add restrict-namespaces to (almost) all profiles

author: smitsohu <smitsohu@gmail.com> 2022-12-20 01:04:13 +0100
committer: smitsohu <smitsohu@gmail.com> 2022-12-20 01:39:53 +0100
commit: e4f0f91ebdafaa3d9e073ee90f2aea5692ec5045 (patch)
tree: e58ccfb5efb851219cd665652a522f0dee56acac /etc/profile-a-l
parent: RELNOTES: add build items (diff)
download: firejail-e4f0f91ebdafaa3d9e073ee90f2aea5692ec5045.tar.gz
firejail-e4f0f91ebdafaa3d9e073ee90f2aea5692ec5045.tar.zst
firejail-e4f0f91ebdafaa3d9e073ee90f2aea5692ec5045.zip
327 files changed, 487 insertions, 3 deletions
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 04f58abb9..48a2afdf2 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
index 7913fdea9..1cd207996 100644
--- a/etc/profile-a-l/2048-qt.profile
+++ b/etc/profile-a-l/2048-qt.profile
@@ -40,3 +40,5 @@ seccomp
 disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
index af026fc86..4a850f1bd 100644
--- a/etc/profile-a-l/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
@@ -28,3 +28,5 @@ seccomp
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
index 09149350d..462bfa517 100644
--- a/etc/profile-a-l/Fritzing.profile
+++ b/etc/profile-a-l/Fritzing.profile
@@ -36,3 +36,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
index 8d56c0d95..b229c151d 100644
--- a/etc/profile-a-l/JDownloader.profile
+++ b/etc/profile-a-l/JDownloader.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index ce3d0630f..eb7a5254f 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -46,3 +46,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index ee9420d62..96c56d85d 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 2f58d9146..184036f24 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -55,3 +55,4 @@ tracelog
 private-dev
 # private-tmp - breaks programs that depend on akonadi
+# restrict-namespaces
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index 8e6935fb8..d88a1fcad 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -49,3 +49,4 @@ private-dev
 private-tmp
 deterministic-shutdown
+# restrict-namespaces
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 5dc306147..9612ffdd2 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -62,3 +62,4 @@ read-write ${HOME}/.config/menus
 read-write ${HOME}/.gnome/apps
 read-write ${HOME}/.local/share/applications
 read-write ${HOME}/.local/share/flatpak/exports
+restrict-namespaces
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index ee6be4bc9..0f7407f05 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
index e00aef423..4e994c025 100644
--- a/etc/profile-a-l/alpine.profile
+++ b/etc/profile-a-l/alpine.profile
@@ -100,3 +100,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}/.signature
+restrict-namespaces
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index 7211f0cf7..3171d738e 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -44,3 +44,5 @@ dbus-user.talk org.freedesktop.Notifications
 #dbus-user.own org.kde.klauncher
 #dbus-user.talk org.kde.knotify
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index bce22fbfd..ccf7231bd 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -40,3 +40,4 @@ private-bin amule
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index add75c849..3dfa0f95a 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -40,3 +40,4 @@ private-cache
 # noexec /tmp breaks 'Android Profiler'
 #noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index 45d000012..466f60bda 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user none
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile
index fd92f63db..4c2dcf0e6 100644
--- a/etc/profile-a-l/anydesk.profile
+++ b/etc/profile-a-l/anydesk.profile
@@ -33,3 +33,5 @@ disable-mnt
 private-bin anydesk
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
index 0d3131f8c..80ee71831 100644
--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -40,3 +40,5 @@ protocol unix,inet,inet6
 #seccomp
 private-tmp
+#restrict-namespaces
diff --git a/etc/profile-a-l/apktool.profile b/etc/profile-a-l/apktool.profile
index e03ff3084..9f1940a4d 100644
--- a/etc/profile-a-l/apktool.profile
+++ b/etc/profile-a-l/apktool.profile
@@ -35,3 +35,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index ca4dec918..dab91fe7d 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -69,3 +69,5 @@ dbus-user filter
 dbus-user.own org.gnome.gitlab.somas.Apostrophe
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
index 7db947be8..766c2c96d 100644
--- a/etc/profile-a-l/arch-audit.profile
+++ b/etc/profile-a-l/arch-audit.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
index 6ad75d68c..3e3f77576 100644
--- a/etc/profile-a-l/archaudit-report.profile
+++ b/etc/profile-a-l/archaudit-report.profile
@@ -36,3 +36,4 @@ private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman,
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index b82563099..b0f83aa32 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile
index c93cecf9f..341fe1ed8 100644
--- a/etc/profile-a-l/ardour5.profile
+++ b/etc/profile-a-l/ardour5.profile
@@ -40,3 +40,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index bb0bc3513..85ea76939 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -33,3 +33,4 @@ seccomp
 private-cache
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index f108a6291..17eb2451c 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -53,3 +53,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index 53697a367..272e06219 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -44,3 +44,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 556a354e7..db388eee1 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -45,3 +45,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index b83b6bb10..b1347b0d9 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -65,3 +65,4 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
index 26eddf1b6..f28f77748 100644
--- a/etc/profile-a-l/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -51,3 +51,4 @@ dbus-system none
 memory-deny-write-execute
 read-write ${HOME}/.local/share/mime
+restrict-namespaces
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index 445aa3985..c09ad7936 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -45,3 +45,4 @@ dbus-system none
 # mdwe is disabled due to breaking hardware accelerated decoding
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index 8ec6f433e..f24aff108 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -49,3 +49,4 @@ private-tmp
 # webkit gtk killed by memory-deny-write-execute
 #memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index fe23049f4..b31f3f1b2 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -42,3 +42,5 @@ private-tmp
 # dbus needed for MPRIS
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index 2831fec72..078e3bf26 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -44,3 +44,5 @@ private-tmp
 # problems on Fedora 27
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index 6c8a90c0b..74dba7411 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -51,3 +51,4 @@ dbus-user.talk ca.desrt.dconf
 dbus-system none
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 8e898b5ee..73a2e1806 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -52,3 +52,5 @@ private-tmp
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 5f26a39f5..02c1d8768 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -46,3 +46,4 @@ private-tmp
 # dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index ee63f0ead..834eac11a 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -39,3 +39,4 @@ private-dev
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
