
 
 # 7zip crompression tool profile
-quiet
 ignore noroot
 
 include /etc/firejail/default.profile
diff --git a/etc/cpio.profile b/etc/cpio.profile
index f38e0a6ce..fe1dc0408 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -8,7 +9,6 @@ include /etc/firejail/cpio.local
 # cpio profile
 # /sbin and /usr/sbin are visible inside the sandbox
 # /boot is not visible and /var is heavily modified
-quiet
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
diff --git a/etc/file.profile b/etc/file.profile
index a757dce5a..915bf1088 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/file.local
 
 # file profile
-quiet
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/git.profile b/etc/git.profile
index a8e7bf882..5fa3ef95e 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/git.local
 
 # git profile
-quiet
 noblacklist ~/.gitconfig
 noblacklist ~/.ssh
 noblacklist ~/.gnupg
diff --git a/etc/gtar.profile b/etc/gtar.profile
index cd15b7156..9a4325082 100644
--- a/etc/gtar.profile
+++ b/etc/gtar.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,5 +7,4 @@ include /etc/firejail/globals.local
 include /etc/firejail/gtar.local
 
 # gtar profile
-quiet
 include /etc/firejail/tar.profile
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 2ba4e0b58..5a2a5d26e 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/gzip.local
 
 # gzip profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/less.profile b/etc/less.profile
index 273b47a7a..dd63d3e2e 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/less.local
 
 # less profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
index bbb0baade..ab47067f1 100644
--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/ssh-agent.local
 
 # ssh-agent
-quiet
 noblacklist ~/.ssh
 noblacklist /tmp/ssh-*
 noblacklist /etc/ssh
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 7ea78535d..e592841a1 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/ssh.local
 
 # ssh client
-quiet
 noblacklist ~/.ssh
 noblacklist /tmp/ssh-*
 noblacklist /etc/ssh
diff --git a/etc/strings.profile b/etc/strings.profile
index b12c42f0d..a9301c652 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/strings.local
 
 # strings profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/tar.profile b/etc/tar.profile
index 0661286b4..577e795f8 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/tar.local
 
 # tar profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 1375c9b48..62d6665ec 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/unrar.local
 
 # unrar profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 581d65167..130e57ae9 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/unzip.local
 
 # unzip profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 blacklist /tmp/.X11-unix
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index c795619a0..46f28179b 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/uudeview.local
 
 # uudeview profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/wget.profile b/etc/wget.profile
index 562c7bbf1..306ec4417 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/wget.local
 
 # wget profile
-quiet
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/xz.profile b/etc/xz.profile
index f01906610..a3c1ab3ca 100644
--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,5 +7,4 @@ include /etc/firejail/globals.local
 include /etc/firejail/xz.local
 
 # xz profile
-quiet
 include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 21cb15556..2a84bf0ee 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -6,7 +7,6 @@ include /etc/firejail/globals.local
 include /etc/firejail/xzdec.local
 
 # xzdec profile
-quiet
 ignore noroot
 include /etc/firejail/default.profile
 
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 8d925a354..e1ed3ccab 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -1,3 +1,4 @@
+quiet
 # Persistent global definitions go here
 include /etc/firejail/globals.local
 
@@ -24,7 +25,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-quiet
 
 private-dev
 
-- 
cgit v1.2.3-54-g00ecf


From 201cb8d2036e943009addefa6c0ae1785b942abc Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Fri, 9 Jun 2017 08:02:36 -0400
Subject: ktorrent profile fix

---
 etc/disable-programs.inc | 2 ++
 etc/ktorrent.profile     | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index bac43ba7e..41889cc5f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -106,6 +106,7 @@ blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/knotesrc
+blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/lximage-qt
@@ -270,6 +271,7 @@ blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/kate
+blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/multimc5
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index 5b7e5e667..59c2827cd 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -8,6 +8,8 @@ include /etc/firejail/ktorrent.local
 ################################
 # Generic GUI application profile
 ################################
+noblacklist ~/.config/ktorrentrc
+noblacklist ~/.local/share/ktorrent
 noblacklist ~/.kde/share/config/ktorrentrc
 noblacklist ~/.kde4/share/config/ktorrentrc
 noblacklist ~/.kde/share/apps/ktorrent
@@ -16,7 +18,10 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 
-
+mkfile ~/.config/ktorrentrc
+whitelist ~/.config/ktorrentrc
+mkdir ~/.local/share/ktorrent
+whitelist ~/.local/share/ktorrent
 mkdir ~/.kde/share/config/ktorrentrc
 whitelist ~/.kde/share/config/ktorrentrc
 mkdir ~/.kde4/share/config/ktorrentrc
-- 
cgit v1.2.3-54-g00ecf


From 027d9df80f48b05aa9ba7ac67b879941a10e52a0 Mon Sep 17 00:00:00 2001
From: Alexander Schier <alexander_schier@yahoo.de>
Date: Fri, 9 Jun 2017 20:46:38 +0200
Subject: profiles: allow thunderbird to read mime information

Reported here: https://bugs.debian.org/864510
---
 etc/thunderbird.profile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index 8a5bf1f7b..c693a53b3 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -25,6 +25,11 @@ noblacklist ~/.cache/thunderbird
 mkdir ~/.cache/thunderbird
 whitelist ~/.cache/thunderbird
 
+whitelist ~/.config/mimeapps.list
+read-only ~/.config/mimeapps.list
+whitelist ~/.local/share/applications
+read-only ~/.local/share/applications
+
 # allow browsers
 ignore private-tmp
 include /etc/firejail/firefox.profile
-- 
cgit v1.2.3-54-g00ecf


From ad83d0c164083634ba8608d22b2faccdaeba074c Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Sun, 11 Jun 2017 09:22:28 -0400
Subject: novideo fixes

