Merge branch 'master' into clawsmail-clamav

102 files changed, 601 insertions, 223 deletions

diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
index e7236b0bc..557204d75 100644
--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -1,12 +1,12 @@
 # Site-specific additions and overrides for 'firejail-default'.
 # For more details, please see /etc/apparmor.d/local/README.
 
-# Here are some examples to allow running programs from home directory.
+# Here are some examples to allow running programs from your home directory.
 # Don't enable all of these, just pick a specific one or write a custom rule
 # instead as done below for torbrowser-launcher.
 #owner @HOME/** ix,
-#owner @HOME/bin/** ix
-#owner @HOME/.local/bin/** ix
+#owner @HOME/bin/** ix,
+#owner @HOME/.local/bin/** ix,
 
 # Uncomment to opt-in to apparmor for brave + ipfs
 #owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix,
diff --git a/etc/inc/allow-python2.inc b/etc/inc/allow-python2.inc
index b0525e2e1..0d4ab8c35 100644
--- a/etc/inc/allow-python2.inc
+++ b/etc/inc/allow-python2.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-python2.local
 
+noblacklist ${HOME}/.local/lib/python2*
 noblacklist ${PATH}/python2*
 noblacklist /usr/include/python2*
 noblacklist /usr/lib/python2*
diff --git a/etc/inc/allow-python3.inc b/etc/inc/allow-python3.inc
index d968886b0..0693fb7e7 100644
--- a/etc/inc/allow-python3.inc
+++ b/etc/inc/allow-python3.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-python3.local
 
+noblacklist ${HOME}/.local/lib/python3*
 noblacklist ${PATH}/python3*
 noblacklist /usr/include/python3*
 noblacklist /usr/lib/python3*
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 65159b951..4277100ce 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc
 blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
+read-only ${HOME}/.config/awesome/autorun.sh
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
 
 # Session manager
 # see #3358
@@ -123,6 +126,7 @@ read-only ${HOME}/.config/kio_httprc
 read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
 read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.config/lxqt
 read-only ${HOME}/.kde/share/apps/konsole
 read-only ${HOME}/.kde/share/apps/kssl
 read-only ${HOME}/.kde/share/config/*notifyrc
@@ -329,6 +333,7 @@ read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
+read-only ${HOME}/.config/mpv
 read-only ${HOME}/.config/nano
 read-only ${HOME}/.config/nvim
 read-only ${HOME}/.config/pkcs11
@@ -337,6 +342,7 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
+read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
@@ -345,6 +351,7 @@ read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.local/share/nvim
 read-only ${HOME}/.local/state/nvim
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
@@ -366,6 +373,10 @@ read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
+# System package managers and AUR helpers
+blacklist ${HOME}/.config/cower
+read-only ${HOME}/.config/cower/config
+
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.bin
 read-only ${HOME}/.cargo/bin
@@ -391,6 +402,11 @@ read-only ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.local/share/mime
 
+# Configuration files that do not allow arbitrary command execution but that
+# are intended to be modified manually (in a text editor and/or by a program
+# dedicated to managing them)
+read-only ${HOME}/.config/MangoHud
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
@@ -556,6 +572,7 @@ blacklist ${PATH}/ss
 blacklist ${PATH}/traceroute
 
 # other SUID binaries
+blacklist /opt/microsoft/msedge*/msedge-sandbox
 blacklist /usr/lib/virtualbox
 blacklist /usr/lib64/virtualbox
 
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index ca43e5ed9..4e3590fed 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -61,6 +61,7 @@ blacklist /usr/lib64/ruby
 
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
+blacklist ${HOME}/.local/lib/python2*
 blacklist ${PATH}/python2*
 blacklist /usr/include/python2*
 blacklist /usr/lib/python2*
@@ -70,6 +71,7 @@ blacklist /usr/share/python2*
 # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
 