index 4cb556f6e..8707dca5b 100644
--- a/etc/profile-a-l/avidemux.profile
+++ b/etc/profile-a-l/avidemux.profile
@@ -55,3 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
index 0a80a2203..e2646095c 100644
--- a/etc/profile-a-l/aweather.profile
+++ b/etc/profile-a-l/aweather.profile
@@ -37,3 +37,5 @@ tracelog
 private-bin aweather
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index 5d1bf5071..ee9280fe8 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -17,3 +17,4 @@ protocol unix,inet,inet6
 seccomp
 read-only ${HOME}/.config/awesome/autorun.sh
+restrict-namespaces
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
index 05637d247..b60b5715c 100644
--- a/etc/profile-a-l/ballbuster.profile
+++ b/etc/profile-a-l/ballbuster.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 24bb53981..084b7c702 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -52,3 +52,5 @@ private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kb
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index c78caad77..661356ff6 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -79,3 +79,4 @@ dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 40f50e991..31ef66a58 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -41,3 +41,4 @@ private-tmp
 # dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
index dbd3d38f1..a78d202a2 100644
--- a/etc/profile-a-l/barrier.profile
+++ b/etc/profile-a-l/barrier.profile
@@ -42,3 +42,4 @@ private-cache
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 8dc3847a0..a962bfe02 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -22,5 +22,8 @@ ignore seccomp
 #private-etc basilisk
 #private-opt basilisk
+restrict-namespaces
+ignore restrict-namespaces
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index b43c670b6..d566b94e8 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index bc1cb18ac..85a1a58c7 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -56,3 +56,5 @@ private-tmp
 dbus-user none
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index e6675e0d3..b6b52601e 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -60,3 +60,4 @@ dbus-user.talk org.freedesktop.Tracker1
 dbus-system none
 env WEBKIT_FORCE_SANDBOX=0
+restrict-namespaces
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
index 390d002ed..9fc01a2fd 100644
--- a/etc/profile-a-l/bitcoin-qt.profile
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -47,3 +47,4 @@ private-dev
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 773fa7500..988a1479e 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -38,3 +38,4 @@ private-dev
 private-tmp
 read-write /var/lib/bitlbee
+restrict-namespaces
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
index 233f9a96f..753254ffc 100644
--- a/etc/profile-a-l/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
@@ -16,3 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp
+restrict-namespaces
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index a352ab8d8..45ae345c3 100644
--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -40,3 +40,4 @@ dbus-system none
 # memory-deny-write-execute breaks some systems, see issue #1850
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
index 8ee852ab5..cd8fac61f 100644
--- a/etc/profile-a-l/blender.profile
+++ b/etc/profile-a-l/blender.profile
@@ -37,3 +37,5 @@ protocol unix,inet,inet6,netlink
 seccomp !mbind
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 0e38889c0..9badb4357 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -39,3 +39,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
index 3bd8c79d0..6e7a87e5f 100644
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -48,3 +48,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 9dfbd8f8e..e6926ee29 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
index ac949d561..d24f76262 100644
--- a/etc/profile-a-l/bluefish.profile
+++ b/etc/profile-a-l/bluefish.profile
@@ -37,3 +37,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index 0ab28fffe..a483c2b0a 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -31,3 +31,5 @@ seccomp !chroot,!ioperm
 private-cache
 private-dev
+# restrict-namespaces
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
index f80ad9f20..12d7062ab 100644
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -33,3 +33,5 @@ tracelog
 private-cache
 # private-dev
 # private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
index bd6719b62..cf5f462ae 100644
--- a/etc/profile-a-l/build-systems-common.profile
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -63,3 +63,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile
index 5bfe3751b..b28f982fc 100644
--- a/etc/profile-a-l/bzflag.profile
+++ b/etc/profile-a-l/bzflag.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index acfc1ba0a..b347941d7 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -35,3 +35,5 @@ seccomp !chroot
 private-dev
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index 6fccf2122..c2972f902 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -37,3 +37,4 @@ private-dev
 # noexec ${HOME}
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index fb3a6df7e..b2248ad06 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -52,3 +52,4 @@ private-tmp
 # dbus-system none
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index f2d9c282d..7cb56efee 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -37,3 +37,5 @@ seccomp
 # private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
index d076c3ca0..e2df341e9 100644
--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -46,3 +46,5 @@ tracelog
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index e9affe09e..e4e32b265 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -43,3 +43,5 @@ private-tmp
 # dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 48522c002..0c4335e8f 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -64,3 +64,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.config/celluloid
+restrict-namespaces
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile
index b042ac189..72f79681d 100644
--- a/etc/profile-a-l/chafa.profile
+++ b/etc/profile-a-l/chafa.profile
@@ -53,3 +53,4 @@ dbus-user none
 dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
index 835b884ad..3baa80d50 100644
--- a/etc/profile-a-l/checkbashisms.profile
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index 1e498259c..8aed77c04 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -58,3 +58,5 @@ dbus-user filter
 dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
index fe0c7cfe8..528d6203e 100644
--- a/etc/profile-a-l/cherrytree.profile
+++ b/etc/profile-a-l/cherrytree.profile
@@ -40,3 +40,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index 19addd285..c3944bd65 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -7,3 +7,5 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp !chroot
+#restrict-namespaces
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile
index 3e62d7ba2..0930c9361 100644
--- a/etc/profile-a-l/cin.profile
+++ b/etc/profile-a-l/cin.profile
@@ -34,3 +34,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/clamav.profile b/etc/profile-a-l/clamav.profile
index f5f665215..ddd0eb1f9 100644
--- a/etc/profile-a-l/clamav.profile
+++ b/etc/profile-a-l/clamav.profile
@@ -37,3 +37,4 @@ dbus-system none
 read-only ${HOME}
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
index 842416171..9fc73ee55 100644