---
 src/firejail/fs_dev.c        | 52 ++++++++++++++++++++++----------------------
 src/man/firejail-profile.txt |  1 +
 2 files changed, 27 insertions(+), 26 deletions(-)

diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 159c8e654..8ab176961 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -35,37 +35,37 @@ typedef struct {
 	const char *dev_fname;
 	const char *run_fname;
 	int sound;
-	int video;
 	int hw3d;
+	int video;
 } DevEntry;
 
 static DevEntry dev[] = {
-	{"/dev/snd", RUN_DEV_DIR "/snd", 1, 0},	// sound device
-	{"/dev/dri", RUN_DEV_DIR "/dri", 0, 1},		// 3d device
-	{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1},
-	{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1},
-	{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1},
-	{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1},
-	{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1},
-	{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1},
-	{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1},
-	{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1},
-	{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
-	{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
+	{"/dev/snd", RUN_DEV_DIR "/snd", 1, 0, 0},	// sound device
+	{"/dev/dri", RUN_DEV_DIR "/dri", 0, 1, 0},		// 3d device
+	{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1, 0},
+	{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1, 0},
+	{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1, 0},
+	{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1, 0},
+	{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1, 0},
+	{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1, 0},
+	{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1, 0},
+	{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0},
+	{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0},
+	{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0},
 	{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
-	{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1},
-	{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
-	{"/dev/video0", RUN_DEV_DIR "/video0", 0, 1},
-	{"/dev/video1", RUN_DEV_DIR "/video1", 0, 1},
-	{"/dev/video2", RUN_DEV_DIR "/video2", 0, 1},
-	{"/dev/video3", RUN_DEV_DIR "/video3", 0, 1},
-	{"/dev/video4", RUN_DEV_DIR "/video4", 0, 1},
-	{"/dev/video5", RUN_DEV_DIR "/video5", 0, 1},
-	{"/dev/video6", RUN_DEV_DIR "/video6", 0, 1},
-	{"/dev/video7", RUN_DEV_DIR "/video7", 0, 1},
-	{"/dev/video8", RUN_DEV_DIR "/video8", 0, 1},
-	{"/dev/video9", RUN_DEV_DIR "/video9", 0, 1},
-	{NULL, NULL, 0, 0}
+	{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0},
+	{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0},
+	{"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices
+	{"/dev/video1", RUN_DEV_DIR "/video1", 0, 0, 1},
+	{"/dev/video2", RUN_DEV_DIR "/video2", 0, 0, 1},
+	{"/dev/video3", RUN_DEV_DIR "/video3", 0, 0, 1},
+	{"/dev/video4", RUN_DEV_DIR "/video4", 0, 0, 1},
+	{"/dev/video5", RUN_DEV_DIR "/video5", 0, 0, 1},
+	{"/dev/video6", RUN_DEV_DIR "/video6", 0, 0, 1},
+	{"/dev/video7", RUN_DEV_DIR "/video7", 0, 0, 1},
+	{"/dev/video8", RUN_DEV_DIR "/video8", 0, 0, 1},
+	{"/dev/video9", RUN_DEV_DIR "/video9", 0, 0, 1},
+	{NULL, NULL, 0, 0, 0}
 };
 
 static void deventry_mount(void) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index cbffa9ce4..e4ef90944 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -407,6 +407,7 @@ Disable sound system.
 .TP
 \fBnovideo
 Disable video devices.
+.TP
 \fBno3d
 Disable 3D hardware acceleration.
 
-- 
cgit v1.2.3-54-g00ecf


From 5be1d138e54f9497703c2126c2ad087e960caad0 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Mon, 12 Jun 2017 07:24:43 -0400
Subject: 0.9.48 testing

---
 RELNOTES                |  5 ++---
 configure               | 18 +++++++++---------
 configure.ac            |  2 +-
 src/firejail/appimage.c |  4 +++-
 src/firejail/fs_dev.c   |  2 +-
 src/firejail/sandbox.c  |  1 -
 6 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/RELNOTES b/RELNOTES
index d4e8c9e43..7d0f037da 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,4 @@
-firejail (0.9.47) baseline; urgency=low
-  * work in progress
+firejail (0.9.48) baseline; urgency=low
   * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
     please use ~/Downloads directory for saving files
   * modifs: AppArmor made optional; a warning is printed on the screen
@@ -10,7 +9,7 @@ firejail (0.9.47) baseline; urgency=low
   * feature: profile support in overlayfs mode
   * new profiles: vym, darktable, Waterfox, digiKam, Catfish, HandBrake
   * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Tue, 23 May 2017 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 08:00:00 -0500
 
 firejail (0.9.46) baseline; urgency=low
   * security: split most of networking code in a separate executable
diff --git a/configure b/configure
index 2de213647..72c0b242c 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.47.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.48.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.47'
-PACKAGE_STRING='firejail 0.9.47'
+PACKAGE_VERSION='0.9.48'
+PACKAGE_STRING='firejail 0.9.48'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -1265,7 +1265,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.47 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.48 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1326,7 +1326,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.47:";;
+     short | recursive ) echo "Configuration of firejail 0.9.48:";;
    esac
   cat <<\_ACEOF
 
@@ -1434,7 +1434,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.47
+firejail configure 0.9.48
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1736,7 +1736,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.47, which was
+It was created by firejail $as_me 0.9.48, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4355,7 +4355,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.47, which was
+This file was extended by firejail $as_me 0.9.48, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4409,7 +4409,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.47
+firejail config.status 0.9.48
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index dc59e5b15..c0f5dd357 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.47, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.48, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 976750f8f..0f7ab40ff 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -31,17 +31,19 @@
 static char *devloop = NULL;	// device file
 static char *mntdir = NULL;	// mount point in /tmp directory
 
