Merge branch 'master' into clawsmail-clamav

53 files changed, 274 insertions, 106 deletions

diff --git a/etc/profile-a-l/DiscordPTB.profile b/etc/profile-a-l/DiscordPTB.profile
new file mode 100644
index 000000000..4570f0103
--- /dev/null
+++ b/etc/profile-a-l/DiscordPTB.profile
@@ -0,0 +1,10 @@
+# Firejail profile for DiscordPTB
+# This file is overwritten after every install/update
+# Persistent local customizations
+include DiscordPTB.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include discord-ptb.profile
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 7a36302f1..9ebbf1cb0 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -28,7 +28,6 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-hostname agetpkg
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
new file mode 100644
index 000000000..f05653719
--- /dev/null
+++ b/etc/profile-a-l/ani-cli.profile
@@ -0,0 +1,39 @@
+# Firejail profile for ani-cli
+# Description: Shell script to watch Anime from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ani-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ani-cli
+noblacklist ${HOME}/.local/state/ani-cli
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/ani-cli
+mkdir ${HOME}/.local/state/ani-cli
+whitelist ${HOME}/.cache/ani-cli
+whitelist ${HOME}/.local/state/ani-cli
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,sed,sh,sort,tail,tput,tr,uname,wc
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 0655c2e6f..cc9c893de 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -1,5 +1,5 @@
 # Firejail profile for apostrophe
-# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
+# Description: Distraction free Markdown editor for GNU/Linux made with GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include apostrophe.local
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index ef875c5b7..487e0c5f8 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -23,7 +23,6 @@ include disable-shell.inc
 
 apparmor
 caps.drop all
-hostname archiver
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index d8c073c8d..910dd8a91 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces
diff --git a/etc/profile-a-l/blink-common-hardened.inc.profile b/etc/profile-a-l/blink-common-hardened.inc.profile
new file mode 100644
index 000000000..c092a9746
--- /dev/null
+++ b/etc/profile-a-l/blink-common-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include blink-common-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+#restrict-namespaces
diff --git a/etc/profile-a-l/blink-common.profile b/etc/profile-a-l/blink-common.profile
new file mode 100644
index 000000000..ff17dc479
--- /dev/null
+++ b/etc/profile-a-l/blink-common.profile
@@ -0,0 +1,40 @@
+# Firejail profile for blink-common
+# Description: Common profile for Blink-based applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blink-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+#include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your blink-common.local.
+#include blink-common-hardened.inc.profile
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+noinput
+notv
+
+disable-mnt
+private-cache
+
+dbus-system none
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
index d24f76262..e65f76a60 100644
--- a/etc/profile-a-l/bluefish.profile
+++ b/etc/profile-a-l/bluefish.profile
@@ -1,5 +1,5 @@
 # Firejail profile for bluefish
-# Description: Advanced Gtk+ text editor for web and software development
+# Description: Advanced GTK text editor for web and software development
 # This file is overwritten after every install/update
 # Persistent local customizations
 include bluefish.local
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 7b0f7bdf0..9f83b8232 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -1,5 +1,5 @@
 # Firejail profile for celluloid
-# Description: Simple GTK+ frontend for mpv
+# Description: Simple GTK frontend for mpv
 # This file is overwritten after every install/update
 # Persistent local customizations
 include celluloid.local
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile
index 72f79681d..f21a34f36 100644
--- a/etc/profile-a-l/chafa.profile
+++ b/etc/profile-a-l/chafa.profile
@@ -39,6 +39,7 @@ nosound
 notv
 nou2f
 novideo
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 tracelog
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index c3944bd65..0e0416de1 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -1,11 +1,10 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile alias for blink-common-hardened.inc
+# This file is overwritten after every install/update
+# Persistent local customizations
 include chromium-common-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
 
-caps.drop all
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-
-#restrict-namespaces
+# Redirect
+include blink-common-hardened.inc.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index f1f2f5f68..878e0fe1d 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -17,42 +17,21 @@ noblacklist /usr/lib/chromium/chrome-sandbox
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
 #include allow-python3.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.local/share/pki
 mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.pki
 whitelist /usr/share/mozilla/extensions
 whitelist /usr/share/webext
-include whitelist-common.inc
 include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your chromium-common.local.
 #include chromium-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 ?BROWSER_DISABLE_U2F: nou2f
 
-disable-mnt
-private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
@@ -61,7 +40,9 @@ blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
 