--- a/etc/profile-a-l/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -27,3 +27,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 268cf01b4..4f4e8e7bf 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -51,3 +51,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index b1509f391..ee01fa653 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -38,3 +38,5 @@ private-tmp
 dbus-system none
 # dbus-user none
+restrict-namespaces
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index a8d57d63d..652809f1b 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -40,3 +40,4 @@ private-dev
 # private-tmp
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 4086f46ba..3f3748e1a 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -48,3 +48,5 @@ private-tmp
 # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
 # dbus-user none
 # dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index 0356547cd..504bce0b1 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -59,5 +59,5 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute
-restrict-namespaces
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index fa5693901..ad6332f78 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -27,3 +27,5 @@ seccomp
 private-bin cmus
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+restrict-namespaces
diff --git a/etc/profile-a-l/cointop.profile b/etc/profile-a-l/cointop.profile
index b4f73458c..c341c4ea2 100644
--- a/etc/profile-a-l/cointop.profile
+++ b/etc/profile-a-l/cointop.profile
@@ -60,3 +60,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile
index 79ab5e7b1..442d50259 100644
--- a/etc/profile-a-l/colorful.profile
+++ b/etc/profile-a-l/colorful.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 7024ddb28..990b6bc5a 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -52,3 +52,5 @@ private-tmp
 # dbus-user.own com.github.bleakgrey.tootle
 # dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index 05768977d..5f2a1c3e6 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -63,3 +63,4 @@ read-only ${HOME}
 read-write ${HOME}/.cache/agenda
 read-write ${HOME}/.config/agenda
 read-write ${HOME}/.local/share/agenda
+restrict-namespaces
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index 06c6e5f84..21f37494b 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -60,3 +60,4 @@ private-tmp
 read-only ${HOME}
 read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
 read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate
+restrict-namespaces
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
index 667f9805c..07a6a6813 100644
--- a/etc/profile-a-l/com.github.phase1geo.minder.profile
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -58,3 +58,5 @@ dbus-user filter
 dbus-user.own com.github.phase1geo.minder
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/com.github.tchx84.Flatseal.profile b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
index 20236c161..fd4494e92 100644
--- a/etc/profile-a-l/com.github.tchx84.Flatseal.profile
+++ b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
@@ -62,3 +62,4 @@ dbus-user.talk org.gnome.Software
 dbus-system none
 read-write ${HOME}/.local/share/flatpak/overrides
+restrict-namespaces
diff --git a/etc/profile-a-l/conkeror.profile b/etc/profile-a-l/conkeror.profile
index 38edf0d21..6486990f5 100644
--- a/etc/profile-a-l/conkeror.profile
+++ b/etc/profile-a-l/conkeror.profile
@@ -34,3 +34,5 @@ protocol unix,inet,inet6
 seccomp
 disable-mnt
+restrict-namespaces
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile
index 49a0a40ff..39e6d3cf9 100644
--- a/etc/profile-a-l/conky.profile
+++ b/etc/profile-a-l/conky.profile
@@ -43,3 +43,4 @@ private-dev
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
index 41b9f79a1..1774669f1 100644
--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -35,3 +35,4 @@ private-bin corebird
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 2245903a4..e896f3537 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -46,3 +46,4 @@ private-tmp
 memory-deny-write-execute
 read-only ${HOME}/.config/cower/config
+restrict-namespaces
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 24a149c5f..793de8ab4 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -46,3 +46,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile
index 7928dd93c..7df7b4480 100644
--- a/etc/profile-a-l/crawl.profile
+++ b/etc/profile-a-l/crawl.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index ba0dfb1a6..842191f3f 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -43,3 +43,4 @@ private-opt none
 private-tmp
 private-srv none
+restrict-namespaces
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 3fa6ab764..3e5878574 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -58,3 +58,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index a3a16fa0c..63d89ec36 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -53,3 +53,4 @@ private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
index 20d5657eb..f871b80aa 100644
--- a/etc/profile-a-l/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
@@ -41,3 +41,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 95f24a0ad..b259c7e93 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -56,3 +56,4 @@ private-tmp
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index 110c9f58e..876e637b2 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -50,3 +50,5 @@ dbus-user filter
 dbus-user.own ca.desrt.dconf-editor
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index 56583838e..5136445da 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -50,3 +50,4 @@ private-lib
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index be1f2eece..8ea5d178e 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -51,3 +51,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index 205424a62..4eb89503a 100644
--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -32,3 +32,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 397a89bee..a10bbab5b 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -60,4 +60,4 @@ seccomp
 # deterministic-shutdown
 # memory-deny-write-execute
 # read-only ${HOME}
-# restrict-namespaces
+restrict-namespaces
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index d8a27da62..ebc751e1a 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -43,3 +43,5 @@ seccomp
 private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
index 2b03f0ea0..71579905e 100644
--- a/etc/profile-a-l/desktopeditors.profile
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -42,3 +42,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index 42318527c..ef31fc3eb 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -50,3 +50,4 @@ private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 4b4bfbc5f..0579547af 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -56,3 +56,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/dex2jar.profile b/etc/profile-a-l/dex2jar.profile
index 0908c16f1..b71387b2f 100644
--- a/etc/profile-a-l/dex2jar.profile
+++ b/etc/profile-a-l/dex2jar.profile
@@ -39,3 +39,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 30db25ee9..efcdb7ce4 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index a6de5e05e..048b92800 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index c1f0e3a14..05f0dfba8 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -43,3 +43,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile
index 19b99b5fd..c7cecf23e 100644
--- a/etc/profile-a-l/dillo.profile
+++ b/etc/profile-a-l/dillo.profile
@@ -37,3 +37,4 @@ private-dev
 private-tmp
 deterministic-shutdown
+restrict-namespaces