+#ifdef LOOP_CTL_GET_FREE	// test for older kernels; this definition is found in /usr/include/linux/loop.h
 static void err_loop(void) {
 	fprintf(stderr, "Error: cannot configure loopback device\n");
 	exit(1);
 }
+#endif
 
 void appimage_set(const char *appimage) {
 	assert(appimage);
 	assert(devloop == NULL);	// don't call this twice!
 	EUID_ASSERT();
 
-#ifdef LOOP_CTL_GET_FREE	// test for older kernels; this definition is found in /usr/include/linux/loop.h
+#ifdef LOOP_CTL_GET_FREE
 	// check appimage file
 	invalid_filename(appimage);
 	if (access(appimage, R_OK) == -1) {
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 8ab176961..fdaa0b355 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -52,7 +52,7 @@ static DevEntry dev[] = {
 	{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0},
 	{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0},
 	{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0},
-	{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
+	{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1, 0},
 	{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0},
 	{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0},
 	{"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 7489e7b6d..4ee05d070 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -989,7 +989,6 @@ int sandbox(void* sandbox_arg) {
 	if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
 		if (arg_apparmor) {
-			int done = 0;
 			errno = 0;
 			if (aa_change_onexec("firejail-default")) {
 				fwarning("Cannot confine the application using AppArmor.\n"
-- 
cgit v1.2.3-54-g00ecf


From 2ac97688adea66d33b38eee0d84e12cc59fd2cf8 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Mon, 12 Jun 2017 07:40:28 -0400
Subject: 0.9.48 testing

---
 src/firejail/fs_var.c | 3 ++-
 src/ftee/main.c       | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 9452d162d..11e9eabf5 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -326,7 +326,8 @@ void fs_var_utmp(void) {
 	endutent();
 
 	// save new utmp file
-	fwrite(&u_boot, sizeof(u_boot), 1, fp);
+	int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
+	(void) rv;
 	SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 	fclose(fp);
 
diff --git a/src/ftee/main.c b/src/ftee/main.c
index 2628a77c5..6aede324c 100644
--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -129,7 +129,8 @@ static void log_write(const unsigned char *str, int len, const char *fname) {
 		out_cnt = len;
 	}
 
-	fwrite(str, len, 1, out_fp);
+	int rv = fwrite(str, len, 1, out_fp);
+	(void) rv;
 	fflush(0);
 }
 
@@ -230,7 +231,8 @@ int main(int argc, char **argv) {
 		if (n <= 0)
 			break;
 
-		fwrite(buf, n, 1, stdout);
+		int rv = fwrite(buf, n, 1, stdout);
+		(void) rv;
 		log_write(buf, n, fname);
 	}
 
-- 
cgit v1.2.3-54-g00ecf


From 2c3f9444cdd07102ad4762484a9a34e53bb5abdb Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Mon, 12 Jun 2017 08:25:11 -0400
Subject: 0.9.48 testing

---
 RELNOTES | 1 +
 1 file changed, 1 insertion(+)

diff --git a/RELNOTES b/RELNOTES
index 7d0f037da..e8bc65625 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.48) baseline; urgency=low
     please use ~/Downloads directory for saving files
   * modifs: AppArmor made optional; a warning is printed on the screen
     if the sandbox fails to load the AppArmor profile
+  * feature: --novideo
   * feature: drop discretionary access control capabilities for
     root sandboxes
   * feature: added /etc/firejail/globals.local for global customizations
-- 
cgit v1.2.3-54-g00ecf


From 145e26033a9b830b018e2abfbe259e9042a73cfd Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Mon, 12 Jun 2017 09:55:39 -0400
Subject: 0.9.48 testing

---
 platform/rpm/old-mkrpm.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/platform/rpm/old-mkrpm.sh b/platform/rpm/old-mkrpm.sh
index 108759049..ef1a51c93 100755
--- a/platform/rpm/old-mkrpm.sh
+++ b/platform/rpm/old-mkrpm.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-VERSION="0.9.46"
+VERSION="0.9.48"
 rm -fr ~/rpmbuild
 rm -f firejail-$VERSION-1.x86_64.rpm
 
@@ -409,6 +409,13 @@ rm -rf %{buildroot}
 %{_sysconfdir}/%{name}/xfce4-dict.profile
 %{_sysconfdir}/%{name}/xfce4-notes.profile
 %{_sysconfdir}/%{name}/youtube-dl.profile
+%{_sysconfdir}/%{name}/catfish.profile
+%{_sysconfdir}/%{name}/darktable.profile
+%{_sysconfdir}/%{name}/digikam.profile
+%{_sysconfdir}/%{name}/handbrake.profile
+%{_sysconfdir}/%{name}/vym.profile
+%{_sysconfdir}/%{name}/waterfox.profile
+
 
 
 /usr/bin/firejail
@@ -451,6 +458,8 @@ rm -rf %{buildroot}
 chmod u+s /usr/bin/firejail
 
 %changelog
+* Mon Jun 12 2017  netblue30 <netblue30@yahoo.com> 0.9.48-1
+
 * Mon May 15 2017  netblue30 <netblue30@yahoo.com> 0.9.46-1
 
 * Fri Oct 21 2016  netblue30 <netblue30@yahoo.com> 0.9.44-1
-- 
cgit v1.2.3-54-g00ecf


From 18c755fc30ea828a96a9046b77ddb98d3a8760ac Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Tue, 13 Jun 2017 07:48:56 -0400
Subject: 0.9.49 development version