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
-dbus-system none
 
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
+
+# Redirect
+include blink-common.profile
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index e0f1bca94..7fefc68b1 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -1,5 +1,5 @@
 # Firejail profile for claws-mail
-# Description: Fast, lightweight and user-friendly GTK based email client
+# Description: Fast, lightweight and user-friendly GTK-based email client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include claws-mail.local
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index 504bce0b1..321d59783 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -1,5 +1,5 @@
 # Firejail profile for clipit
-# Description: Lightweight GTK+ clipboard manager
+# Description: Lightweight GTK clipboard manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include clipit.local
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 8b7d2317c..180282869 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -1,5 +1,5 @@
 # Firejail profile for com.github.bleakgrey.tootle
-# Description: Gtk Mastodon client
+# Description: GTK Mastodon client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include com.github.bleakgrey.tootle.local
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
index 1774669f1..09f80d7bb 100644
--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -1,5 +1,5 @@
 # Firejail profile for corebird
-# Description: Native Gtk+ Twitter client for the Linux desktop
+# Description: Native GTK Twitter client for the Linux desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include corebird.local
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index e896f3537..9b05b4416 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -45,5 +45,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-read-only ${HOME}/.config/cower/config
 restrict-namespaces
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index 4eb89503a..71afecd7a 100644
--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -1,5 +1,5 @@
 # Firejail profile for deadbeef
-# Description: A GTK+ audio player for GNU/Linux
+# Description: A GTK audio player for GNU/Linux
 # This file is overwritten after every install/update
 # Persistent local customizations
 include deadbeef.local
diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile
index ae0549d3e..3f4e3a381 100644
--- a/etc/profile-a-l/dino-im.profile
+++ b/etc/profile-a-l/dino-im.profile
@@ -1,5 +1,5 @@
 # Firejail profile for dino-im
-# Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name
+# Description: Modern XMPP Chat Client using GTK/Vala, Ubuntu specific bin name
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino-im.local
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index 1f7134ff2..fe2b59a1e 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -1,5 +1,5 @@
 # Firejail profile for dino
-# Description: Modern XMPP Chat Client using GTK+/Vala
+# Description: Modern XMPP Chat Client using GTK/Vala
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino.local
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
new file mode 100644
index 000000000..c39c0d843
--- /dev/null
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord-ptb   
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-ptb.local   
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discordptb   
+
+mkdir ${HOME}/.config/discordptb   
+whitelist ${HOME}/.config/discordptb   
+
+private-bin discord-ptb,DiscordPTB   
+private-opt discord-ptb,DiscordPTB   
+
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/electron-common.profile b/etc/profile-a-l/electron-common.profile
index 73b6d1067..bb48d6332 100644
--- a/etc/profile-a-l/electron-common.profile
+++ b/etc/profile-a-l/electron-common.profile
@@ -7,40 +7,21 @@ include electron-common.local
 noblacklist ${HOME}/.config/Electron
 noblacklist ${HOME}/.config/electron*-flag*.conf
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Electron
 whitelist ${HOME}/.config/electron*-flag*.conf
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your electron-common.local.
 #include electron-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 nou2f
 novideo
 
-disable-mnt
-private-cache
 private-dev
 private-tmp
 
 dbus-user none
-dbus-system none
+
+# Redirect
+include blink-common.profile
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 9f4fabd68..766fe523b 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 48a826f2e..7b4994a85 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -18,6 +18,7 @@ whitelist /opt/Element
 private-opt Element
 
 dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 
 # Redirect
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index bf5b67255..8eee662ad 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -8,6 +8,7 @@ include email-common.local
 #include globals.local
 
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.bsfilter
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
@@ -20,6 +21,9 @@ noblacklist /var/spool/mail
 
 noblacklist ${DOCUMENTS}
 
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -30,15 +34,18 @@ include disable-xdg.inc
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.config/mimeapps.list
 mkfile ${HOME}/.signature
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.bsfilter
 whitelist ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.signature
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
 whitelist ${HOME}/Mail
 whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/bogofilter
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /var/lib/clamav 
@@ -71,7 +78,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,clamav,gnupg,hosts.conf,mailname,timezone
+private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone
 private-tmp
 # encrypting and signing email
 writable-run-user
@@ -86,6 +93,5 @@ dbus-user.talk org.gnome.seahorse.*
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 1118c3bf0..e1d107dc7 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -10,18 +10,21 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -29,6 +32,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 tracelog
 
 # private-bin engrampa
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 4f39bec55..78e2751b3 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -29,6 +29,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -45,6 +46,10 @@ private-dev
 private-etc @x11
 # private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.ArchiveManager1
+dbus-user.own org.gnome.FileRoller
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index a5fd05bc7..78f1327c5 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -15,7 +15,6 @@ include disable-programs.inc
 
 apparmor
 caps.drop all
-hostname file
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 0e1d30958..42d59157c 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,9 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
+# (Ignore entry from disable-common.inc)
+ignore read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index c8414ad1b..7cef2dbbb 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gajim
-# Description: GTK+-based Jabber client
+# Description: GTK-based Jabber client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gajim.local
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 96ded592d..44d62cc86 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#hostname galculator - breaks Arch Linux
 #ipc-namespace
 net none
 nodvd
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index 9c8200dc4..9643820e7 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -15,4 +15,4 @@ private-bin gallery-dl
 private-etc gallery-dl.conf
 