 # Python 3
+blacklist ${HOME}/.local/lib/python3*
 blacklist ${PATH}/python3*
 blacklist /usr/include/python3*
 blacklist /usr/lib/python3*
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 3eb6c03d5..211111aaa 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -51,6 +51,7 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bsfilter
 blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
 blacklist ${HOME}/.cache/0ad
@@ -83,6 +84,7 @@ blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/agenda
 blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/ani-cli
 blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/audacity
@@ -318,6 +320,7 @@ blacklist ${HOME}/.config/PacmanLogViewer
 blacklist ${HOME}/.config/PawelStolowski
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/Pinta
+blacklist ${HOME}/.config/Postman
 blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QQ
@@ -399,7 +402,6 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
-blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
 blacklist ${HOME}/.config/darktable
@@ -410,6 +412,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
 blacklist ${HOME}/.config/discordcanary
+blacklist ${HOME}/.config/discordptb
 blacklist ${HOME}/.config/dkl
 blacklist ${HOME}/.config/dnox
 blacklist ${HOME}/.config/dolphin-emu
@@ -477,6 +480,7 @@ blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/iridium
 blacklist ${HOME}/.config/itch
 blacklist ${HOME}/.config/jami
+blacklist ${HOME}/.config/jami.net
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/jgit
 blacklist ${HOME}/.config/k3brc
@@ -517,6 +521,7 @@ blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/linphone
+blacklist ${HOME}/.config/lobster
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lutris
 blacklist ${HOME}/.config/lximage-qt
@@ -952,6 +957,7 @@ blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/linphone
+blacklist ${HOME}/.local/share/lobster
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
@@ -1027,6 +1033,7 @@ blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/state/ani-cli
 blacklist ${HOME}/.local/state/audacity
 blacklist ${HOME}/.local/state/pipewire
 blacklist ${HOME}/.lv2
@@ -1177,6 +1184,7 @@ blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud
 blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/Postman
 blacklist ${HOME}/Seafile/.seafile-data
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index c9f21b2dc..cae059f89 100644
--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -10,16 +10,12 @@ whitelist ${HOME}/.asoundrc
 whitelist ${HOME}/.config/ibus
 whitelist ${HOME}/.config/mimeapps.list
 whitelist ${HOME}/.config/pkcs11
-read-only ${HOME}/.config/pkcs11
 whitelist ${HOME}/.config/user-dirs.dirs
-read-only ${HOME}/.config/user-dirs.dirs
 whitelist ${HOME}/.config/user-dirs.locale
-read-only ${HOME}/.config/user-dirs.locale
 whitelist ${HOME}/.drirc
 whitelist ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
 whitelist ${HOME}/.local/share/applications
-read-only ${HOME}/.local/share/applications
 whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
@@ -68,6 +64,7 @@ whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
+whitelist ${HOME}/.config/lxqt
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.config/qt6ct
 whitelist ${HOME}/.config/qtcurve
diff --git a/etc/profile-a-l/DiscordPTB.profile b/etc/profile-a-l/DiscordPTB.profile
new file mode 100644
index 000000000..4570f0103
--- /dev/null
+++ b/etc/profile-a-l/DiscordPTB.profile
@@ -0,0 +1,10 @@
+# Firejail profile for DiscordPTB
+# This file is overwritten after every install/update
+# Persistent local customizations
+include DiscordPTB.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include discord-ptb.profile
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 7a36302f1..9ebbf1cb0 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -28,7 +28,6 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-hostname agetpkg
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
new file mode 100644
index 000000000..f05653719
--- /dev/null
+++ b/etc/profile-a-l/ani-cli.profile
@@ -0,0 +1,39 @@
+# Firejail profile for ani-cli
+# Description: Shell script to watch Anime from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ani-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ani-cli
+noblacklist ${HOME}/.local/state/ani-cli
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/ani-cli
+mkdir ${HOME}/.local/state/ani-cli
+whitelist ${HOME}/.cache/ani-cli
+whitelist ${HOME}/.local/state/ani-cli
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,sed,sh,sort,tail,tput,tr,uname,wc
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 0655c2e6f..cc9c893de 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -1,5 +1,5 @@
 # Firejail profile for apostrophe
-# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
+# Description: Distraction free Markdown editor for GNU/Linux made with GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include apostrophe.local
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index ef875c5b7..487e0c5f8 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -23,7 +23,6 @@ include disable-shell.inc
 