---
 README.md    | 16 +---------------
 RELNOTES     |  5 +++++
 configure    | 18 +++++++++---------
 configure.ac |  2 +-
 4 files changed, 16 insertions(+), 25 deletions(-)

diff --git a/README.md b/README.md
index db1810b94..fa5b9199f 100644
--- a/README.md
+++ b/README.md
@@ -62,18 +62,4 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 `````
 
 `````
-# Current development version: 0.9.47
-
-## Profile changes
-
-All profiles include /etc/firejail/globals.local for persistent customizations across all applications. For example, you
-can set here a global DNS "dns 8.8.8.8". The file is not overwritten during software install.
-
-The following BitTorrent clients have been whitelisted: Transmission, Deluge, qBitTorrent, KTorrent.
-Configuration files and ~/Downloads directory are real, everything else is placed on a temporary 
-filesystem and discarded when the sandboxed is closed. **Please configure your client to put 
-downloaded files in ~/Downloads directory.**  The plan is to have all bittorrent clients whitelisted in the next release.
-
-## New profiles
-
-vym, darktable, Waterfox, digiKam, Catfish, HandBrake
+# Current development version: 0.9.49
diff --git a/RELNOTES b/RELNOTES
index e8bc65625..684a0c731 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,3 +1,8 @@
+firejail (0.9.49) baseline; urgency=low
+  * work in progress!
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
+
 firejail (0.9.48) baseline; urgency=low
   * modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
     please use ~/Downloads directory for saving files
diff --git a/configure b/configure
index 72c0b242c..f8a606f88 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.48.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.49.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.48'
-PACKAGE_STRING='firejail 0.9.48'
+PACKAGE_VERSION='0.9.49'
+PACKAGE_STRING='firejail 0.9.49'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
 
@@ -1265,7 +1265,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.48 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.49 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1326,7 +1326,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.48:";;
+     short | recursive ) echo "Configuration of firejail 0.9.49:";;
    esac
   cat <<\_ACEOF
 
@@ -1434,7 +1434,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.48
+firejail configure 0.9.49
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1736,7 +1736,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.48, which was
+It was created by firejail $as_me 0.9.49, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4355,7 +4355,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.48, which was
+This file was extended by firejail $as_me 0.9.49, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4409,7 +4409,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.48
+firejail config.status 0.9.49
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index c0f5dd357..7f9b12d97 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.48, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.49, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
 
-- 
cgit v1.2.3-54-g00ecf


From 57048234dd48d71b8097678dd8d4c5117ead7974 Mon Sep 17 00:00:00 2001
From: Fred-Barclay <Fred-Barclay@users.noreply.github.com>
Date: Tue, 13 Jun 2017 10:54:54 -0500
Subject: Fix 1333

---
 etc/qpdfview.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile
index 1fe0a1f63..97bd2b0b1 100644
--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -6,7 +6,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/qpdfview.local
 
 # qpdfview profile
-noblacklist ${HOME}./config/qt5ct
+noblacklist ${HOME}/.config/qt5ct
 noblacklist ${HOME}/.config/qpdfview
 noblacklist ${HOME}/.local/share/qpdfview
 
-- 
cgit v1.2.3-54-g00ecf


From 62bfa2b2494e6f3b02703d3b8f1c0adebbb6759a Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 14 Jun 2017 06:42:48 -0400
Subject: fix 1334

---
 etc/chromium.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/chromium.profile b/etc/chromium.profile
index 7e73634ec..2728bf74a 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -34,7 +34,7 @@ nogroups
 shell none
 
 private-dev
-private-tmp
+#private-tmp - problems with multiple browser sessions
 
 noexec ${HOME}
 noexec /tmp
-- 
cgit v1.2.3-54-g00ecf


From 48deec958027c9aae59a19974ee7721582c633bc Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 14 Jun 2017 06:47:02 -0400
Subject: fix #1335

---
 etc/firefox.profile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/firefox.profile b/etc/firefox.profile
index 9d047db97..70b41a240 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -13,7 +13,10 @@ noblacklist ~/.local/share/qpdfview
 noblacklist ~/.kde4/share/apps/okular
 noblacklist ~/.kde/share/apps/okular
 noblacklist ~/.local/share/okular
+noblacklist ~/.config/okularpartrc
+noblacklist ~/.config/okularrc
 noblacklist ~/.pki
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -48,6 +51,8 @@ whitelist ~/.pki
 whitelist ~/.lastpass
 whitelist ~/.config/qpdfview
 whitelist ~/.local/share/qpdfview
+whitelist ~/.config/okularrc
+whitelist ~/.config/okularpartrc
 whitelist ~/.kde4/share/apps/okular
 whitelist ~/.kde/share/apps/okular
 whitelist ~/.local/share/okular
-- 
cgit v1.2.3-54-g00ecf


From cde35acef2864ba2b03b14ed36b00d3733ce760c Mon Sep 17 00:00:00 2001
From: Reiner Herrmann <reiner@reiner-h.de>
Date: Thu, 15 Jun 2017 15:43:59 +0200
Subject: Fix faudit syscall bug and crash when single argument was passed

---
 src/faudit/main.c    | 2 +-
 src/faudit/syscall.c | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/faudit/main.c b/src/faudit/main.c
index 8ab0de5a6..57c709767 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv) {
 		int i;
 
 		for (i = 1; i < argc; i++) {
-			if (strcmp(argv[i], "syscall")) {
+			if (strcmp(argv[i], "syscall") == 0) {
 				syscall_helper(argc, argv);
 				return 0;
 			}
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 2925a6c30..9661f81e6 100644
--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -34,6 +34,9 @@ extern int pivot_root(const char *new_root, const char *put_old);
 void syscall_helper(int argc, char **argv) {
 	(void) argc;
 
+	if (argc < 3)
+		return;
+
 	if (strcmp(argv[2], "mount") == 0) {
 		int rv = mount(NULL, NULL, NULL, 0, NULL);
 		(void) rv;