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index 6802c7eed..1f7134ff2 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -53,3 +53,5 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-system filter
 # Integration with systemd-logind or elogind
 dbus-system.talk org.freedesktop.login1
+restrict-namespaces
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 6e8e30bfe..15f6e441d 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
index 0efebd9a6..0d52805b7 100644
--- a/etc/profile-a-l/dnscrypt-proxy.profile
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -51,3 +51,4 @@ dbus-system none
 # mdwe can break modules/plugins
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
index 13efd2fa8..40ccab8c7 100644
--- a/etc/profile-a-l/dnsmasq.profile
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -40,3 +40,5 @@ private
 private-dev
 private-tmp
 writable-var
+restrict-namespaces
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index b8a29beb7..acaf2e021 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -60,3 +60,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile
index 427d70e97..6e8d32848 100644
--- a/etc/profile-a-l/dooble.profile
+++ b/etc/profile-a-l/dooble.profile
@@ -38,3 +38,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 845277396..1edbb7ca0 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -41,3 +41,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
index 14c5e7155..742385855 100644
--- a/etc/profile-a-l/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -39,3 +39,4 @@ private-bin dragon
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index b533ad590..9d9fa291b 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -51,3 +51,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute - breaks on Arch
+# restrict-namespaces
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index ffbd06cb6..bd6fb6dcc 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
index 5d83485d2..4fdf1bbfe 100644
--- a/etc/profile-a-l/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
@@ -46,3 +46,4 @@ private-dev
 private-tmp
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 9db24f5a3..920eb7697 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -53,3 +53,4 @@ private-tmp
 # dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index ad3a38bfa..78a996f71 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -51,3 +51,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
index 7e9be653d..5b44f4ccd 100644
--- a/etc/profile-a-l/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -30,3 +30,4 @@ seccomp
 read-write ${HOME}/.emacs
 read-write ${HOME}/.emacs.d
+restrict-namespaces
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 89c44bf76..86fb27514 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -81,3 +81,4 @@ dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
+restrict-namespaces
diff --git a/etc/profile-a-l/empathy.profile b/etc/profile-a-l/empathy.profile
index 5ca640d30..9a128d7af 100644
--- a/etc/profile-a-l/empathy.profile
+++ b/etc/profile-a-l/empathy.profile
@@ -24,3 +24,5 @@ seccomp
 private-cache
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index d9abe52b0..37a6c088b 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -55,3 +55,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 37eb21546..1118c3bf0 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -38,3 +38,5 @@ private-dev
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index 2d3367255..45a1125b4 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -59,3 +59,4 @@ private-opt Enpass
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index f25f2a291..83abb551e 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -49,3 +49,5 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 37b7fdf11..adda53660 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -61,3 +61,5 @@ private-tmp
 # breaks preferences
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/epiphany.profile b/etc/profile-a-l/epiphany.profile
index 225811226..a8d00d045 100644
--- a/etc/profile-a-l/epiphany.profile
+++ b/etc/profile-a-l/epiphany.profile
@@ -34,3 +34,5 @@ nonewprivs
 notv
 protocol unix,inet,inet6
 seccomp
+restrict-namespaces
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 60d50a7fa..2fe0a4af4 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -60,3 +60,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 8fa6cd3b4..7d27f12c9 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -53,3 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index eec9f86db..95115d484 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -64,3 +64,5 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gtk.vfs.Daemon
 dbus-user.talk org.gtk.vfs.Metadata
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 6f959df6e..517bb6206 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -43,3 +43,5 @@ seccomp
 private-dev
 private-tmp
 writable-var
+restrict-namespaces
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index dd5e32f49..45331487c 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -54,3 +54,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 321cb0145..2daf1ff15 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -53,3 +53,5 @@ private-tmp
 # dbus-user filter
 # dbus-user.own org.kde.Falkon
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
index 5679f7cc1..434371aee 100644
--- a/etc/profile-a-l/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -36,3 +36,5 @@ seccomp
 private-bin fbreader,FBReader
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index ee775566e..248cb5b49 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -47,3 +47,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 83de90908..6aa24cc86 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -56,3 +56,5 @@ dbus-user.talk org.freedesktop.secrets
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-user.talk org.gnome.OnlineAccounts
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 9b0262f5b..be5ab8627 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -40,3 +40,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index e11baa536..3a044542f 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -44,3 +44,5 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
index cb01fc5dd..ea90239e0 100644
--- a/etc/profile-a-l/fetchmail.profile
+++ b/etc/profile-a-l/fetchmail.profile
@@ -31,3 +31,5 @@ seccomp
 #private-bin bash,chmod,fetchmail,procmail
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index 42de048d7..160f26f78 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -54,3 +54,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute - it breaks old versions of ffmpeg
+restrict-namespaces
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
index 9ab7e36d3..bf8475758 100644
--- a/etc/profile-a-l/file-manager-common.profile
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -49,3 +49,5 @@ private-dev
 #dbus-user none
 #dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 06744cdd3..ef4e0e117 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -46,3 +46,5 @@ private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
 # private-tmp
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index bcb2abc8b..a5fd05bc7 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -44,3 +44,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index 273e6180c..e80a875f1 100644
--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -41,3 +41,5 @@ seccomp
 private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 491ce2eeb..13313cb67 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -68,3 +68,5 @@ blacklist ${PATH}/wget2