 apparmor
 caps.drop all
-hostname archiver
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index d8c073c8d..910dd8a91 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces
diff --git a/etc/profile-a-l/blink-common-hardened.inc.profile b/etc/profile-a-l/blink-common-hardened.inc.profile
new file mode 100644
index 000000000..c092a9746
--- /dev/null
+++ b/etc/profile-a-l/blink-common-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include blink-common-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+#restrict-namespaces
diff --git a/etc/profile-a-l/blink-common.profile b/etc/profile-a-l/blink-common.profile
new file mode 100644
index 000000000..ff17dc479
--- /dev/null
+++ b/etc/profile-a-l/blink-common.profile
@@ -0,0 +1,40 @@
+# Firejail profile for blink-common
+# Description: Common profile for Blink-based applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blink-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+#include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your blink-common.local.
+#include blink-common-hardened.inc.profile
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+noinput
+notv
+
+disable-mnt
+private-cache
+
+dbus-system none
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
index d24f76262..e65f76a60 100644
--- a/etc/profile-a-l/bluefish.profile
+++ b/etc/profile-a-l/bluefish.profile
@@ -1,5 +1,5 @@
 # Firejail profile for bluefish
-# Description: Advanced Gtk+ text editor for web and software development
+# Description: Advanced GTK text editor for web and software development
 # This file is overwritten after every install/update
 # Persistent local customizations
 include bluefish.local
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 7b0f7bdf0..9f83b8232 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -1,5 +1,5 @@
 # Firejail profile for celluloid
-# Description: Simple GTK+ frontend for mpv
+# Description: Simple GTK frontend for mpv
 # This file is overwritten after every install/update
 # Persistent local customizations
 include celluloid.local
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile
index 72f79681d..f21a34f36 100644
--- a/etc/profile-a-l/chafa.profile
+++ b/etc/profile-a-l/chafa.profile
@@ -39,6 +39,7 @@ nosound
 notv
 nou2f
 novideo
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 tracelog
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index c3944bd65..0e0416de1 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -1,11 +1,10 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile alias for blink-common-hardened.inc
+# This file is overwritten after every install/update
+# Persistent local customizations
 include chromium-common-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
 
-caps.drop all
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-
-#restrict-namespaces
+# Redirect
+include blink-common-hardened.inc.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index f1f2f5f68..878e0fe1d 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -17,42 +17,21 @@ noblacklist /usr/lib/chromium/chrome-sandbox
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
 #include allow-python3.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.local/share/pki
 mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.pki
 whitelist /usr/share/mozilla/extensions
 whitelist /usr/share/webext
-include whitelist-common.inc
 include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your chromium-common.local.
 #include chromium-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 ?BROWSER_DISABLE_U2F: nou2f
 
-disable-mnt
-private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
@@ -61,7 +40,9 @@ blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
 
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
-dbus-system none
 
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
+
+# Redirect
+include blink-common.profile
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index e0f1bca94..7fefc68b1 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -1,5 +1,5 @@
 # Firejail profile for claws-mail
-# Description: Fast, lightweight and user-friendly GTK based email client
+# Description: Fast, lightweight and user-friendly GTK-based email client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include claws-mail.local
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index 504bce0b1..321d59783 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -1,5 +1,5 @@
 # Firejail profile for clipit
-# Description: Lightweight GTK+ clipboard manager
+# Description: Lightweight GTK clipboard manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include clipit.local
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 8b7d2317c..180282869 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -1,5 +1,5 @@
 # Firejail profile for com.github.bleakgrey.tootle
-# Description: Gtk Mastodon client
+# Description: GTK Mastodon client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include com.github.bleakgrey.tootle.local
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
index 1774669f1..09f80d7bb 100644
--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -1,5 +1,5 @@
 # Firejail profile for corebird
-# Description: Native Gtk+ Twitter client for the Linux desktop
+# Description: Native GTK Twitter client for the Linux desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include corebird.local
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index e896f3537..9b05b4416 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -45,5 +45,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-read-only ${HOME}/.config/cower/config
 restrict-namespaces
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index 4eb89503a..71afecd7a 100644
--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -1,5 +1,5 @@
 # Firejail profile for deadbeef
-# Description: A GTK+ audio player for GNU/Linux
+# Description: A GTK audio player for GNU/Linux
 # This file is overwritten after every install/update
 # Persistent local customizations
 include deadbeef.local
diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile
index ae0549d3e..3f4e3a381 100644
--- a/etc/profile-a-l/dino-im.profile
+++ b/etc/profile-a-l/dino-im.profile
@@ -1,5 +1,5 @@
 # Firejail profile for dino-im
-# Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name
+# Description: Modern XMPP Chat Client using GTK/Vala, Ubuntu specific bin name
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino-im.local
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index 1f7134ff2..fe2b59a1e 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -1,5 +1,5 @@
 # Firejail profile for dino
-# Description: Modern XMPP Chat Client using GTK+/Vala
+# Description: Modern XMPP Chat Client using GTK/Vala
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino.local
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
new file mode 100644
index 000000000..c39c0d843
--- /dev/null
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord-ptb   
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-ptb.local   
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discordptb   
+
+mkdir ${HOME}/.config/discordptb   
+whitelist ${HOME}/.config/discordptb   
+
+private-bin discord-ptb,DiscordPTB   
+private-opt discord-ptb,DiscordPTB   
+
+# Redirect
+include discord-common.profile
diff --git a/etc/profile-a-l/electron-common.profile b/etc/profile-a-l/electron-common.profile
index 73b6d1067..bb48d6332 100644
--- a/etc/profile-a-l/electron-common.profile
+++ b/etc/profile-a-l/electron-common.profile
@@ -7,40 +7,21 @@ include electron-common.local
 noblacklist ${HOME}/.config/Electron
 noblacklist ${HOME}/.config/electron*-flag*.conf
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.config/Electron
 whitelist ${HOME}/.config/electron*-flag*.conf
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your electron-common.local.
 #include electron-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 nou2f
 novideo
 
