Merge branch 'master' of ssh://github.com/netblue30/firejail

38 files changed, 156 insertions, 82 deletions

diff --git a/etc/firejail.config b/etc/firejail.config
index e8bf45751..c3c355e3d 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -163,12 +163,12 @@
 # Xpra server command extra parameters. None by default; this is an example.
 # xpra-extra-params --dpi 96
 
-# Screen size for --x11=xvfb, default 800x600x24.  The third dimension is
+# Screen size for --x11=xvfb, default 800x600x24. The third dimension is
 # color depth; use 24 unless you know exactly what you're doing.
 # xvfb-screen 640x480x24
 # xvfb-screen 800x600x24
 # xvfb-screen 1024x768x24
 # xvfb-screen 1280x1024x24
 
-# Xvfb command extra parameters.  None by default; this is an example.
+# Xvfb command extra parameters. None by default; this is an example.
 # xvfb-extra-params -pixdepths 8 24 32
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 4e3590fed..e4497f832 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -44,8 +44,7 @@ blacklist /usr/share/perl*
 # it is needed so that Firefox can run applications with Terminal=true in
 # their .desktop file (depending on what is installed). The reason is that
 # this is done via glib, which currently uses a hardcoded list of terminal
-# emulators:
-#   https://gitlab.gnome.org/GNOME/glib/-/issues/338
+# emulators: https://gitlab.gnome.org/GNOME/glib/-/issues/338.
 # And in this list, rxvt comes before xterm.
 blacklist ${PATH}/rxvt
 
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 29d5a8700..b0d1b7a66 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -547,6 +547,7 @@ blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mirage
 blacklist ${HOME}/.config/monero-project
 blacklist ${HOME}/.config/mono
+blacklist ${HOME}/.config/mov-cli
 blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
@@ -623,6 +624,7 @@ blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/smuxi
+blacklist ${HOME}/.config/sniffnet
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
diff --git a/etc/profile-a-l/1password.profile b/etc/profile-a-l/1password.profile
index 690086099..63a04330b 100644
--- a/etc/profile-a-l/1password.profile
+++ b/etc/profile-a-l/1password.profile
@@ -13,7 +13,7 @@ whitelist ${HOME}/.config/1Password
 
 private-etc @tls-ca
 
-# Needed for keychain things, talking to Firefox, possibly other things?  Not sure how to narrow down
+# Needed for keychain things, talking to Firefox, possibly other things?
 ignore dbus-user none
 
 # Redirect
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 2e6e8f1af..8b70756ba 100644
--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/mozilla/abrowser
 mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/abrowser
 whitelist ${HOME}/.mozilla
+whitelist /usr/share/abrowser
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc abrowser
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index b31f3f1b2..6abd87c92 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -14,6 +14,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -26,6 +27,7 @@ netfilter
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
@@ -39,8 +41,13 @@ private-cache
 private-dev
 private-tmp
 
-# dbus needed for MPRIS
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.atheme.audacious
+dbus-user.own org.mpris.MediaPlayer2.audacious
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index a962bfe02..7d2fe143c 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
+whitelist /usr/share/basilisk
 
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 071a279b0..b3994c974 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -9,8 +9,8 @@ include globals.local
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
 # TOR is installed in ${HOME}.
-# NOTE: chromium-common.profile enables apparmor. To keep that intact
-# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
+# Note: chromium-common.profile enables apparmor. To keep that intact,
+# uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
 # Causes slow starts (#4604)
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile
index 7a14d9464..05e1a69f1 100644
--- a/etc/profile-a-l/cachy-browser.profile
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -13,26 +13,21 @@ mkdir ${HOME}/.cache/cachy
 mkdir ${HOME}/.cachy
 whitelist ${HOME}/.cache/cachy
 whitelist ${HOME}/.cachy
+whitelist /usr/share/cachy-browser
 
 # Add the next lines to your cachy-browser.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
 #whitelist ${HOME}/.mozilla
 
 # To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
-# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them.
+# Note: Start KeePassXC before CachyBrowser and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
-whitelist /usr/share/doc
-whitelist /usr/share/gtk-doc/html
-whitelist /usr/share/mozilla
-whitelist /usr/share/webext
-include whitelist-usr-share-common.inc
-
 # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,cachy-browser,sh
 # Add the next line to your cachy-browser.local to enable private-etc.
-# NOTE: private-etc must first be enabled in firefox-common.local.
+# Note: private-etc must first be enabled in firefox-common.local.
 #private-etc cachy-browser
 
 dbus-user filter
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile
index d0b8cc0ef..d0bf9797e 100644
--- a/etc/profile-a-l/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
@@ -15,6 +15,7 @@ mkdir ${HOME}/.config/cliqz
 whitelist ${HOME}/.cache/cliqz
 whitelist ${HOME}/.cliqz
 whitelist ${HOME}/.config/cliqz
+whitelist /usr/share/cliqz
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cliqz
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index d1fff0004..a303c5979 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -12,6 +12,8 @@ mkdir ${HOME}/.8pecxstudios
 mkdir ${HOME}/.cache/8pecxstudios
 whitelist ${HOME}/.8pecxstudios
 whitelist ${HOME}/.cache/8pecxstudios
+whitelist /usr/share/8pecxstudios
+whitelist /usr/share/cyberfox
 
 # private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
index c39c0d843..265bf5615 100644
--- a/etc/profile-a-l/discord-ptb.profile
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -1,17 +1,17 @@
-# Firejail profile for discord-ptb   
+# Firejail profile for discord-ptb
 # This file is overwritten after every install/update
 # Persistent local customizations
-include discord-ptb.local   
+include discord-ptb.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/discordptb   
+noblacklist ${HOME}/.config/discordptb
 
-mkdir ${HOME}/.config/discordptb   
-whitelist ${HOME}/.config/discordptb   
+mkdir ${HOME}/.config/discordptb
+whitelist ${HOME}/.config/discordptb
 
-private-bin discord-ptb,DiscordPTB   
-private-opt discord-ptb,DiscordPTB   
+private-bin discord-ptb,DiscordPTB
+private-opt discord-ptb,DiscordPTB
 
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile
index 77487161e..3177fb989 100644
--- a/etc/profile-a-l/firedragon.profile
+++ b/etc/profile-a-l/firedragon.profile
@@ -13,6 +13,7 @@ mkdir ${HOME}/.cache/firedragon
 mkdir ${HOME}/.firedragon
 whitelist ${HOME}/.cache/firedragon
 whitelist ${HOME}/.firedragon
+whitelist /usr/share/firedragon
 
 # Add the next lines to your firedragon.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index 6dc1fca8a..f12750fda 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -74,7 +74,6 @@ whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
-whitelist /usr/share/vulkan
 
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python
 noblacklist ${HOME}/.local/share/gnome-shell
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 42d12c5d9..9c8601e7b 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -29,9 +29,14 @@ mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.pki
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
 include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 1fcbf0562..659519ca8 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -6,7 +6,7 @@ include firefox.local
 # Persistent global definitions
 include globals.local
 
-# NOTE: sandboxing web browsers is as important as it is complex. Users might be
+# Note: Sandboxing web browsers is as important as it is complex. Users might be
 # interested in creating custom profiles depending on use case (e.g. one for
 # general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
 # info. Here are a few links to get you going.
@@ -30,19 +30,14 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
 # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
-# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
+# Note: Start KeePassXC before Firefox and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
-whitelist /usr/share/doc
 whitelist /usr/share/firefox
 whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
-whitelist /usr/share/gtk-doc/html
-whitelist /usr/share/mozilla
-whitelist /usr/share/webext
 whitelist ${RUNUSER}/*firefox*
 whitelist ${RUNUSER}/psd/*firefox*
-include whitelist-usr-share-common.inc
 
 # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 70a302138..ddfe57879 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -53,7 +53,7 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gnome.evolution.dataserver.*
 #dbus-user.talk org.gnome.OnlineAccounts
 #dbus-user.talk org.gnome.ControlCenter
-# NOTE: dbus-system none fails, filter without rules works.
+# Note: dbus-system none fails, filter without rules works.
 dbus-system filter
 #dbus-system.talk org.freedesktop.timedate1
 #dbus-system.talk org.freedesktop.login1
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
index 660343a29..b0a42fb77 100644
--- a/etc/profile-a-l/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/mozilla/icecat
 mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/icecat
 whitelist ${HOME}/.mozilla
+whitelist /usr/share/icecat
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc icecat
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index 27feccf40..a0244ef47 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -6,9 +6,9 @@ include krunner.local
 # Persistent global definitions
 include globals.local
 
-# - programs started in krunner run with this generic profile
-# - when a file is opened in krunner, the file viewer runs in its own sandbox
-#   with its own profile, if it is sandboxed automatically
+# Programs started in krunner run with this generic profile.
+# When a file is opened in krunner, the file viewer runs in its own sandbox
+# with its own profile, if it is sandboxed automatically.
 