 # Gnome connector, KDE connect and power management on KDE Plasma.
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index d5034ef8e..0984055a3 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -65,3 +65,5 @@ dbus-user.talk org.kde.KWin
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 ?ALLOW_TRAY: dbus-user.own org.kde.*
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile
index 4bb1b2a71..740dc153f 100644
--- a/etc/profile-a-l/flowblade.profile
+++ b/etc/profile-a-l/flowblade.profile
@@ -35,3 +35,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
index 1210f365c..2ae87be48 100644
--- a/etc/profile-a-l/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
@@ -16,3 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp
+restrict-namespaces
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index fcd4afa44..88ae56c82 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -54,3 +54,4 @@ private-dev
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile
index f18250fdb..756ca4fae 100644
--- a/etc/profile-a-l/fontforge.profile
+++ b/etc/profile-a-l/fontforge.profile
@@ -38,3 +38,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index 796081ece..a614d7d9f 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -55,3 +55,5 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index 4a2e13d89..e21789d73 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -44,3 +44,5 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile
index e0330b52a..53315c249 100644
--- a/etc/profile-a-l/freecad.profile
+++ b/etc/profile-a-l/freecad.profile
@@ -42,3 +42,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile
index 1690f6eb9..0788acce1 100644
--- a/etc/profile-a-l/freeciv.profile
+++ b/etc/profile-a-l/freeciv.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile
index 3092e830a..f1b2ffcb7 100644
--- a/etc/profile-a-l/freecol.profile
+++ b/etc/profile-a-l/freecol.profile
@@ -55,3 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index c3f32de03..ae5843f7f 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -50,3 +50,5 @@ private-srv none
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile
index ab6877de8..133d66f0d 100644
--- a/etc/profile-a-l/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
@@ -33,3 +33,4 @@ writable-var
 writable-var-log
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 521d50b3b..067fe3caa 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index bb60d98a5..86a8a8fc6 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/ftp.profile b/etc/profile-a-l/ftp.profile
index 15b68eb08..f448ab932 100644
--- a/etc/profile-a-l/ftp.profile
+++ b/etc/profile-a-l/ftp.profile
@@ -51,3 +51,4 @@ dbus-system none
 memory-deny-write-execute
 noexec ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index ee4226852..8ca349d1c 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index 3d4d4b4e7..d4d578dd4 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -75,4 +75,5 @@ dbus-system.talk org.freedesktop.login1
 # Add the next line to your gajim.local to enable location plugin support.
 #dbus-system.talk org.freedesktop.GeoClue2
+restrict-namespaces
 join-or-start gajim
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 95afc8020..0fba8ac07 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -50,3 +50,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 6fac9affc..106e0eda6 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -70,3 +70,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 60fac668e..313b34a53 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -40,3 +40,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index 33441ac0e..5b434342b 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -58,3 +58,4 @@ private-lib GConf,libpython*,python2*
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile
index 783183bea..4eb94edf4 100644
--- a/etc/profile-a-l/gdu.profile
+++ b/etc/profile-a-l/gdu.profile
@@ -37,6 +37,7 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
 # gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
 # Depending on workflow and use case the sandbox can be hardened by adding the
diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile
index 021abefb3..ec1d68e0d 100644
--- a/etc/profile-a-l/geany.profile
+++ b/etc/profile-a-l/geany.profile
@@ -32,3 +32,5 @@ seccomp
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index cc2119f2a..ad9b45b57 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,3 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 28a79b646..dbb3ab971 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -49,3 +49,5 @@ private-tmp
 # makes settings immutable
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 19ac4e026..cda47a7e9 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -55,3 +55,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.geekbench5
+restrict-namespaces
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index 268c3b334..95adc6840 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -34,3 +34,5 @@ seccomp
 # private-bin geeqie
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 7b42fadd1..d3d49433b 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -67,3 +67,5 @@ dbus-user filter
 dbus-user.own org.gabmus.gfeeds
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index b40c96e5b..02c4f9509 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index e908e5cd9..9c719ddb1 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -56,3 +56,5 @@ private-tmp
 dbus-user filter
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 400c8c54f..083b85a91 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -63,3 +63,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index ffd1b1f13..d315619b7 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -58,3 +58,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 6c6a0bfd4..2f7068d68 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -84,3 +84,5 @@ read-only ${HOME}/.git-credentials
 # Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts.
 read-only ${HOME}/.ssh
+restrict-namespaces
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index 76636cc03..78d6cb2a1 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -65,3 +65,4 @@ private-cache
 private-dev
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 4c4ddd2d2..85f08d52e 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -61,3 +61,5 @@ dbus-user.talk ca.desrt.dconf
