Merge branch 'release-0.9.62' of https://github.com/netblue30/firejail into release-0.9.62

45 files changed, 111 insertions, 62 deletions

diff --git a/etc/allow-common-devel.inc b/etc/allow-common-devel.inc
index 1d794462c..63174eda6 100644
--- a/etc/allow-common-devel.inc
+++ b/etc/allow-common-devel.inc
@@ -1,17 +1,21 @@
-# Rust
-noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.cargo/registry
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-common-devel.local
 
 # Git
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 
+# Java
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.java
+
 # Python
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
-# Java
-noblacklist ${HOME}/.gradle
-noblacklist ${HOME}/.java
+# Rust
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
diff --git a/etc/allow-java.inc b/etc/allow-java.inc
index 5204d2dea..24d18fb77 100644
--- a/etc/allow-java.inc
+++ b/etc/allow-java.inc
@@ -1,6 +1,9 @@
-noblacklist ${HOME}/.java
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-java.local
 
+noblacklist ${HOME}/.java
 noblacklist ${PATH}/java
-noblacklist /usr/lib/java
 noblacklist /etc/java
+noblacklist /usr/lib/java
 noblacklist /usr/share/java
diff --git a/etc/allow-lua.inc b/etc/allow-lua.inc
index 51d76f9b1..fbdee22ee 100644
--- a/etc/allow-lua.inc
+++ b/etc/allow-lua.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-lua.local
+
 noblacklist ${PATH}/lua*
 noblacklist /usr/include/lua*
 noblacklist /usr/lib/lua
diff --git a/etc/allow-perl.inc b/etc/allow-perl.inc
index d37328936..f44e1e3cc 100644
--- a/etc/allow-perl.inc
+++ b/etc/allow-perl.inc
@@ -1,5 +1,9 @@
-noblacklist ${PATH}/cpan*
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-perl.local
+
 noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist ${PATH}/site_perl
 noblacklist ${PATH}/vendor_perl
diff --git a/etc/allow-php.inc b/etc/allow-php.inc
new file mode 100644
index 000000000..a0950dc26
--- /dev/null
+++ b/etc/allow-php.inc
@@ -0,0 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-php.local
+
+noblacklist ${PATH}/php*
+noblacklist /usr/lib/php*
+noblacklist /usr/share/php*
diff --git a/etc/allow-python2.inc b/etc/allow-python2.inc
index 8ea61648b..b0525e2e1 100644
--- a/etc/allow-python2.inc
+++ b/etc/allow-python2.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-python2.local
+
 noblacklist ${PATH}/python2*
 noblacklist /usr/include/python2*
 noblacklist /usr/lib/python2*
diff --git a/etc/allow-python3.inc b/etc/allow-python3.inc
index 91c7ffca4..c5660a97d 100644
--- a/etc/allow-python3.inc
+++ b/etc/allow-python3.inc
@@ -1,3 +1,7 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-python3.local
+
 noblacklist ${PATH}/python3*
 noblacklist /usr/include/python3*
 noblacklist /usr/lib/python3*
diff --git a/etc/allow-ruby.inc b/etc/allow-ruby.inc
new file mode 100644
index 000000000..a8c701219
--- /dev/null
+++ b/etc/allow-ruby.inc
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-ruby.local
+
+noblacklist ${PATH}/ruby
+noblacklist /usr/lib/ruby
diff --git a/etc/anki.profile b/etc/anki.profile
index c349376ff..a0a79ef48 100644
--- a/etc/anki.profile
+++ b/etc/anki.profile
@@ -42,7 +42,8 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 tracelog
 
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
index 72e577d56..c478bbae9 100644
--- a/etc/aria2c.profile
+++ b/etc/aria2c.profile
@@ -7,6 +7,8 @@ include aria2c.local
 include globals.local
 
 noblacklist ${HOME}/.aria2
+noblacklist ${HOME}/.config/aria2
+noblacklist ${HOME}/.netrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -35,6 +37,7 @@ seccomp
 shell none
 
 # disable-mnt
+# Add your custom event hook commands to 'private-bin' in your aria2c.local
 private-bin aria2c,gzip
 # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
 #private-cache
diff --git a/etc/artha.profile b/etc/artha.profile
index f1d30a415..e7278fe10 100644
--- a/etc/artha.profile
+++ b/etc/artha.profile
@@ -16,7 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-mkdir ${HOME}/.config/artha.conf
+mkfile ${HOME}/.config/artha.conf
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/artha.conf
 whitelist ${HOME}/.config/enchant
diff --git a/etc/baobab.profile b/etc/baobab.profile
index c419aa202..e8287b448 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -6,7 +6,7 @@ include baobab.local
 # Persistent global definitions
 include globals.local
 