 # noblacklist ${HOME}/.cache/krunner
 # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 5cf30ed40..82336969d 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -6,11 +6,10 @@ include kube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/kube
 noblacklist ${HOME}/.config/kube
 noblacklist ${HOME}/.config/sink
+noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/kube
 noblacklist ${HOME}/.local/share/sink
 
@@ -22,23 +21,28 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.gnupg
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.cache/kube
 mkdir ${HOME}/.config/kube
 mkdir ${HOME}/.config/sink
+mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.local/share/kube
 mkdir ${HOME}/.local/share/sink
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.cache/kube
 whitelist ${HOME}/.config/kube
 whitelist ${HOME}/.config/sink
+whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.local/share/kube
 whitelist ${HOME}/.local/share/sink
 whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/kube
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
+whitelist /usr/share/kube
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -63,7 +67,6 @@ tracelog
 
 # disable-mnt
 # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin kube,sink_synchronizer
 private-cache
 private-dev
@@ -75,6 +78,8 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index b84cbb119..65a4a3787 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -19,21 +19,16 @@ whitelist ${HOME}/.librewolf
 #whitelist ${HOME}/.mozilla
 
 # To enable KeePassXC Plugin add one of the following lines to your librewolf.local.
-# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them.
+# Note: Start KeePassXC before Librewolf and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
-whitelist /usr/share/doc
-whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/librewolf
-whitelist /usr/share/mozilla
-whitelist /usr/share/webext
-include whitelist-usr-share-common.inc
 
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,librewolf,sh
 # Add the next line to your librewolf.local to enable private-etc.
-# NOTE: private-etc must first be enabled in firefox-common.local.
+# Note: private-etc must first be enabled in firefox-common.local.
 #private-etc librewolf
 
 dbus-user filter
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index 15474c96e..7b0135695 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -6,8 +6,9 @@ include minetest.local
 # Persistent global definitions
 include globals.local
 
-# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
-#   screenshot_path = /home/<USER>/.minetest/screenshots
+# In order to save in-game screenshots to a persistent location,
+# edit ~/.minetest/minetest.conf:
+# screenshot_path = /home/<USER>/.minetest/screenshots
 
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
index c5f764912..8007b887a 100644
--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -8,9 +8,13 @@ include mov-cli.local
 # added by included profile
 #include globals.local
 
+noblacklist ${HOME}/.config/mov-cli
+
 include disable-proc.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/mov-cli
+whitelist ${HOME}/.config/mov-cli
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index bd01d4082..fd35483be 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -9,7 +9,7 @@ include globals.local
 
 # In order to save screenshots to a persistent location,
 # edit ~/.config/mpv/foobar.conf:
-#    screenshot-directory=~/Pictures
+# screenshot-directory=~/Pictures
 
 # mpv has a powerful Lua API and some of the Lua scripts interact with
 # external resources which are blocked by firejail. In such cases you need to
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index f3b0c8a49..4c463521c 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
index db4113f94..7d0e01d98 100644
--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -1,17 +1,16 @@
 # This is the weakest possible firejail profile.
-# If a program still fail with this profile, it is incompatible with firejail.
+# If a program still fails with this profile, it is incompatible with firejail.
 # (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
 #
 # Usage:
-#   1. download
-#   2. firejail --profile=noprofile.profile /path/to/program
+# $ firejail --profile=noprofile.profile /path/to/program
 
 # Keep in mind that even with this profile some things are done
-# which can break the program.
-# - some env-vars are cleared
-# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
-# - a new private pid-namespace is created
-# - a minimal hardcoded blacklist is applied
+# which can break the program:
+# - some env-vars are cleared;
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes';
+# - a new private pid-namespace is created;
+# - a minimal hardcoded blacklist is applied;
 # - ...
 
 noblacklist /sys/fs
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index 24701b657..ab4e24595 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -12,6 +12,8 @@ mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
+whitelist /usr/share/moonchild productions
+whitelist /usr/share/palemoon
 