 # Add the next line to your gitg.local if you need keyring access.
 #dbus-user.talk org.freedesktop.secrets
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 012bc6159..0f9ed9592 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -41,3 +41,4 @@ private-opt Gitter
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index 9bdbd0e37..bd332a6d5 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -42,3 +42,5 @@ tracelog
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index 311d7f127..92ba70113 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index 162d292f8..d61b566d8 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile
index 5e823a5a8..46553d457 100644
--- a/etc/profile-a-l/globaltime.profile
+++ b/etc/profile-a-l/globaltime.profile
@@ -34,3 +34,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index edd2cd9ee..d4e4caebe 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -51,3 +51,4 @@ writable-run-user
 # dbus-system none
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 0c19faab3..812923b2d 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -43,3 +43,4 @@ tracelog
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index fe3a392b4..e171224c0 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -37,3 +37,4 @@ seccomp
 private-dev
 read-write ${HOME}/.bash_history
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index 11fdb9828..3926146ff 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -52,3 +52,5 @@ dbus-user filter
 dbus-user.own org.gnome.Calculator
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 482992778..b0d3f1d34 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -60,3 +60,4 @@ dbus-system filter
 #dbus-system.talk org.freedesktop.GeoClue2
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index af5b61fe6..2e11f335b 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -56,3 +56,4 @@ private-tmp
 # dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index 815ede80b..78bd54b64 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -51,3 +51,5 @@ private-cache
 private-dev
 private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index cc8f3fea0..8af9870bf 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -44,3 +44,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index f96f750dd..2326115c3 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -38,3 +38,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
index 24fa9721a..c8af97a61 100644
--- a/etc/profile-a-l/gnome-documents.profile
+++ b/etc/profile-a-l/gnome-documents.profile
@@ -41,3 +41,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile
index 294729152..17d266537 100644
--- a/etc/profile-a-l/gnome-font-viewer.profile
+++ b/etc/profile-a-l/gnome-font-viewer.profile
@@ -35,3 +35,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index f734f23bd..f0493c645 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -49,3 +49,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.cache/mesa_shader_cache
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 5f9679cc7..45b6fd880 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -59,3 +59,4 @@ private-tmp
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 105996b38..43e0a1ec1 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -50,3 +50,5 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index f93d9ca24..b619b0f27 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -51,3 +51,4 @@ dbus-system none
 # Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index 2f5e033ad..d14b2a5a1 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -73,3 +73,5 @@ dbus-user.own org.gnome.Maps
 dbus-system filter
 #dbus-system.talk org.freedesktop.NetworkManager
 dbus-system.talk org.freedesktop.GeoClue2
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 444f6ed34..052e9ba9c 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -31,3 +31,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index 8c2ff90ea..ec033dbf0 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -44,3 +44,4 @@ private-dev
 private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index abf3dd759..ce4e5edd8 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index bd39ab0c9..0d7fb2de8 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -59,3 +59,5 @@ dbus-user filter
 dbus-user.own org.gnome.PasswordSafe
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 5c848d0af..1d0291aa2 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -40,3 +40,4 @@ tracelog
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index 0086edab0..6d90773aa 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -38,3 +38,4 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index e4120743a..fb019227f 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -56,3 +56,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.local/share/gnome-pomodoro
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 483783195..75f3199e2 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -50,3 +50,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 44c608e8c..8f2ab7fd6 100644
--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -30,3 +30,4 @@ disable-mnt
 # private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index 415d8eb04..b71d77621 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -61,4 +61,3 @@ disable-mnt
 private-cache
 private-dev
 writable-var
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index 95e1309ad..74238a109 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -48,3 +48,5 @@ dbus-user filter
 dbus-user.own org.gnome.Screenshot
 dbus-user.talk org.gnome.Shell.Screenshot
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 0faf17c2f..d07bd80a7 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -41,3 +41,5 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index ae2f79e35..4c74c0a61 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -53,3 +53,4 @@ writable-var-log
 memory-deny-write-execute
 # Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 097a4d5aa..ae7ea83d8 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -61,3 +61,4 @@ dbus-system none
 #dbus-system.talk org.freedesktop.login1
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
index 3b9e44f66..dfeeff950 100644
--- a/etc/profile-a-l/gnome-twitch.profile
+++ b/etc/profile-a-l/gnome-twitch.profile
@@ -37,3 +37,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index ddffb8942..147b84a19 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -46,3 +46,4 @@ private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index bd20bb2bc..c9145d78e 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index 9df2f06a4..d7944ae24 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -57,3 +57,5 @@ dbus-user filter
 dbus-user.own org.gnome.Gnote
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index bc69f4729..bdbcf9baf 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 57ad9bedc..36a2cae07 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -42,3 +42,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile
index c1119dcb0..327648cd1 100644
--- a/etc/profile-a-l/goldendict.profile
+++ b/etc/profile-a-l/goldendict.profile
@@ -55,3 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index 1eaa68c1d..8807a239d 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -32,3 +32,5 @@ tracelog
 private-dev
 # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 # private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 71e41b289..4af6ce36b 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -39,3 +39,4 @@ private-bin bash,dirname,google-earth,grep,ls,sed,sh
 private-dev
 private-opt google
+restrict-namespaces
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index b84ae83b7..c2a7d89fd 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -39,3 +39,5 @@ seccomp
 disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index 74cfd5b89..da7c24581 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -58,3 +58,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index 40c3b434d..e05cdf424 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -30,3 +30,5 @@ tracelog
 # private-bin gpa,gpg
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index 78546f547..848960f5f 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -49,3 +49,5 @@ tracelog
 # private-bin gpg-agent,gpg
 private-cache
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index bc4fb060b..250c9c396 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -51,3 +51,4 @@ private-dev