-- 
cgit v1.2.3-54-g00ecf


From 80302df0d4e9062de637889c0d9c8c7461070805 Mon Sep 17 00:00:00 2001
From: Reiner Herrmann <reiner@reiner-h.de>
Date: Thu, 15 Jun 2017 15:52:38 +0200
Subject: test: fix symrun test by calling faudit through symlink to firejail

---
 test/arguments/symrun.sh | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/test/arguments/symrun.sh b/test/arguments/symrun.sh
index d28f024a8..db5f06835 100755
--- a/test/arguments/symrun.sh
+++ b/test/arguments/symrun.sh
@@ -1,30 +1,31 @@
 #!/bin/bash
 
 mkdir symtest
-ln -s /usr/bin/firejail symtest/argtest
+ln -s /usr/bin/firejail symtest/faudit
 
-# search for argtest in current directory
+# search for faudit in current directory
 export PATH=$PATH:.
+export FIREJAIL_TEST_ARGUMENTS=yes
 
 echo "TESTING: 2.1 - simple args"
-symtest/argtest arg1 arg2
+symtest/faudit arg1 arg2
 
 # simple quotes, testing spaces in file names
 echo "TESTING: 2.2 - args with space and \""
-symtest/argtest "arg1 tail" "arg2 tail"
+symtest/faudit "arg1 tail" "arg2 tail"
 
 echo "TESTING: 2.3 - args with space and '"
-symtest/argtest 'arg1 tail' 'arg2 tail'
+symtest/faudit 'arg1 tail' 'arg2 tail'
 
 # escaped space in file names
 echo "TESTING: 2.4 - args with space and \\"
-symtest/argtest arg1\ tail arg2\ tail
+symtest/faudit arg1\ tail arg2\ tail
 
 # & char appears in URLs - URLs should be quoted
 echo "TESTING: 2.5 - args with & and \""
-symtest/argtest "arg1&tail" "arg2&tail"
+symtest/faudit "arg1&tail" "arg2&tail"
 
 echo "TESTING: 2.6 - args with & and '"
-symtest/argtest 'arg1&tail' 'arg2&tail'
+symtest/faudit 'arg1&tail' 'arg2&tail'
 
 rm -fr symtest
-- 
cgit v1.2.3-54-g00ecf


From 294dce8859c3e9aa22bb32d7485903f6fb5e7e25 Mon Sep 17 00:00:00 2001
From: Reiner Herrmann <reiner@reiner-h.de>
Date: Thu, 15 Jun 2017 15:53:18 +0200
Subject: test: minor cleanup/fixes

---
 test/arguments/joinrun.exp |  4 ----
 test/arguments/joinrun.sh  | 10 +++++-----
 test/arguments/outrun.sh   |  6 +++---
 3 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/test/arguments/joinrun.exp b/test/arguments/joinrun.exp
index 097becacc..97972e5e8 100755
--- a/test/arguments/joinrun.exp
+++ b/test/arguments/joinrun.exp
@@ -35,10 +35,6 @@ expect {
 	timeout {puts "TESTING ERROR 3.2.3\n";exit}
 	"#arg2 tail#"
 }
-
-# todo: remove exit and fix it
-exit
-
 expect {
 	timeout {puts "TESTING ERROR 3.3.1\n";exit}
 	"Arguments:"
diff --git a/test/arguments/joinrun.sh b/test/arguments/joinrun.sh
index 3ed166839..b00ea0e80 100755
--- a/test/arguments/joinrun.sh
+++ b/test/arguments/joinrun.sh
@@ -5,18 +5,18 @@ firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1 arg2
 
 # simple quotes, testing spaces in file names
 echo "TESTING: 3.2 - args with space and \""
-firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --quiet faudit "arg1 tail" "arg2 tail"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1 tail" "arg2 tail"
 
 echo "TESTING: 3.3 - args with space and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1 tail' 'arg2 tail'
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1 tail' 'arg2 tail'
 
 # escaped space in file names
 echo "TESTING: 3.4 - args with space and \\"
-firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --quiet faudit arg1\ tail arg2\ tail
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit arg1\ tail arg2\ tail
 
 # & char appears in URLs - URLs should be quoted
 echo "TESTING: 3.5 - args with & and \""
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit "arg1&tail" "arg2&tail"
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit "arg1&tail" "arg2&tail"
 
 echo "TESTING: 3.6 - args with & and '"
-firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --quiet faudit 'arg1&tail' 'arg2&tail'
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --join=joinrun faudit 'arg1&tail' 'arg2&tail'
diff --git a/test/arguments/outrun.sh b/test/arguments/outrun.sh
index e2b3046d6..5bc3b1e37 100755
--- a/test/arguments/outrun.sh
+++ b/test/arguments/outrun.sh
@@ -8,15 +8,15 @@ echo "TESTING: 4.2 - args with space and \""
 firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1 tail" "arg2 tail"
 
 echo "TESTING: 4.3 - args with space and '"
-firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out faudit 'arg1 tail' 'arg2 tail'
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1 tail' 'arg2 tail'
 
 # escaped space in file names
 echo "TESTING: 4.4 - args with space and \\"
-firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out faudit arg1\ tail arg2\ tail
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit arg1\ tail arg2\ tail
 
 # & char appears in URLs - URLs should be quoted
 echo "TESTING: 4.5 - args with & and \""
 firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit "arg1&tail" "arg2&tail"
 
 echo "TESTING: 4.6 - args with & and '"
-firejail--env=FIREJAIL_TEST_ARGUMENTS=yes  --output=out faudit 'arg1&tail' 'arg2&tail'
+firejail --env=FIREJAIL_TEST_ARGUMENTS=yes --output=out faudit 'arg1&tail' 'arg2&tail'
-- 
cgit v1.2.3-54-g00ecf


From a4deb5681ec924523b018196db39214ac0c1875e Mon Sep 17 00:00:00 2001
From: Fred Barclay <Fred-Barclay@users.noreply.github.com>
Date: Thu, 15 Jun 2017 11:54:26 -0500
Subject: Uncomment private-dev for vlc profile. Since private-dev now allows
 video devices, we can probably enable private-dev in the profile.

---
 etc/vlc.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/vlc.profile b/etc/vlc.profile
index efd6d04a6..b36e844ff 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -24,7 +24,7 @@ seccomp
 shell none
 
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
-# private-dev
+private-dev
 private-tmp
 
 noexec ${HOME}
-- 
cgit v1.2.3-54-g00ecf


From 05fbfe63890826cb46e140da556010449695b6f2 Mon Sep 17 00:00:00 2001
From: Fred Barclay <Fred-Barclay@users.noreply.github.com>
Date: Thu, 15 Jun 2017 12:02:43 -0500
Subject: test: add novideo to profiles (part 1)

---
 etc/0ad.profile        | 1 +
 etc/7z.profile         | 2 ++
 etc/atom-beta.profile  | 1 +
 etc/atom.profile       | 1 +
 etc/atool.profile      | 1 +
 etc/atril.profile      | 1 +
 etc/audacity.profile   | 1 +
 etc/aweather.profile   | 1 +
 etc/baloo_file.profile | 1 +
 etc/bibletime.profile  | 1 +
 etc/bleachbit.profile  | 1 +
 etc/bless.profile      | 1 +
 etc/brasero.profile    | 2 +-
 etc/catfish.profile    | 1 +
 etc/cherrytree.profile | 1 +
 etc/clementine.profile | 1 +
 etc/clipit.profile     | 1 +
 etc/deadbeef.profile   | 1 +
 etc/deluge.profile     | 1 +
 etc/dia.profile        | 1 +
 etc/dino.profile       | 1 +
 etc/dragon.profile     | 1 +
 etc/dropbox.profile    | 1 +
 etc/elinks.profile     | 3 ++-
 etc/engrampa.profile   | 1 +
 etc/eog.profile        | 1 +
 etc/eom.profile        | 1 +
 etc/evince.profile     | 1 +
 28 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/etc/0ad.profile b/etc/0ad.profile
index 596cb845a..e946c1418 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -29,6 +29,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/7z.profile b/etc/7z.profile
index 9cd8ade75..c7c857dc8 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -15,6 +15,8 @@ blacklist /tmp/.X11-unix
 
 tracelog
 net none
+nosound
+novideo
 shell none
 private-dev
 nosound
diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
index 5a42e28e8..367aa5672 100644
--- a/etc/atom-beta.profile
+++ b/etc/atom-beta.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/atom.profile b/etc/atom.profile
index fc9e49eab..726682617 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/atool.profile b/etc/atool.profile
index 3f4b60312..a66b4b1c5 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -16,6 +16,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
diff --git a/etc/atril.profile b/etc/atril.profile
index a9199f512..0abad494a 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -18,6 +18,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 67b625f2b..5b38d84e8 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -21,6 +21,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/aweather.profile b/etc/aweather.profile
index 73bf1cc5a..9d8e336cd 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 9caef7508..2fe6d1927 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 9b205456a..2162151a1 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -29,6 +29,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index 40c7a5c83..345dd119a 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/bless.profile b/etc/bless.profile
index 436c06a15..c9ccfc02e 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -28,6 +28,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/brasero.profile b/etc/brasero.profile
index ac9ea8a7c..d013e0b8e 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -20,9 +20,9 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
 
diff --git a/etc/catfish.profile b/etc/catfish.profile
index e0039a042..0deaca1b5 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 258be50d6..0ac71ca3c 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -20,6 +20,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 seccomp
 protocol unix,inet,inet6,netlink
 tracelog
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 0f585e43e..ccacc632d 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 # Clementine makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
diff --git a/etc/clipit.profile b/etc/clipit.profile
index cd744a022..b671b253b 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -15,6 +15,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 8d50dedda..486df1d99 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -20,6 +20,7 @@ no3d
 nogroups
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/deluge.profile b/etc/deluge.profile
index db2d339c7..4e7d90e53 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -24,6 +24,7 @@ netfilter
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 
diff --git a/etc/dia.profile b/etc/dia.profile
index fc564b96d..4e009afd7 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -14,6 +14,7 @@ caps.drop all
 netfilter
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 
diff --git a/etc/dino.profile b/etc/dino.profile
index a979cad7c..6d63e894e 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -26,6 +26,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/dragon.profile b/etc/dragon.profile
index 661f663c3..d099f1d9d 100644
--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -18,6 +18,7 @@ netfilter
 nogroups
 nonewprivs
 noroot
+novideo
 shell none
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index e0097a8ea..19076704b 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps
 nonewprivs
 noroot
+novideo
 protocol unix,inet,inet6
 seccomp
 
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 76a7e6b94..597e43fb8 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -14,11 +14,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 
 caps.drop all
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
-no3d
+novideo
 protocol unix,inet,inet6
 seccomp
 netfilter
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index f409a8dd4..081a5f6b0 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -16,6 +16,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 netfilter
diff --git a/etc/eog.profile b/etc/eog.profile
index 447a41a86..1b9926ec9 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -24,6 +24,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/eom.profile b/etc/eom.profile
index d2622ebcf..b5eedd989 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/evince.profile b/etc/evince.profile
index 51ed3fbf3..6719244da 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -22,6 +22,7 @@ nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
-- 
cgit v1.2.3-54-g00ecf


From 19c2c137bf99210f4ba48af57b3c9ac0624debd0 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Thu, 15 Jun 2017 20:53:29 -0400
Subject: curl profile

---
 README.md                 |  5 +++++
 RELNOTES                  |  1 +
 etc/curl.profile          | 35 +++++++++++++++++++++++++++++++++++
 etc/disable-programs.inc  |  2 ++
 etc/wget.profile          |  1 +
 platform/debian/conffiles |  1 +
 6 files changed, 45 insertions(+)
 create mode 100644 etc/curl.profile

diff --git a/README.md b/README.md
index fa5b9199f..bc0ba475a 100644
--- a/README.md
+++ b/README.md
@@ -63,3 +63,8 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 
 `````
 # Current development version: 0.9.49
+
+## New profiles:
+
+curl
+
diff --git a/RELNOTES b/RELNOTES
index 684a0c731..b7a0c49e7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,6 @@
 firejail (0.9.49) baseline; urgency=low
   * work in progress!
+  * new profiles: curl
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
 