-disable-mnt
-private-cache
 private-dev
 private-tmp
 
 dbus-user none
-dbus-system none
+
+# Redirect
+include blink-common.profile
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 9f4fabd68..766fe523b 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 48a826f2e..7b4994a85 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -18,6 +18,7 @@ whitelist /opt/Element
 private-opt Element
 
 dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 
 # Redirect
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index bf5b67255..8eee662ad 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -8,6 +8,7 @@ include email-common.local
 #include globals.local
 
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.bsfilter
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
@@ -20,6 +21,9 @@ noblacklist /var/spool/mail
 
 noblacklist ${DOCUMENTS}
 
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -30,15 +34,18 @@ include disable-xdg.inc
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.config/mimeapps.list
 mkfile ${HOME}/.signature
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.bsfilter
 whitelist ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.signature
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
 whitelist ${HOME}/Mail
 whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/bogofilter
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /var/lib/clamav 
@@ -71,7 +78,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,clamav,gnupg,hosts.conf,mailname,timezone
+private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone
 private-tmp
 # encrypting and signing email
 writable-run-user
@@ -86,6 +93,5 @@ dbus-user.talk org.gnome.seahorse.*
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 1118c3bf0..e1d107dc7 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -10,18 +10,21 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -29,6 +32,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 tracelog
 
 # private-bin engrampa
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 4f39bec55..78e2751b3 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -29,6 +29,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -45,6 +46,10 @@ private-dev
 private-etc @x11
 # private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.ArchiveManager1
+dbus-user.own org.gnome.FileRoller
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index a5fd05bc7..78f1327c5 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -15,7 +15,6 @@ include disable-programs.inc
 
 apparmor
 caps.drop all
-hostname file
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 0e1d30958..42d59157c 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,9 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
+# (Ignore entry from disable-common.inc)
+ignore read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index c8414ad1b..7cef2dbbb 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gajim
-# Description: GTK+-based Jabber client
+# Description: GTK-based Jabber client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gajim.local
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 96ded592d..44d62cc86 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#hostname galculator - breaks Arch Linux
 #ipc-namespace
 net none
 nodvd
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index 9c8200dc4..9643820e7 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -15,4 +15,4 @@ private-bin gallery-dl
 private-etc gallery-dl.conf
 