 # Redirect
-include youtube-dl.profile
+include yt-dlp.profile
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile
index 4eb94edf4..4066a1ebf 100644
--- a/etc/profile-a-l/gdu.profile
+++ b/etc/profile-a-l/gdu.profile
@@ -26,7 +26,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 x11 none
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index a19a20ba7..ba0837780 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 3a929774a..e8d4c013f 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname geekbench
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index 95adc6840..f81a49e4f 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -1,5 +1,5 @@
 # Firejail profile for geeqie
-# Description: Image viewer using GTK+
+# Description: Image viewer using GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include geeqie.local
diff --git a/etc/profile-a-l/gtk-lbry-viewer.profile b/etc/profile-a-l/gtk-lbry-viewer.profile
index e1fb53b16..6d143bbe0 100644
--- a/etc/profile-a-l/gtk-lbry-viewer.profile
+++ b/etc/profile-a-l/gtk-lbry-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-lbry-viewer
-# Description: Gtk front-end to lbry-viewer
+# Description: GTK front-end to lbry-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-lbry-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-lbry-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include lbry-viewer.profile
diff --git a/etc/profile-a-l/gtk-pipe-viewer.profile b/etc/profile-a-l/gtk-pipe-viewer.profile
index 9c212ff6e..059961742 100644
--- a/etc/profile-a-l/gtk-pipe-viewer.profile
+++ b/etc/profile-a-l/gtk-pipe-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-pipe-viewer
-# Description: Gtk front-end to pipe-viewer
+# Description: GTK front-end to pipe-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-pipe-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-pipe-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include pipe-viewer.profile
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
index 978b3d896..5f1933258 100644
--- a/etc/profile-a-l/gtk-straw-viewer.profile
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-straw-viewer
-# Description: Gtk front-end to straw-viewer
+# Description: GTK front-end to straw-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-straw-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-straw-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewer.profile b/etc/profile-a-l/gtk-youtube-viewer.profile
index c814f0fef..2bbd8910e 100644
--- a/etc/profile-a-l/gtk-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-youtube-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewers-common.profile b/etc/profile-a-l/gtk-youtube-viewers-common.profile
new file mode 100644
index 000000000..049448a23
--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewers-common.profile
@@ -0,0 +1,22 @@
+# Firejail profile for gtk-youtube-viewer clones
+# Description: common profile for Trizen's gtk Youtube viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewers-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore quiet
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+private-bin firefox,xterm
+
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
diff --git a/etc/profile-a-l/gtk2-youtube-viewer.profile b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 787c7bd90..8ff09f4d2 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -1,17 +1,14 @@
 # Firejail profile for gtk2-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk2-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk2-youtube-viewer
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk3-youtube-viewer.profile b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 988882622..fdcb438de 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -1,17 +1,14 @@
 # Firejail profile for gtk3-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk3-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk3-youtube-viewer
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index 467bee3a0..0e4125791 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -1,5 +1,5 @@
 # Firejail profile for guvcview
-# Description: GTK+ base UVC Viewer
+# Description: GTK-based UVC Viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include guvcview.local
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 488665154..e0ef23cce 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -1,5 +1,5 @@
 # Firejail profile for handbrake
-# Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
+# Description: Versatile DVD ripper and video transcoder (GTK GUI)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include handbrake.local
diff --git a/etc/profile-a-l/jami.profile b/etc/profile-a-l/jami.profile
new file mode 100644
index 000000000..deff54bcd
--- /dev/null
+++ b/etc/profile-a-l/jami.profile
@@ -0,0 +1,18 @@
+# Firejail profile for jami
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.config/jami.net
+
+mkdir ${HOME}/.config/jami.net
+mkdir ${HOME}/Videos/Jami
+whitelist ${HOME}/.config/jami.net
+whitelist ${HOME}/Videos/Jami
+
+# Redirect
+include jami-gnome.profile
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index f7959ca81..4e8c8e449 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -93,6 +93,7 @@ private-etc
 private-tmp
 
 dbus-user filter
+dbus-user.own org.freedesktop.secrets
 dbus-user.own org.keepassxc.KeePassXC.*
 dbus-user.talk com.canonical.Unity
 dbus-user.talk org.freedesktop.ScreenSaver
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 5183a9327..5cf30ed40 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-a-l/lbry-viewer.profile b/etc/profile-a-l/lbry-viewer.profile
index f6a02ac83..aad1330e0 100644
--- a/etc/profile-a-l/lbry-viewer.profile
+++ b/etc/profile-a-l/lbry-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/lbry-viewer
 whitelist ${HOME}/.cache/lbry-viewer
 whitelist ${HOME}/.config/lbry-viewer
 
-private-bin gtk-lbry-viewer,lbry-viewer
+private-bin lbry-viewer
 
 # Redirect
 include youtube-viewers-common.profile
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
index 27b27a20b..ef0029c73 100644
--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -1,5 +1,5 @@
 # Firejail profile for leafpad
-# Description: GTK+ based simple text editor
+# Description: GTK-based simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include leafpad.local
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile
index 9157d910b..6ca8b8103 100644
--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile
new file mode 100644
index 000000000..2b0fc5275
--- /dev/null
+++ b/etc/profile-a-l/lobster.profile
@@ -0,0 +1,39 @@
+# Firejail profile for lobster
+# Description: Shell script to watch Movies/Webseries/Shows from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lobster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/lobster
+noblacklist ${HOME}/.local/share/lobster
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lobster
+mkdir ${HOME}/.local/share/lobster
+whitelist ${HOME}/.config/lobster
+whitelist ${HOME}/.local/share/lobster
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile