• support for AppArmor
• fix for CVE-2019-16884, make sure writes to /proc for the SELinux and AppArmor labels are on procfs
• exec supports --preserve-fds
• seccomp: fix lookup for pseudo syscalls, seccomp now works fine on non native archs
• cgroup: ignore rootless errors if manager != systemd
• error: always write errors to stderr
• chroot: follow symlinks for the last component
• set $HOME if it is not already defined