 # Redirect
-include youtube-dl.profile
+include yt-dlp.profile
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile
index 4eb94edf4..4066a1ebf 100644
--- a/etc/profile-a-l/gdu.profile
+++ b/etc/profile-a-l/gdu.profile
@@ -26,7 +26,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 x11 none
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index a19a20ba7..ba0837780 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 3a929774a..e8d4c013f 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname geekbench
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index 95adc6840..f81a49e4f 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -1,5 +1,5 @@
 # Firejail profile for geeqie
-# Description: Image viewer using GTK+
+# Description: Image viewer using GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include geeqie.local
diff --git a/etc/profile-a-l/gtk-lbry-viewer.profile b/etc/profile-a-l/gtk-lbry-viewer.profile
index e1fb53b16..6d143bbe0 100644
--- a/etc/profile-a-l/gtk-lbry-viewer.profile
+++ b/etc/profile-a-l/gtk-lbry-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-lbry-viewer
-# Description: Gtk front-end to lbry-viewer
+# Description: GTK front-end to lbry-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-lbry-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-lbry-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include lbry-viewer.profile
diff --git a/etc/profile-a-l/gtk-pipe-viewer.profile b/etc/profile-a-l/gtk-pipe-viewer.profile
index 9c212ff6e..059961742 100644
--- a/etc/profile-a-l/gtk-pipe-viewer.profile
+++ b/etc/profile-a-l/gtk-pipe-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-pipe-viewer
-# Description: Gtk front-end to pipe-viewer
+# Description: GTK front-end to pipe-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-pipe-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-pipe-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include pipe-viewer.profile
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
index 978b3d896..5f1933258 100644
--- a/etc/profile-a-l/gtk-straw-viewer.profile
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-straw-viewer
-# Description: Gtk front-end to straw-viewer
+# Description: GTK front-end to straw-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-straw-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-straw-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewer.profile b/etc/profile-a-l/gtk-youtube-viewer.profile
index c814f0fef..2bbd8910e 100644
--- a/etc/profile-a-l/gtk-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-youtube-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewers-common.profile b/etc/profile-a-l/gtk-youtube-viewers-common.profile
new file mode 100644
index 000000000..049448a23
--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewers-common.profile
@@ -0,0 +1,22 @@
+# Firejail profile for gtk-youtube-viewer clones
+# Description: common profile for Trizen's gtk Youtube viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewers-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore quiet
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+private-bin firefox,xterm
+
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
diff --git a/etc/profile-a-l/gtk2-youtube-viewer.profile b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 787c7bd90..8ff09f4d2 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -1,17 +1,14 @@
 # Firejail profile for gtk2-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk2-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk2-youtube-viewer
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk3-youtube-viewer.profile b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 988882622..fdcb438de 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -1,17 +1,14 @@
 # Firejail profile for gtk3-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk3-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk3-youtube-viewer
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index 467bee3a0..0e4125791 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -1,5 +1,5 @@
 # Firejail profile for guvcview
-# Description: GTK+ base UVC Viewer
+# Description: GTK-based UVC Viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include guvcview.local
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 488665154..e0ef23cce 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -1,5 +1,5 @@
 # Firejail profile for handbrake
-# Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
+# Description: Versatile DVD ripper and video transcoder (GTK GUI)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include handbrake.local
diff --git a/etc/profile-a-l/jami.profile b/etc/profile-a-l/jami.profile
new file mode 100644
index 000000000..deff54bcd
--- /dev/null
+++ b/etc/profile-a-l/jami.profile
@@ -0,0 +1,18 @@
+# Firejail profile for jami
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.config/jami.net
+
+mkdir ${HOME}/.config/jami.net
+mkdir ${HOME}/Videos/Jami
+whitelist ${HOME}/.config/jami.net
+whitelist ${HOME}/Videos/Jami
+
+# Redirect
+include jami-gnome.profile
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index f7959ca81..4e8c8e449 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -93,6 +93,7 @@ private-etc
 private-tmp
 
 dbus-user filter
+dbus-user.own org.freedesktop.secrets
 dbus-user.own org.keepassxc.KeePassXC.*
 dbus-user.talk com.canonical.Unity
 dbus-user.talk org.freedesktop.ScreenSaver
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 5183a9327..5cf30ed40 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-a-l/lbry-viewer.profile b/etc/profile-a-l/lbry-viewer.profile
index f6a02ac83..aad1330e0 100644
--- a/etc/profile-a-l/lbry-viewer.profile
+++ b/etc/profile-a-l/lbry-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/lbry-viewer
 whitelist ${HOME}/.cache/lbry-viewer
 whitelist ${HOME}/.config/lbry-viewer
 