diff --git a/etc/curl.profile b/etc/curl.profile
new file mode 100644
index 000000000..58b5f050a
--- /dev/null
+++ b/etc/curl.profile
@@ -0,0 +1,35 @@
+quiet
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/curl.local
+
+# curl profile
+noblacklist ~/.curlrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+blacklist /tmp/.X11-unix
+
+# private-bin curl
+private-dev
+# private-etc resolv.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 41889cc5f..4d77218de 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -170,6 +170,7 @@ blacklist ${HOME}/.config/xviewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dosbox
@@ -339,6 +340,7 @@ blacklist ${HOME}/.vst
 blacklist ${HOME}/.w3m
 blacklist ${HOME}/.warzone2100-3.*
 blacklist ${HOME}/.weechat
+blacklist ${HOME}/.wgetrc
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.xiphos
diff --git a/etc/wget.profile b/etc/wget.profile
index 306ec4417..801e034ea 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/wget.local
 
 # wget profile
+noblacklist ~/.wgetrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 7d36714c1..1fb8c86e7 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -307,3 +307,4 @@
 /etc/firejail/darktable.profile
 /etc/firejail/waterfox.profile
 /etc/firejail/handbrake.profile
+/etc/firejail/curl.profile
-- 
cgit v1.2.3-54-g00ecf


From 5d485d66fc444677917ed11f46b50067dabe9245 Mon Sep 17 00:00:00 2001
From: startx2017 <vradu.startx@yandex.com>
Date: Fri, 16 Jun 2017 08:37:52 -0400
Subject: mplayer and smplayer profiles

---
 README                     |  4 +++-
 etc/disable-programs.inc   |  2 ++
 etc/mplayer.profile        | 31 +++++++++++++++++++++++++++++++
 etc/smplayer.profile       | 32 ++++++++++++++++++++++++++++++++
 src/firecfg/firecfg.config |  2 ++
 5 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 etc/mplayer.profile
 create mode 100644 etc/smplayer.profile

diff --git a/README b/README
index 22f835a10..2c3fbf67b 100644
--- a/README
+++ b/README
@@ -401,9 +401,11 @@ startx2017 (https://github.com/startx2017)
 	- firecfg fix: create ~/.local/share/applications directory if it doesn't exist
 	- firejail.config cleanup
 	- --quiet fixes
-	- 0.9.38-LTS branch maintainer
+	- bugfixes branches maintainer
 	- firemon --top speed-up
 	- Blender and 2048-qt profiles
+	- handbrake profile
+	- mplayer and smplayer profiles
 thewisenerd (https://github.com/thewisenerd)
 	- allow multiple private-home commands
 	- use $SHELL variable if the shell is not specified
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 4d77218de..3b2c150fc 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -140,6 +140,7 @@ blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/synfig
@@ -306,6 +307,7 @@ blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.mozilla
 blacklist ${HOME}/.mpdconf
+blacklist ${HOME}/.mplayer
 blacklist ${HOME}/.msmtprc
 blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.mutt
diff --git a/etc/mplayer.profile b/etc/mplayer.profile
new file mode 100644
index 000000000..879223e1a
--- /dev/null
+++ b/etc/mplayer.profile
@@ -0,0 +1,31 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/mplayer.local
+
+# mplayer profile
+noblacklist ${HOME}/.mplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+# nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+private-bin mplayer
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
new file mode 100644
index 000000000..6a5c115b7
--- /dev/null
+++ b/etc/smplayer.profile
@@ -0,0 +1,32 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/smplayer.local
+
+# smplayer profile
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.mplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+# nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+private-bin smplayer,mplayer
+
+noexec ${HOME}
+noexec /tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 444b304ab..7bac70887 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -153,6 +153,7 @@ mediathekview
 meld
 midori
 mousepad
+mplayer
 mpv
 multimc5
 mumble
@@ -199,6 +200,7 @@ skanlite
 skype
 skypeforlinux
 slack
+smplayer
 soffice
 spectacle
 spotify
-- 
cgit v1.2.3-54-g00ecf


From e339675f6dfde10e5eda380fde4e84c3195d087c Mon Sep 17 00:00:00 2001
From: startx2017 <vradu.startx@yandex.com>
Date: Fri, 16 Jun 2017 08:40:31 -0400
Subject: mplayer and smplayer profiles

---
 README.md                 | 2 +-
 platform/debian/conffiles | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index bc0ba475a..b9b50d788 100644
--- a/README.md
+++ b/README.md
@@ -66,5 +66,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 
 ## New profiles:
 
-curl
+curl, mplayer2, SMPlayer
 
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 1fb8c86e7..ad01c9b2a 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -308,3 +308,5 @@
 /etc/firejail/waterfox.profile
 /etc/firejail/handbrake.profile
 /etc/firejail/curl.profile
+/etc/firejail/mplayer.profile
+/etc/firejail/smplayer.profile
-- 
cgit v1.2.3-54-g00ecf


From e4b03bc316965e6e27bb88d340a5fe0b34669ca1 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Mon, 19 Jun 2017 21:08:52 -0400
Subject: added calibre profile