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 3ff033e0b..e274b6443 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -23,8 +23,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
+# Debian keeps games data under /usr/share/games
+whitelist /usr/share/games/pingus
 whitelist /usr/share/pingus
-whitelist /usr/share/games/pingus      # Debian keeps games data under /usr/share/games
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
index 87aa69bcb..b1acf8b2e 100644
--- a/etc/profile-m-z/rtin.profile
+++ b/etc/profile-m-z/rtin.profile
@@ -1,6 +1,6 @@
 # Firejail profile for rtin
 # Description: ncurses-based Usenet newsreader
-#              symlink to tin, same as `tin -r`
+# symlink to tin, same as `tin -r`
 # This file is overwritten after every install/update
 # Persistent local customizations
 include rtin.local
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 3e1899ef3..8cb4e4173 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -11,7 +11,9 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Signal
 
-# These lines are needed to allow Firefox to open links
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 
@@ -21,11 +23,9 @@ whitelist ${HOME}/.config/Signal
 private-etc @tls-ca
 
 dbus-user filter
-
 # allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
-
-# allow D-Bus communication with Firefox browsers for opening links
+# allow D-Bus communication with firefox for opening links
 dbus-user.talk org.mozilla.*
 
 ignore dbus-user none
diff --git a/etc/profile-m-z/sniffnet.profile b/etc/profile-m-z/sniffnet.profile
new file mode 100644
index 000000000..eb18c1f01
--- /dev/null
+++ b/etc/profile-m-z/sniffnet.profile
@@ -0,0 +1,49 @@
+# Firejail profile for sniffnet
+# Description: Network traffic monitor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sniffnet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sniffnet
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+#caps.drop all
+caps.keep net_admin,net_raw
+netfilter
+nodvd
+nogroups
+noinput
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+notv
+nou2f
+novideo
+#seccomp
+tracelog
+
+disable-mnt
+#private-bin sniffnet
+# private-dev prevents (some) interfaces from being shown.
+private-etc @network,@tls-ca
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#restrict-namespaces
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index f07b10319..c893a92fb 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -16,6 +16,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/spotify
@@ -34,6 +35,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
@@ -50,8 +52,11 @@ private-opt spotify
 private-srv none
 private-tmp
 
-# dbus needed for MPRIS
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.spotify
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 63d629a32..99317c9dc 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -133,9 +133,9 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-# NOTE: The following were intentionally left out as they are alternative
+# Note: The following were intentionally left out as they are alternative
 # (i.e.: unnecessary and/or legacy) paths whose existence may potentially
-# clobber other paths (see #4225).  If you use any, either add the entry to
+# clobber other paths (see #4225). If you use any, either add the entry to
 # steam.local or move the contents to a path listed above (or open an issue if
 # it's missing above).
 #mkdir ${HOME}/.config/RogueLegacyStorageContainer
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 5df207e25..f2405a7d3 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -47,10 +47,7 @@ whitelist ${HOME}/.thunderbird
 
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
-whitelist /usr/share/mozilla
 whitelist /usr/share/thunderbird
-whitelist /usr/share/webext
-include whitelist-usr-share-common.inc
 
 # machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
 #machine-id
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index a03a6caa0..35ff14e88 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -24,8 +24,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.tin
 mkfile ${HOME}/.newsrc
 # Note: files/directories directly in ${HOME} can't be whitelisted, as
-#       tin saves .newsrc by renaming a temporary file, which is not possible for
-#       bind-mounted files.
+# tin saves .newsrc by renaming a temporary file, which is not possible for
+# bind-mounted files.
 #whitelist ${HOME}/.newsrc
 #whitelist ${HOME}/.tin
 #include whitelist-common.inc
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index ba68ccb53..2578eb0be 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -7,7 +7,6 @@ include trojita.local
 include globals.local
 
 noblacklist ${HOME}/.abook
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/flaska.net/trojita
 noblacklist ${HOME}/.config/flaska.net
 
@@ -19,11 +18,16 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.abook
 mkdir ${HOME}/.cache/flaska.net/trojita
 mkdir ${HOME}/.config/flaska.net
 whitelist ${HOME}/.abook
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.cache/flaska.net/trojita
 whitelist ${HOME}/.config/flaska.net
 include whitelist-common.inc
@@ -49,7 +53,6 @@ seccomp
 tracelog
 
 # disable-mnt
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin trojita
 private-cache
 private-dev
@@ -58,6 +61,8 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
index 18f1ca79a..bf6f45e41 100644
--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
 whitelist ${HOME}/.cache/waterfox
 whitelist ${HOME}/.waterfox
+whitelist /usr/share/waterfox
 
 # Add the next lines to your watefox.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 8a8833968..ce69738eb 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -774,6 +774,7 @@ slashem
 smplayer
 smtube
 smuxi-frontend-gnome
+sniffnet
 snox
 soffice
 sol