-private-bin gtk-lbry-viewer,lbry-viewer
+private-bin lbry-viewer
 
 # Redirect
 include youtube-viewers-common.profile
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
index 27b27a20b..ef0029c73 100644
--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -1,5 +1,5 @@
 # Firejail profile for leafpad
-# Description: GTK+ based simple text editor
+# Description: GTK-based simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include leafpad.local
diff --git a/etc/profile-a-l/linuxqq.profile b/etc/profile-a-l/linuxqq.profile
index 9157d910b..6ca8b8103 100644
--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile
new file mode 100644
index 000000000..2b0fc5275
--- /dev/null
+++ b/etc/profile-a-l/lobster.profile
@@ -0,0 +1,39 @@
+# Firejail profile for lobster
+# Description: Shell script to watch Movies/Webseries/Shows from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lobster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/lobster
+noblacklist ${HOME}/.local/share/lobster
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lobster
+mkdir ${HOME}/.local/share/lobster
+whitelist ${HOME}/.config/lobster
+whitelist ${HOME}/.local/share/lobster
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile
diff --git a/etc/profile-m-z/Postman.profile b/etc/profile-m-z/Postman.profile
new file mode 100644
index 000000000..d08acf60b
--- /dev/null
+++ b/etc/profile-m-z/Postman.profile
@@ -0,0 +1,10 @@
+# Firejail profile for Postman
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Postman.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include postman.profile
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index e9d245a6d..266d00395 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-*
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
 blacklist ${HOME}/.gnupg/random_seed
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 2fb527ad5..e7daedea5 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -1,5 +1,5 @@
 # Firejail profile for marker
-# Description: Marker is a markdown editor for Linux made with Gtk+-3.0
+# Description: Marker is a markdown editor for Linux made with GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include marker.local
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index d3b3c6d48..7b83d61e1 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -21,7 +21,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname mdr
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 63844ad70..6843c11c7 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge Beta
-# Description: Web browser from Microsoft,beta channel
+# Description: Web browser from Microsoft, beta channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge-beta.local
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/microsoft-edge-beta
 noblacklist ${HOME}/.config/microsoft-edge-beta
+noblacklist /opt/microsoft/msedge-beta/msedge-sandbox
 
 mkdir ${HOME}/.cache/microsoft-edge-beta
 mkdir ${HOME}/.config/microsoft-edge-beta
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge-beta
 whitelist ${HOME}/.config/microsoft-edge-beta
 
 whitelist /opt/microsoft/msedge-beta
+# private-opt might break the file-copy-limit, see #5307
+#private-opt microsoft
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
index b01fd7c25..b9cdaf98b 100644
--- a/etc/profile-m-z/microsoft-edge-dev.profile
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge Dev
-# Description: Web browser from Microsoft,dev channel
+# Description: Web browser from Microsoft, dev channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge-dev.local
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/microsoft-edge-dev
 noblacklist ${HOME}/.config/microsoft-edge-dev
+noblacklist /opt/microsoft/msedge-dev/msedge-sandbox
 
 mkdir ${HOME}/.cache/microsoft-edge-dev
 mkdir ${HOME}/.config/microsoft-edge-dev
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge-dev
 whitelist ${HOME}/.config/microsoft-edge-dev
 
 whitelist /opt/microsoft/msedge-dev
+# private-opt might break file-copy-limit, see #5307
+#private-opt microsoft
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-stable.profile b/etc/profile-m-z/microsoft-edge-stable.profile
new file mode 100644
index 000000000..c5b2b4301
--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-stable.profile
@@ -0,0 +1,11 @@
+# Firejail profile for Microsoft Edge Stable
+# Description: Web browser from Microsoft, stable channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-stable.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include microsoft-edge.profile
diff --git a/etc/profile-m-z/microsoft-edge.profile b/etc/profile-m-z/microsoft-edge.profile
index 4cd8c85a5..ededb9cbd 100644
--- a/etc/profile-m-z/microsoft-edge.profile
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge
-# Description: Web browser from Microsoft,stable channel
+# Description: Web browser from Microsoft, stable channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge.local
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/microsoft-edge
 noblacklist ${HOME}/.config/microsoft-edge
+noblacklist /opt/microsoft/msedge/msedge-sandbox
 
 mkdir ${HOME}/.cache/microsoft-edge
 mkdir ${HOME}/.config/microsoft-edge
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge
 whitelist ${HOME}/.config/microsoft-edge
 
