Merge branch 'master' into kuesji/master

56 files changed, 669 insertions, 108 deletions

diff --git a/etc/firejail.config b/etc/firejail.config
index c671efef9..f5b3d5efa 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -35,11 +35,6 @@
 # cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
-# Set the limit for file copy in several --private-* options. The size is set
-# in megabytes. By default we allow up to 500MB.
-# Note: the files are copied in RAM.
-# file-copy-limit 500
-
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
 
@@ -77,18 +72,35 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
+# Set the limit for file copy in several --private-* options. The size is set
+# in megabytes. By default we allow up to 500MB.
+# Note: the files are copied in RAM.
+# file-copy-limit 500
+
+# Enable or disable private-bin feature, default enabled.
+# private-bin yes
+
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
 
 # Enable or disable private-cache feature, default enabled
 # private-cache yes
 
+# Enable or disable private-etc feature, default enabled.
+# private-etc yes
+
 # Enable or disable private-home feature, default enabled
 # private-home yes
 
 # Enable or disable private-lib feature, default enabled
 # private-lib yes
 
+# Enable or disable private-opt feature, default enabled.
+# private-opt yes
+
+# Enable or disable private-srv feature, default enabled.
+# private-srv yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 518587957..0e575e5eb 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -39,6 +39,8 @@ blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.abook
+blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alpine-smime
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
@@ -589,6 +591,7 @@ blacklist ${HOME}/.kodi
 blacklist ${HOME}/.librewolf
 blacklist ${HOME}/.lincity-ng
 blacklist ${HOME}/.links
+blacklist ${HOME}/.links2
 blacklist ${HOME}/.linphone-history.db
 blacklist ${HOME}/.linphonerc
 blacklist ${HOME}/.lmmsrc.xml
@@ -809,6 +812,7 @@ blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
+blacklist ${HOME}/.newsrc
 blacklist ${HOME}/.nicotine
 blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
@@ -829,6 +833,14 @@ blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
+blacklist ${HOME}/.pine-crash
+blacklist ${HOME}/.pine-debug1
+blacklist ${HOME}/.pine-debug2
+blacklist ${HOME}/.pine-debug3
+blacklist ${HOME}/.pine-debug4
+blacklist ${HOME}/.pine-interrupted-mail
+blacklist ${HOME}/.pinerc
+blacklist ${HOME}/.pinercex
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
@@ -866,6 +878,7 @@ blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.texlive20*
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
+blacklist ${HOME}/.tin
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser*
 blacklist ${HOME}/.torcs
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 454a15ab2..4009853d3 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -10,6 +10,8 @@ noblacklist ${HOME}/.cache/0ad
 noblacklist ${HOME}/.config/0ad
 noblacklist ${HOME}/.local/share/0ad
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
new file mode 100644
index 000000000..0b5cf0df0
--- /dev/null
+++ b/etc/profile-a-l/alpine.profile
@@ -0,0 +1,104 @@
+# Firejail profile for alpine
+# Description: Text-based email and newsgroups reader
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpine.local
+# Persistent global definitions
+include globals.local
+
+# Workaround for bug https://github.com/netblue30/firejail/issues/2747
+# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.addressbook
+noblacklist ${HOME}/.alpine-smime
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.mh_profile
+noblacklist ${HOME}/.mime.types
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.pine-crash
+noblacklist ${HOME}/.pine-debug1
+noblacklist ${HOME}/.pine-debug2
+noblacklist ${HOME}/.pine-debug3
+noblacklist ${HOME}/.pine-debug4
+noblacklist ${HOME}/.pine-interrupted-mail
+noblacklist ${HOME}/.pinerc
+noblacklist ${HOME}/.pinercex
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/mail
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#whitelist ${DOCUMENTS}
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.addressbook
+#whitelist ${HOME}/.alpine-smime
+#whitelist ${HOME}/.mailcap
+#whitelist ${HOME}/.mh_profile
+#whitelist ${HOME}/.mime.types
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.pine-crash
+#whitelist ${HOME}/.pine-interrupted-mail
+#whitelist ${HOME}/.pinerc
+#whitelist ${HOME}/.pinercex
+#whitelist ${HOME}/.pine-debug1
+#whitelist ${HOME}/.pine-debug2
+#whitelist ${HOME}/.pine-debug3
+#whitelist ${HOME}/.pine-debug4
+#whitelist ${HOME}/.signature
+#whitelist ${HOME}/mail
+whitelist /var/mail
+whitelist /var/spool/mail
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alpine
+private-cache
+private-dev
+private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}/.signature
diff --git a/etc/profile-a-l/alpinef.profile b/etc/profile-a-l/alpinef.profile
new file mode 100644
index 000000000..97b97fe5f
--- /dev/null
+++ b/etc/profile-a-l/alpinef.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alpinef
+# Description: Text-based email and newsgroups reader using function keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpinef.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin alpinef
+
+# Redirect
+include alpine.profile
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 54abdb234..01566314f 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -31,6 +31,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/apostrophe
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 721a6c082..854fe5cb9 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/bijiben
 whitelist ${HOME}/.local/share/bijiben
 whitelist ${HOME}/.cache/tracker
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/bijiben
 whitelist /usr/share/tracker
 whitelist /usr/share/tracker3
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index f02161b9b..1c539cc93 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -17,6 +17,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 0283a6934..8803a4d9d 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -6,6 +6,8 @@ include chromium-browser-privacy.local
 noblacklist ${HOME}/.cache/ungoogled-chromium
 noblacklist ${HOME}/.config/ungoogled-chromium
 