 # installing/upgrading archlinux-keyring extremely slow.
 read-write /etc/pacman.d/gnupg
 read-write /usr/share/pacman/keyrings
+restrict-namespaces
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index 937ef14fe..1012f5774 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -48,3 +48,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 628205015..53a6f94e2 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -38,3 +38,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 8ff0d92bb..368482fa3 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -52,3 +52,5 @@ dbus-user.own de.haeckerfelix.gradio
 dbus-user.own org.mpris.MediaPlayer2.gradio
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile
index 6d9c54967..5073e79c9 100644
--- a/etc/profile-a-l/gramps.profile
+++ b/etc/profile-a-l/gramps.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index ab0915cd6..02a49134c 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile
index b9e3d8e25..9654f0ffc 100644
--- a/etc/profile-a-l/gthumb.profile
+++ b/etc/profile-a-l/gthumb.profile
@@ -34,3 +34,5 @@ private-bin gthumb
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index 793fb0440..5fd92fd4f 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -53,3 +53,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
index 594c99863..35ce2816b 100644
--- a/etc/profile-a-l/guayadeque.profile
+++ b/etc/profile-a-l/guayadeque.profile
@@ -32,3 +32,4 @@ private-bin guayadeque
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index 774652fd5..68b78ec62 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -51,3 +51,4 @@ private-tmp
 # dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index e8f64e4e0..db307e940 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -52,3 +52,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 93af4d1f8..8f7f74e0d 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -52,3 +52,4 @@ private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.prel
 # dbus-system none
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 1f13232f2..488665154 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -36,3 +36,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
index 8d665ce68..e5b0a06af 100644
--- a/etc/profile-a-l/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -43,3 +43,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index a1a491ca1..fd8246aae 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -56,3 +56,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index 9c6f162c6..2de09ea93 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -35,3 +35,5 @@ tracelog
 disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index c730187a9..df7f8f3a3 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -55,3 +55,4 @@ private-dev
 private-tmp
 # memory-deny-write-execute - breaks python
+restrict-namespaces
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index 04a603794..d77f49ce0 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -41,3 +41,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index cf06b397f..91b73e8e9 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
index 22a3ecf51..09af8f0f5 100644
--- a/etc/profile-a-l/host.profile
+++ b/etc/profile-a-l/host.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
index d4587a303..c4085cf9c 100644
--- a/etc/profile-a-l/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index 8fd80564a..13dc06ecc 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index c131381c8..757af67b0 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -69,3 +69,5 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index e96b1843c..a0c3f2d97 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -16,3 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp
+restrict-namespaces
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index 727dabb77..e16f3f1d5 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -37,3 +37,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 0d976222f..31f65962f 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -39,3 +39,4 @@ private-dev
 # private-tmp
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile
index 29aeb006b..60e97b24c 100644
--- a/etc/profile-a-l/imagej.profile
+++ b/etc/profile-a-l/imagej.profile
@@ -38,3 +38,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index 889e4ba65..ee341423a 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -50,3 +50,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile
index 7306de4b3..d9a256c11 100644
--- a/etc/profile-a-l/impressive.profile
+++ b/etc/profile-a-l/impressive.profile
@@ -54,3 +54,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.cache/mesa_shader_cache
+restrict-namespaces
diff --git a/etc/profile-a-l/imv.profile b/etc/profile-a-l/imv.profile
index 43085bb9b..94333a610 100644
--- a/etc/profile-a-l/imv.profile
+++ b/etc/profile-a-l/imv.profile
@@ -54,3 +54,4 @@ dbus-user none
 dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index d461add95..1034c225f 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -60,3 +60,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/io.github.lainsce.Notejot.profile b/etc/profile-a-l/io.github.lainsce.Notejot.profile
index 483772a1e..cb2f30350 100644
--- a/etc/profile-a-l/io.github.lainsce.Notejot.profile
+++ b/etc/profile-a-l/io.github.lainsce.Notejot.profile
@@ -57,3 +57,5 @@ dbus-user filter
 dbus-user.own io.github.lainsce.Notejot
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index cdf78ea94..983c31bcb 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -59,3 +59,4 @@ dbus-system none
 # memory-deny-write-execute
 # read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile
index 85ea915c7..1c4ddebdb 100644
--- a/etc/profile-a-l/itch.profile
+++ b/etc/profile-a-l/itch.profile
@@ -39,3 +39,4 @@ private-dev
 private-tmp
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
index fc1f7e42c..5fe484029 100644
--- a/etc/profile-a-l/jami-gnome.profile
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -39,3 +39,4 @@ private-dev
 private-tmp
 env QT_QPA_PLATFORM=xcb
+restrict-namespaces
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
index 628a646c2..e34b3e676 100644
--- a/etc/profile-a-l/jd-gui.profile
+++ b/etc/profile-a-l/jd-gui.profile
@@ -41,3 +41,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index f55305a08..3136b412e 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -40,3 +40,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/jitsi.profile b/etc/profile-a-l/jitsi.profile
index 23f7b720d..c0bda1cbf 100644
--- a/etc/profile-a-l/jitsi.profile
+++ b/etc/profile-a-l/jitsi.profile
@@ -28,3 +28,5 @@ tracelog
 disable-mnt
 private-cache
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index dee252281..66d63283a 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index a98f09d7d..81d4f3458 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -35,3 +35,5 @@ novideo
 private-dev
 # private-tmp
+# restrict-namespaces - breaks privileged helpers
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index 8dba3b4e9..73417bf11 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -40,3 +40,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 6331e3990..bde52f30e 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user none
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index dc6e58c99..152f73d5d 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -60,4 +60,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
 join-or-start kate
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 61802383d..c01000af1 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -52,3 +52,5 @@ private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cach
 private-tmp
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index 6e1de1abd..ea56f2d39 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -67,3 +67,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
index 8b02142c3..2f426e191 100644
--- a/etc/profile-a-l/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -34,3 +34,4 @@ private-bin kbuildsycoca4,kded4,kdeinit4,knotify4
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index 872e6d9aa..d4933d816 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -38,3 +38,5 @@ private-dev
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 947e35750..e0b3eadfd 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -55,3 +55,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile
index db3bbd76f..648ed95cf 100644
--- a/etc/profile-a-l/keepass.profile
+++ b/etc/profile-a-l/keepass.profile
@@ -43,3 +43,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index c8b895fc2..935fe3933 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -47,3 +47,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 827951071..80374690c 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -106,5 +106,7 @@ dbus-user.talk org.xfce.ScreenSaver