 whitelist /opt/microsoft/msedge
+# private-opt might break default file-copy-limit, see #5307
+#private-opt microsoft
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
new file mode 100644
index 000000000..74d630e24
--- /dev/null
+++ b/etc/profile-m-z/mov-cli.profile
@@ -0,0 +1,29 @@
+# Firejail profile for mov-cli
+# Description: Python script for watching movies and TV shows via the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mov-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include disable-proc.inc
+include disable-xdg.inc
+
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin ffmpeg,fzf,mov-cli
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index ed344ba3f..682b0173d 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -1,5 +1,5 @@
 # Firejail profile for mp3splt-gtk
-# Description: Gtk utility for mp3/ogg splitting without decoding
+# Description: GTK utility for mp3/ogg splitting without decoding
 # This file is overwritten after every install/update
 # Persistent local customizations
 include mp3splt-gtk.local
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index c9706999a..85f414562 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,13 +11,13 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 #    screenshot-directory=~/Pictures
 
-# Mpv has a powerful lua-API, some off these lua-scripts interact
-# with external resources which are blocked by firejail. In such cases
-# you need to allow these resources by
-#  - adding additional binaries to private-bin
+# mpv has a powerful Lua API and some of the Lua scripts interact with
+# external resources which are blocked by firejail. In such cases you need to
+# allow these resources by:
+#  - noblacklisting additional paths
 #  - whitelisting additional paths
-#  - noblacklisting paths
-#  - weaking the dbus-policy
+#  - adding additional binaries to private-bin
+#  - changing/weakening the D-Bus policy
 #  - ...
 #
 # Often these scripts require a shell:
@@ -75,10 +75,12 @@ nonewprivs
 noroot
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !set_mempolicy
 seccomp.block-secondary
 tracelog
 
+# mpv links to libluajit, so no need to reference "lua*" in private-bin:
+# https://github.com/netblue30/firejail/pull/5711#discussion_r1125622615
 private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
 # private-cache causes slow OSD, see #2838
 #private-cache
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index 2da867dec..9b566a42b 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -16,6 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/openbox/autostart
-read-only ${HOME}/.config/openbox/environment
 #restrict-namespaces
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 2dc49a28d..d78478687 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -36,7 +36,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 # shell none
 tracelog
diff --git a/etc/profile-m-z/pipe-viewer.profile b/etc/profile-m-z/pipe-viewer.profile
index 3de064311..77393274e 100644
--- a/etc/profile-m-z/pipe-viewer.profile
+++ b/etc/profile-m-z/pipe-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/pipe-viewer
 whitelist ${HOME}/.cache/pipe-viewer
 whitelist ${HOME}/.config/pipe-viewer
 
-private-bin gtk-pipe-viewer,pipe-viewer
+private-bin pipe-viewer
 
 # Redirect
 include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 34199a08d..481bade92 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -38,7 +38,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 tracelog
 x11 none
diff --git a/etc/profile-m-z/porn-cli.profile b/etc/profile-m-z/porn-cli.profile
new file mode 100644
index 000000000..f33ff439c
--- /dev/null
+++ b/etc/profile-m-z/porn-cli.profile
@@ -0,0 +1,14 @@
+# Firejail profile for porn-cli
+# Description: Python script for watching porn via the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include porn-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin porn-cli
+
+# Redirect
+include mov-cli.profile
diff --git a/etc/profile-m-z/postman.profile b/etc/profile-m-z/postman.profile
new file mode 100644
index 000000000..c8f00584d
--- /dev/null
+++ b/etc/profile-m-z/postman.profile
@@ -0,0 +1,28 @@
+# Firejail profile for postman
+# Description: API testing platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include postman.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Postman
+noblacklist ${HOME}/Postman
+
+mkdir ${HOME}/.config/Postman
+mkdir ${HOME}/Postman
+whitelist ${HOME}/.config/Postman
+whitelist ${HOME}/Postman
+include whitelist-run-common.inc
+
+protocol unix,inet,inet6,netlink
+
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
+# private-opt breaks file-copy-limit, use a whitelist instead of draining RAM
+# https://github.com/netblue30/firejail/discussions/5307
+#private-opt postman
+whitelist /opt/postman
+
+# Redirect
+include electron-common.profile
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
index 126f5cec8..b61089d36 100644
--- a/etc/profile-m-z/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -1,7 +1,7 @@
 # Firejail profilen alias for pycharm-professional
 # This file is overwritten after every install/update
 # Persistent local customizations
-include pyucharm-professional.local
+include pycharm-professional.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
diff --git a/etc/profile-m-z/qpdf.profile b/etc/profile-m-z/qpdf.profile
index 0c1e09e92..edec7cf0a 100644
--- a/etc/profile-m-z/qpdf.profile
+++ b/etc/profile-m-z/qpdf.profile
@@ -31,7 +31,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname qpdf
 ipc-namespace
 machine-id
 net none
@@ -46,7 +45,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 tracelog
 x11 none
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index 0d35dbbad..9062c8c18 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -62,6 +62,9 @@ private-etc @tls-ca
 private-tmp
 