+blacklist /usr/libexec
+
 mkdir ${HOME}/.cache/ungoogled-chromium
 mkdir ${HOME}/.config/ungoogled-chromium
 whitelist ${HOME}/.cache/ungoogled-chromium
diff --git a/etc/profile-a-l/ddgr.profile b/etc/profile-a-l/ddgr.profile
new file mode 100644
index 000000000..b1d41ddf7
--- /dev/null
+++ b/etc/profile-a-l/ddgr.profile
@@ -0,0 +1,13 @@
+# Firejail profile for ddgr
+# Description: Search DuckDuckGo from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ddgr.local
+# Persistent global definitions
+include globals.local
+
+private-bin ddgr
+
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
index 8120725d2..5a29eb24b 100644
--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -1,6 +1,7 @@
 # Firejail profile for elinks
 # Description: Advanced text-mode WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include elinks.local
 # Persistent global definitions
@@ -8,37 +9,10 @@ include globals.local
 
 noblacklist ${HOME}/.elinks
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+mkdir ${HOME}/.elinks
+whitelist ${HOME}/.elinks
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+private-bin elinks
 
-include whitelist-runuser-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin elinks
-private-cache
-private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
-private-tmp
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 8e8047b00..fe7913e77 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.local/share/Trash
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.steam
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index d44d419c1..fdff1e4b5 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.etr
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index adcb29063..a9e39b15c 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -13,6 +13,8 @@ include globals.local
 noblacklist ${HOME}/.config/evince
 noblacklist ${DOCUMENTS}
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 0b8a8cd6c..4e651ed61 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -13,6 +13,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist /usr/libexec/file-roller
 whitelist /usr/share/file-roller
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index b22a78458..7874c882f 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -17,6 +17,8 @@ include globals.local
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 
+blacklist /usr/libexec
+
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index fa56d2b2d..b4ad81046 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.frogatto
 whitelist ${HOME}/.frogatto
+whitelist /usr/libexec/frogatto
 whitelist /usr/share/frogatto
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index f2da60c87..3a8c055f2 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -7,6 +7,7 @@ include gapplication.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 7ec8ba810..f894a42ca 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -31,6 +31,7 @@ whitelist ${HOME}/.cache/gfeeds
 whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index cf2ac2f75..23aab343f 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -18,6 +18,8 @@ noblacklist ${HOME}/.local/share/maps-places.json
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index 763d67b92..fee5f88b9 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -13,6 +13,8 @@ noblacklist ${HOME}/*.kdbx
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
new file mode 100644
index 000000000..2d0bce52b
--- /dev/null
+++ b/etc/profile-a-l/googler-common.profile
@@ -0,0 +1,62 @@
+# Firejail profile for googler clones
+# Description: common profile for googler clones
+# This file is overwritten after every install/update
+# Persistent local customizations
+include googler-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.w3m
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.w3m
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin env,python3*,sh,w3m
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/googler.profile b/etc/profile-a-l/googler.profile
new file mode 100644
index 000000000..9d67006f6
--- /dev/null
+++ b/etc/profile-a-l/googler.profile
@@ -0,0 +1,13 @@
+# Firejail profile for googler
+# Description: Search Google from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include googler.local
+# Persistent global definitions
+include globals.local
+
+private-bin googler
+
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/gunzip.profile b/etc/profile-a-l/gunzip.profile
index 6e97c6b78..584d88f85 100644
--- a/etc/profile-a-l/gunzip.profile
+++ b/etc/profile-a-l/gunzip.profile
@@ -7,5 +7,7 @@ include gunzip.local
 # added by included profile
 #include globals.local
 
+include allow-bin-sh.inc
+
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index f72af0b4a..b887de147 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.config/hexchat
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
@@ -48,7 +51,7 @@ tracelog
 
 disable-mnt
 # debug note: private-bin requires perl, python, etc on some systems
-private-bin hexchat,python*
+private-bin hexchat,python*,sh
 private-dev
 #private-lib - python problems
 private-tmp
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index c352a5d89..f71dcf82b 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -22,6 +22,8 @@ noblacklist ${HOME}/.config/vivaldi
 noblacklist ${HOME}/.local/share/torbrowser
 noblacklist ${HOME}/.mozilla
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b72632bf4..b7091f1fc 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -8,6 +8,10 @@ include globals.local
 
 # noexec ${HOME} breaks plugins
 ignore noexec ${HOME}
+# Add the following to your kodi.local if you use a CEC Adapter.
+#ignore nogroups
+#ignore noroot
+#ignore private-dev
 
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index e4440eac0..b1a24888c 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -14,6 +14,8 @@ noblacklist ${HOME}/.config/libreoffice
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
new file mode 100644
index 000000000..cd885b1d4
--- /dev/null
+++ b/etc/profile-a-l/links-common.profile
@@ -0,0 +1,63 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include links-common.local
+
+# common profile for links browsers
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
+# used as associated programs can be added in your links-common.local.
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# Add 'ignore machine-id' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+machine-id
+netfilter
+# Add 'ignore no3d' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# Add 'ignore nosound' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# Add  'private-bin PROGRAM1,PROGRAM2' to your links-common.local  if you want to use user-configured programs.
+private-bin sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Add the next line to your links-common.local to allow external media players.
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index a1eeda14a..8ce39cc7f 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -9,58 +9,10 @@ include globals.local
 
 noblacklist ${HOME}/.links
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
-# used as associated programs can be added in your links.local.
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
-whitelist ${DOWNLOADS}
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-# Add 'ignore machine-id' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-machine-id
-netfilter
-# Add 'ignore no3d' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-# Add 'ignore nosound' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
 
-disable-mnt
-# Add  'private-bin PROGRAM1,PROGRAM2' to your links.local  if you want to use user-configured programs.
-private-bin links,sh
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-# Add the next line to your links.local to allow external media players.
-# private-etc alsa,asound.conf,machine-id,openal,pulse
-private-tmp
+private-bin links
 