 dbus-system filter
 dbus-system.talk org.freedesktop.login1
+restrict-namespaces
 # Mutex is stored in /tmp by default, which is broken by private-tmp.
 join-or-start keepassxc
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile
index dee84482f..c70030a38 100644
--- a/etc/profile-a-l/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -44,3 +44,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index 9b6646725..dd45c1889 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -41,3 +41,4 @@ private-dev
 private-tmp
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index 637b00c35..424fb006e 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -45,3 +45,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile
index 2df907376..a4c8486e1 100644
--- a/etc/profile-a-l/kino.profile
+++ b/etc/profile-a-l/kino.profile
@@ -34,3 +34,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 1c50ad2ea..5a028aeea 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
index c7b5123d2..0c2d171b9 100644
--- a/etc/profile-a-l/klatexformula.profile
+++ b/etc/profile-a-l/klatexformula.profile
@@ -42,3 +42,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index 4b8c9e414..0785b904d 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -51,3 +51,5 @@ private-srv none
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 1bbc141e8..9724f4963 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -62,3 +62,5 @@ private-dev
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
+# restrict-namespaces
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index 135e8f3ad..992b312ee 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -38,3 +38,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b78d9c474..474a10a31 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -51,3 +51,5 @@ tracelog
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index 875d0ef76..e4781fea3 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -43,3 +43,4 @@ private-dev
 private-tmp
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile
index 9e75b03eb..91030f453 100644
--- a/etc/profile-a-l/kopete.profile
+++ b/etc/profile-a-l/kopete.profile
@@ -37,3 +37,4 @@ private-dev
 private-tmp
 writable-var
+restrict-namespaces
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index 70d721e9f..a04376430 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -48,3 +48,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index 96eb6978d..27feccf40 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -35,3 +35,5 @@ protocol unix,inet,inet6
 seccomp
 # private-cache
+restrict-namespaces
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index cb06dd38f..da267b962 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -67,3 +67,4 @@ private-tmp
 deterministic-shutdown
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 086a4500a..68ef6111a 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -50,3 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 176c78515..0cdfe4f10 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -78,3 +78,4 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index c3b2a1205..7ecf26d8e 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -44,3 +44,5 @@ private-bin kwin_x11
 private-dev
 private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 1883d7c86..18a024c7e 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -52,4 +52,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
 join-or-start kwrite
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile
index f6c28fafa..f1e1a897b 100644
--- a/etc/profile-a-l/latex-common.profile
+++ b/etc/profile-a-l/latex-common.profile
@@ -38,3 +38,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
index ce62b8d5c..27b27a20b 100644
--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -38,3 +38,4 @@ private-dev
 private-lib
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index 24d6261fb..6efe23ade 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -48,3 +48,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
 read-write ${HOME}/.lesshst
+restrict-namespaces
diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile
index 00447c6c1..40ec7b9c6 100644
--- a/etc/profile-a-l/librecad.profile
+++ b/etc/profile-a-l/librecad.profile
@@ -47,3 +47,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index e25eaa2e9..518928876 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -54,4 +54,5 @@ private-tmp
 dbus-system none
+restrict-namespaces
 join-or-start libreoffice
diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile
index 280669b24..025156d2d 100644
--- a/etc/profile-a-l/lifeograph.profile
+++ b/etc/profile-a-l/lifeograph.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index 75aac74d1..b0e9015ee 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -59,3 +59,5 @@ dbus-user.talk ca.desrt.dconf
 # Add the next line to your liferea.local if you use the 'Libsecret Support' plugin.
 #dbus-user.talk org.freedesktop.secrets
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
index 79eca0a6f..d81e21636 100644
--- a/etc/profile-a-l/lincity-ng.profile
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index 4eec03855..22a4a2a2a 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -59,3 +59,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
index e375f0c13..2273ed560 100644
--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -47,3 +47,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile
index b4582c4f5..35fca733a 100644
--- a/etc/profile-a-l/lmms.profile
+++ b/etc/profile-a-l/lmms.profile
@@ -37,3 +37,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index 3108900ef..78b78662b 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -39,3 +39,4 @@ private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile
index 2b61f4d48..f6436d93d 100644
--- a/etc/profile-a-l/lugaru.profile
+++ b/etc/profile-a-l/lugaru.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
index b7280b61c..4a8352831 100644
--- a/etc/profile-a-l/luminance-hdr.profile
+++ b/etc/profile-a-l/luminance-hdr.profile
@@ -36,3 +36,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 80cecd056..2658c5373 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -80,3 +80,5 @@ dbus-user filter
 dbus-user.own net.lutris.Lutris
 dbus-user.talk com.feralinteractive.GameMode
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
index d8485ba65..589f1cf6b 100644
--- a/etc/profile-a-l/lximage-qt.profile
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -35,3 +35,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
index a5fc967be..1ecf3c9d7 100644
--- a/etc/profile-a-l/lxmusic.profile
+++ b/etc/profile-a-l/lxmusic.profile
@@ -37,3 +37,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index 02a9f8d82..caf8de104 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -39,3 +39,5 @@ private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
+restrict-namespaces
author	smitsohu <smitsohu@gmail.com>	2022-12-20 01:04:13 +0100
committer	smitsohu <smitsohu@gmail.com>	2022-12-20 01:39:53 +0100
commit	e4f0f91ebdafaa3d9e073ee90f2aea5692ec5045 (patch)
tree	e58ccfb5efb851219cd665652a522f0dee56acac /etc/profile-a-l
parent	RELNOTES: add build items (diff)
download	firejail-e4f0f91ebdafaa3d9e073ee90f2aea5692ec5045.tar.gz firejail-e4f0f91ebdafaa3d9e073ee90f2aea5692ec5045.tar.zst firejail-e4f0f91ebdafaa3d9e073ee90f2aea5692ec5045.zip