-include disable-common.inc
+# include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
-nodbus
+#nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/beaker.profile b/etc/beaker.profile
index 21eeac4b3..cc1886a49 100644
--- a/etc/beaker.profile
+++ b/etc/beaker.profile
@@ -13,7 +13,6 @@ include disable-interpreters.inc
 
 mkdir ${HOME}/.config/Beaker Browser
 whitelist ${HOME}/.config/Beaker Browser
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
 # Redirect
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index d06eb7a65..ab68c7f13 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index 7b88e417a..c54fb0e19 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -37,7 +37,7 @@ notv
 shell none
 
 disable-mnt
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-tmp - problems with multiple browser sessions
 
 # the file dialog needs to work without d-bus
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index 33c0a3369..1790b0b17 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -16,7 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/doc
+whitelist /usr/share/doc/claws-mail
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-usr-share-common.inc
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 7e12a06de..fa1e5d722 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 1b80981f7..e66434444 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -32,7 +32,8 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index a489a8fbb..207ee32e5 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -119,6 +119,7 @@ blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
+blacklist ${HOME}/.config/aria2
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/asunder
diff --git a/etc/ephemeral.profile b/etc/ephemeral.profile
index fa7746da5..c688c2324 100644
--- a/etc/ephemeral.profile
+++ b/etc/ephemeral.profile
@@ -55,7 +55,7 @@ tracelog
 
 disable-mnt
 private-cache
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
diff --git a/etc/evince.profile b/etc/evince.profile
index ba68e45b4..143a347e6 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
-private-etc alternatives,fonts,group,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index e455d32c7..e9c7d290a 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/perl5
+whitelist /usr/share/perl-image-exiftool
 include whitelist-usr-share-common.inc
 
 apparmor
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 67c0ed311..b392087e8 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,hosts,pkcs11,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
 private-tmp
 
 # memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 7777d07ce..323070289 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -52,7 +52,7 @@ shell none
 #tracelog
 
 disable-mnt
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
diff --git a/etc/freecad.profile b/etc/freecad.profile
index 079c85fb1..6f0f52a55 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -9,6 +9,10 @@ include globals.local
 noblacklist ${HOME}/.config/FreeCAD
 noblacklist ${DOCUMENTS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -33,7 +37,7 @@ protocol unix
 seccomp
 shell none
 
-private-bin freecad,freecadcmd
+private-bin freecad,freecadcmd,python*
 private-cache
 private-dev
 private-tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 6d575e850..7dd6f270e 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -42,6 +42,6 @@ tracelog
 
 # private-bin gedit
 private-dev
-private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-3.0.so.*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
+private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index d032c93e6..835205f03 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -26,14 +26,12 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-machine-id
 netfilter
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-nosound
 notv
 nou2f
 novideo
diff --git a/etc/i2prouter.profile b/etc/i2prouter.profile
index e46fb3317..d9e7f1c8f 100644
--- a/etc/i2prouter.profile
+++ b/etc/i2prouter.profile
@@ -6,19 +6,19 @@ include i2prouter.local
 # Persistent global definitions
 include globals.local
 
-# Notice: default browser will not be able to automatically open, due to sandbox.
+# Notice: default browser will most likely not be able to automatically open, due to sandbox.
 # Auto-opening default browser can be disabled in the I2P router console.
-# This profile will not currently work with any Arch User Repository i2p packages,
-# use the distro-independent official java installer instead
+# This profile will not currently work with any Arch User Repository I2P packages,
+# use the distro-independent official I2P java installer instead
 
-# Only needed if i2prouter binary is in home directory, java installer does this
+# Only needed if i2prouter binary is in home directory, official I2P java installer does this
 ignore noexec ${HOME}
 
 noblacklist ${HOME}/.config/i2p
 noblacklist ${HOME}/.i2p
 noblacklist ${HOME}/.local/share/i2p
 noblacklist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
 noblacklist /usr/sbin
 
 # Allow java (blacklisted by disable-devel.inc)
@@ -40,13 +40,13 @@ whitelist ${HOME}/.config/i2p
 whitelist ${HOME}/.i2p
 whitelist ${HOME}/.local/share/i2p
 whitelist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
 whitelist /usr/sbin/wrapper*
 
 include whitelist-common.inc
 
-# May break I2P if wrapper is placed in the home directory
-# If using ubuntu official ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+# May break I2P if wrapper is placed in the home directory; official I2P java installer does this
+# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
 #apparmor
 caps.drop all
 ipc-namespace
@@ -67,5 +67,5 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,i2p,java-8-openjdk,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-8-openjdk,java-9-openjdk,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/keepass.profile b/etc/keepass.profile
index 57a24d821..9852f8a79 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
diff --git a/etc/mpv.profile b/etc/mpv.profile
index 6e587fc6a..56cd66199 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -27,6 +27,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 673c9fd0b..99945bdc9 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -32,14 +32,13 @@ nou2f
 novideo
 protocol unix
 seccomp
-# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
 shell none
 tracelog
 
 # private-bin mupdf,rm,sh,tempfile
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 read-only ${HOME}
diff --git a/etc/musescore.profile b/etc/musescore.profile
index 9750a31f4..b3693c956 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -33,7 +33,8 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 tracelog
 
diff --git a/etc/neverputt.profile b/etc/neverputt.profile
index 93fb14e07..d370d1218 100644
--- a/etc/neverputt.profile
+++ b/etc/neverputt.profile
@@ -5,5 +5,7 @@ include neverputt.local
 # added by included profile
 #include globals.local
 
+private-bin neverputt
+
 # Redirect
 include neverball.profile
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 5bbe1386f..0ae9f08af 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -16,11 +16,12 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.config/pavucontrol.ini
-whitelist ${HOME}/.config/pavucontrol.ini
+# whitelisting in ${HOME} is broken, see #3112
+#mkfile ${HOME}/.config/pavucontrol.ini
+#whitelist ${HOME}/.config/pavucontrol.ini
 whitelist /usr/share/pavucontrol
 whitelist /usr/share/pavucontrol-qt
-include whitelist-common.inc
+#include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -39,6 +40,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin pavucontrol
@@ -48,4 +50,5 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+# mdwe is broken under Wayland, but works under Xorg.
+#memory-deny-write-execute
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index 087f90966..16fffe517 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -36,10 +36,10 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 
 disable-mnt
 private-dev
 private-tmp
-
diff --git a/etc/quassel.profile b/etc/quassel.profile
index a78d1edcd..c65089e20 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -19,7 +19,8 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 
 private-cache
 private-tmp
diff --git a/etc/standardnotes-desktop.profile b/etc/standardnotes-desktop.profile
index aa6902854..a402aca5a 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -39,5 +39,5 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
 
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index a8b5d109e..f9daf8f09 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -36,5 +36,5 @@ shell none
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index dcf6dd201..7bfc3cf0d 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -87,6 +87,9 @@ include globals.local
 # Allow lua (blacklisted by disable-interpreters.inc)
 #include allow-lua.inc
 
+# Allow ruby (blacklisted by disable-interpreters.inc)
+#include allow-ruby.inc
+
 # Allows files commonly used by IDEs
 #include allow-common-devel.inc
 
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 1183cd2f7..b40a18fa3 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -50,5 +50,5 @@ shell none
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/udiskie.profile b/etc/udiskie.profile
index f6e85d60e..265f6429d 100644
--- a/etc/udiskie.profile
+++ b/etc/udiskie.profile
@@ -31,7 +31,7 @@ notv
 nou2f
 novideo
 protocol unix
-seccomp
+seccomp !request_key
 shell none
 tracelog
 
diff --git a/etc/wget.profile b/etc/wget.profile
index 4bf354652..9c2cddb67 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -35,6 +35,6 @@ shell none
 
 # private-bin wget
 private-dev
-# private-etc alternatives,ca-certificates,crypto-policie,pki,resolv.conf,ssl
+# private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 # private-tmp
 
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index 490255fa6..a56ecef1b 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -18,16 +18,12 @@ whitelist ${HOME}/.config/Wire
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 
 # Note: The current version of Wire is located in /opt/wire-desktop/wire-desktop, and therefore
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 74c07d96b..5fa72c9dc 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -56,7 +56,7 @@ tracelog
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 97148c6b6..e3d7a35a1 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -295,7 +295,6 @@ hedgewars
 hexchat
 highlight
 hugin
-i2prouter
 icecat
 icedove
 iceweasel