-memory-deny-write-execute
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/links2.profile b/etc/profile-a-l/links2.profile
new file mode 100644
index 000000000..5f91dfcd2
--- /dev/null
+++ b/etc/profile-a-l/links2.profile
@@ -0,0 +1,18 @@
+# Firejail profile for links2
+# Description: Text WWW browser with a graphic version
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include links2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links2
+
+mkdir ${HOME}/.links2
+whitelist ${HOME}/.links2
+
+private-bin links2
+
+# Redirect
+include links-common.profile
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 087c02964..bd56a8221 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -25,6 +25,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/com.github.fabiocolacio.marker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile
new file mode 100644
index 000000000..fcd1e24e5
--- /dev/null
+++ b/etc/profile-m-z/mcomix.profile
@@ -0,0 +1,74 @@
+# Firejail profile for mcomix
+# Description: A comic book and manga viewer in python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcomix.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mcomix
+noblacklist ${HOME}/.local/share/mcomix
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+# mcomix <= 1.2 uses python2
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mcomix
+mkdir ${HOME}/.local/share/mcomix
+whitelist /usr/share/mcomix
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# mcomix <= 1.2 uses python2
+private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip
+private-cache
+private-dev
+# mcomix <= 1.2 uses gtk-2.0
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/mcomix
+read-write ${HOME}/.local/share/mcomix
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
+# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
+read-write ${HOME}/.thumbnails
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 972838729..f07b9166a 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.megaglest
 whitelist ${HOME}/.megaglest
 whitelist /usr/share/megaglest
+whitelist /usr/share/games/megaglest    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 1225cc107..2a8bb3acf 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -29,6 +29,8 @@ include allow-python3.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
+blacklist /usr/libexec
+
 # Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index 2536d0b38..1028e374a 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -31,7 +31,6 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 310f36ea1..af5c214f7 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -35,6 +35,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 035a7e625..e3ceb3bd4 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -14,6 +14,8 @@ include allow-bin-sh.inc
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 3889d87d2..f1fdfcbad 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.pingus
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile
new file mode 100644
index 000000000..0e52d7fc4
--- /dev/null
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qcomicbook
+# Description: A comic book and manga viewer in QT
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qcomicbook.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/PawelStolowski
+noblacklist ${HOME}/.config/PawelStolowski
+noblacklist ${HOME}/.local/share/PawelStolowski
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/PawelStolowski
+mkdir ${HOME}/.config/PawelStolowski
+mkdir ${HOME}/.local/share/PawelStolowski
+whitelist /usr/share/qcomicbook
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/PawelStolowski
+read-write ${HOME}/.config/PawelStolowski
+read-write ${HOME}/.local/share/PawelStolowski
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
new file mode 100644
index 000000000..cd84ce05e
--- /dev/null
+++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
+# Firejail profile for rtin
+# Description: ncurses-based Usenet newsreader
+#              symlink to tin, same as `tin -r`
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtin.local
+
+include tin.profile
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index aac3e721f..b1989e474 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.scorched3d
 whitelist ${HOME}/.scorched3d
 whitelist /usr/share/scorched3d
+whitelist /usr/share/games/scorched3d
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 131dcbb68..7799ab7ed 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -6,6 +6,9 @@ include seahorse-adventures.local
 # Persistent global definitions
 include globals.local
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -20,6 +23,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/seahorse-adventures
+whitelist /usr/share/games/seahorse-adventures
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -42,7 +46,7 @@ tracelog
 
 disable-mnt
 private
-private-bin python*,seahorse-adventures
+private-bin bash,dash,python*,seahorse-adventures,sh
 private-cache
 private-dev
 private-etc machine-id
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 9ad772cd5..51f6c8b00 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -18,12 +18,14 @@ ignore dbus-system none
 
 noblacklist ${HOME}/.config/Slack
 
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 
-private-bin locale,slack
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 
 # Redirect
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index dd456f085..cfd7a63ea 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/supertux2
 whitelist ${HOME}/.local/share/supertux2
 whitelist /usr/share/supertux2
+whitelist /usr/share/games/supertux2    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 6a0ed46e0..4eb8f921c 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -10,6 +10,8 @@ noblacklist ${HOME}/.config/supertuxkart
 noblacklist ${HOME}/.cache/supertuxkart
 noblacklist ${HOME}/.local/share/supertuxkart
 