---
 README.md                  |  2 +-
 etc/calibre.profile        | 35 +++++++++++++++++++++++++++++++++++
 etc/disable-programs.inc   |  2 ++
 etc/ebook-viewer.profile   | 10 ++++++++++
 platform/debian/conffiles  |  2 ++
 src/firecfg/firecfg.config |  2 ++
 src/firejail/x11.c         |  4 ++--
 7 files changed, 54 insertions(+), 3 deletions(-)
 create mode 100644 etc/calibre.profile
 create mode 100644 etc/ebook-viewer.profile

diff --git a/README.md b/README.md
index b9b50d788..aef7e96fa 100644
--- a/README.md
+++ b/README.md
@@ -66,5 +66,5 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 
 ## New profiles:
 
-curl, mplayer2, SMPlayer
+curl, mplayer2, SMPlayer, Calibre, ebook-viewer
 
diff --git a/etc/calibre.profile b/etc/calibre.profile
new file mode 100644
index 000000000..b75e0c276
--- /dev/null
+++ b/etc/calibre.profile
@@ -0,0 +1,35 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/calibre.local
+
+noblacklist ~/.config/calibre
+noblacklist ~/.cache/calibre
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+#private-bin
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 3b2c150fc..7a3ca37ed 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -62,6 +62,7 @@ blacklist ${HOME}/.config/borg
 blacklist ${HOME}/.config/brasero
 blacklist ${HOME}/.config/brave
 blacklist ${HOME}/.config/caja
+blacklist ${HOME}/.config/calibre
 blacklist ${HOME}/.config/catfish
 blacklist ${HOME}/.config/cherrytree
 blacklist ${HOME}/.config/chromium
@@ -361,6 +362,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/calibre
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/qupzilla
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile
new file mode 100644
index 000000000..ba28e3550
--- /dev/null
+++ b/etc/ebook-viewer.profile
@@ -0,0 +1,10 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ebook-viewer.local
+
+# Firejail profile for ebook-viewer (Calibre)
+include /etc/firejail/calibre.profile
+net none
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index ad01c9b2a..05b5a819f 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -310,3 +310,5 @@
 /etc/firejail/curl.profile
 /etc/firejail/mplayer.profile
 /etc/firejail/smplayer.profile
+/etc/firejail/ebook-viewer.profile
+/etc/firejail/calibre.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 7bac70887..1ac8234ab 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -23,6 +23,7 @@ bless
 blender
 brasero
 brave
+calibre
 catfish
 cherrytree
 chromium
@@ -50,6 +51,7 @@ dolphin
 dosbox
 dragon
 dropbox
+ebook-viewer
 elinks
 empathy
 eog
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 5ce156603..79ebc3b1b 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -639,7 +639,7 @@ void x11_start_xpra(int argc, char **argv) {
 
 	// build the start command
 	char *server_argv[256] = {		  // rest initialyzed to NULL
-		 "xpra", "start", display_str, "--no-daemon",
+		 "xpra", "start", display_str, "--no-daemon", "--use-display",
 	};
 	unsigned pos = 0;
 	while (server_argv[pos] != NULL) pos++;
@@ -736,7 +736,7 @@ void x11_start_xpra(int argc, char **argv) {
 	}
 
 	// add a small delay, on some systems it takes some time for the server to start
-	sleep(1);
+	sleep(5);
 
 	// check X11 socket
 	char *fname;
-- 
cgit v1.2.3-54-g00ecf


From 1ecfc64057acacd60f19e252c0c69c2870d76820 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Mon, 19 Jun 2017 21:24:51 -0400
Subject: handbrake fixes

---
 etc/ghb.profile            | 9 +++++++++
 etc/handbrake-gtk.profile  | 9 +++++++++
 platform/debian/conffiles  | 2 ++
 src/firecfg/firecfg.config | 2 ++
 4 files changed, 22 insertions(+)
 create mode 100644 etc/ghb.profile
 create mode 100644 etc/handbrake-gtk.profile

diff --git a/etc/ghb.profile b/etc/ghb.profile
new file mode 100644
index 000000000..2068c3136
--- /dev/null
+++ b/etc/ghb.profile
@@ -0,0 +1,9 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ghb.local
+
+# HandBrake
+include /etc/firejail/handbrake.profile
diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile
new file mode 100644
index 000000000..a162352de
--- /dev/null
+++ b/etc/handbrake-gtk.profile
@@ -0,0 +1,9 @@
+# Persistent global definitions go here
+include /etc/firejail/globals.local
+
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/handbrake-gtk.local
+
+# HandBrake
+include /etc/firejail/handbrake.profile
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 05b5a819f..f35168735 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -312,3 +312,5 @@
 /etc/firejail/smplayer.profile
 /etc/firejail/ebook-viewer.profile
 /etc/firejail/calibre.profile
+/etc/firejail/handbrake-gtk.profile
+/etc/firejail/ghb.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 1ac8234ab..c68db372b 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -74,6 +74,7 @@ galculator
 geany
 gedit
 geeqie
+ghb
 gimp
 gitter
 gjs
@@ -102,6 +103,7 @@ gthumb
 gucharmap
 gwenview
 handbrake
+handbrake-gtk
 hedgewars
 hexchat
 highlight
-- 
cgit v1.2.3-54-g00ecf


From 8a4d0273c3238fa595117604135788d1b6daaa7c Mon Sep 17 00:00:00 2001
From: Fabian Würfl <fabian.wuerfl@gmx.at>
Date: Wed, 21 Jun 2017 13:55:32 +0200
Subject: Fix typo in usage example command

---
 src/firejail/usage.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 76930e1de..6f8298589 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -220,7 +220,7 @@ void usage(void) {
 	printf("\tstart Mozilla Firefox\n");
 	printf("    $ firejail --debug firefox\n");
 	printf("\tdebug Firefox sandbox\n");
-	printf("    $ firejail --private --sna=8.8.8.8 firefox\n");
+	printf("    $ firejail --private --dns=8.8.8.8 firefox\n");
 	printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n");
 	printf("\tserver setting.\n");
 	printf("    $ firejail --net=eth0 firefox\n");
-- 
cgit v1.2.3-54-g00ecf