+blacklist /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -26,6 +28,7 @@ whitelist ${HOME}/.config/supertuxkart
 whitelist ${HOME}/.cache/supertuxkart
 whitelist ${HOME}/.local/share/supertuxkart
 whitelist /usr/share/supertuxkart
+whitelist /usr/share/games/supertuxkart # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
index e0c5aee9e..7463b761f 100644
--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -2,7 +2,7 @@
 # Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include tekegram-desktop.local
+include telegram-desktop.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
new file mode 100644
index 000000000..e0ed3090a
--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.tin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+#       tin saves .newsrc by renaming a temporary file, which is not possible for
+#       bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index d0bcbe79f..3cd496412 100644
--- a/etc/profile-m-z/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -6,6 +6,9 @@ include tuxguitar.local
 # Persistent global definitions
 include globals.local
 
+# tuxguitar fails to launch
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.tuxguitar*
 noblacklist ${DOCUMENTS}
 noblacklist ${MUSIC}
@@ -41,6 +44,3 @@ tracelog
 
 private-dev
 private-tmp
-
-# noexec ${HOME} - tuxguitar may fail to launch
-noexec /tmp
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 131213ed2..69b2c6c59 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -17,18 +17,32 @@ noblacklist ${HOME}/.w3m
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.w3m
+whitelist /usr/share/w3m
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.w3m
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
@@ -45,8 +59,14 @@ seccomp
 shell none
 tracelog
 
-# private-bin w3m
+disable-mnt
+private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile
index 3a93d2ec7..76935212f 100644
--- a/etc/profile-m-z/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.weechat
 include disable-common.inc
 include disable-programs.inc
 
+whitelist /usr/share/weechat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index 7987af280..d5e25cfe7 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -8,7 +8,6 @@ include xlinks.local
 #include globals.local
 
 noblacklist /tmp/.X11-unix
-noblacklist ${HOME}/.links
 
 include whitelist-common.inc
 
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
new file mode 100644
index 000000000..1ae6a60ca
--- /dev/null
+++ b/etc/profile-m-z/xlinks2
@@ -0,0 +1,20 @@
+# Firejail profile for xlinks2
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist /tmp/.X11-unix
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks2
+private-etc fonts
+
+# Redirect
+include links2.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 93054bfed..dee154409 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
+whitelist /usr/libexec/webkit2gtk-4.0
 whitelist /usr/share/doc
 whitelist /usr/share/groff
 whitelist /usr/share/help
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index a39729685..d0e68c980 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -17,12 +17,14 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/zathura
 mkdir ${HOME}/.local/share/zathura
 whitelist /usr/share/doc
 whitelist /usr/share/zathura
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -41,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index fcc7fe949..18e4e8bce 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -59,14 +59,6 @@ include globals.local
 ##ignore noexec ${HOME}
 ##ignore noexec /tmp
 
-##blacklist PATH
-# Disable X11 (CLI only), see also 'x11 none' below
-#blacklist /tmp/.X11-unix
-# Disable Wayland
-#blacklist ${RUNUSER}/wayland-*
-# Disable RUNUSER (cli only; supersedes Disable Wayland)
-#blacklist ${RUNUSER}
-
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
 # (keep list sorted) and then disable blacklisting below.
@@ -109,6 +101,17 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 #include allow-ssh.inc
 
+##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
+# Disable Wayland
+#blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only; supersedes Disable Wayland)
+#blacklist ${RUNUSER}
+# Remove the next blacklist if you system has no /usr/libexec dir,
+# otherwise try to add it.
+#blacklist /usr/libexec
+
 # disable-*.inc includes
 # remove disable-write-mnt.inc if you set disable-mnt
 #include disable-common.inc
@@ -189,7 +192,7 @@ include globals.local
 #  GUI: fonts,pango,X11
 #  GTK: dconf,gconf,gtk-2.0,gtk-3.0
 #  KDE: kde4rc,kde5rc
-#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl
+#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 #    Extra: gai.conf,proxychains.conf
 #  Qt: Trolltech.conf
 ##private-lib LIBS