 dbus-user filter
+# qutebrowser-qt6 uses a newer chrome version which uses the name 'chromium'
+# see https://github.com/qutebrowser/qutebrowser/issues/7431
+dbus-user.own org.mpris.MediaPlayer2.chromium.*
 dbus-user.own org.mpris.MediaPlayer2.qutebrowser.*
 dbus-user.talk org.freedesktop.Notifications
 # Add the next line to your qutebrowser.local to allow screen sharing under wayland.
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index 208f57710..1fb0c0626 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -1,5 +1,5 @@
 # Firejail profile for remmina
-# Description: GTK+ Remote Desktop Client
+# Description: GTK Remote Desktop Client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include remmina.local
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index a26b41524..3e1899ef3 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/Signal
 # These lines are needed to allow Firefox to open links
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index f130176c1..7ce6748d1 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc @tls-ca,SoftMaker
+private-etc @tls-ca,fstab,SoftMaker
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/standard-notes.profile b/etc/profile-m-z/standard-notes.profile
new file mode 100644
index 000000000..db96cc80f
--- /dev/null
+++ b/etc/profile-m-z/standard-notes.profile
@@ -0,0 +1,10 @@
+# Firejail profile for standard-notes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include standard-notes.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include standardnotes-desktop.profile
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 95dc35741..3fe0963a9 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -18,6 +18,10 @@ mkdir ${HOME}/Standard Notes Backups
 mkdir ${HOME}/.config/Standard Notes
 whitelist ${HOME}/Standard Notes Backups
 whitelist ${HOME}/.config/Standard Notes
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index a5b4d5d87..63d629a32 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -181,5 +181,4 @@ private-tmp
 #dbus-user none
 #dbus-system none
 
-read-only ${HOME}/.config/MangoHud
 #restrict-namespaces
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index 513abc21b..48f83fabc 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/straw-viewer
 whitelist ${HOME}/.cache/straw-viewer
 whitelist ${HOME}/.config/straw-viewer
 
-private-bin gtk-straw-viewer,straw-viewer
+private-bin straw-viewer
 
 # Redirect
 include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 6abef85f0..5fb35aa04 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -1,5 +1,5 @@
 # Firejail profile for sylpheed
-# Description: Light weight e-mail client with GTK+
+# Description: Lightweight e-mail client made with GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include sylpheed.local
diff --git a/etc/profile-m-z/tesseract.profile b/etc/profile-m-z/tesseract.profile
index 54568b7d3..5babfb8d2 100644
--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -31,7 +31,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname tesseract
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 1ac80bc9a..5df207e25 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -24,7 +24,6 @@ writable-run-user
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 378c8a1b7..ba68ccb53 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -60,5 +60,4 @@ dbus-user filter
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index 4af8b9292..55e4a4392 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -1,5 +1,5 @@
 # Firejail profile for tutanota-desktop
-# Description: Encrypted email client
+# Description: Official desktop client for the Tutanota E2E encrypted email provider
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tutanota-desktop.local
@@ -9,8 +9,13 @@ include globals.local
 noblacklist ${HOME}/.config/tuta_integration
 noblacklist ${HOME}/.config/tutanota-desktop
 
+ignore dbus-user none
+ignore disable-mnt
 ignore noexec /tmp
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/tuta_integration
@@ -18,14 +23,25 @@ mkdir ${HOME}/.config/tutanota-desktop
 whitelist ${HOME}/.config/tuta_integration
 whitelist ${HOME}/.config/tutanota-desktop
 
-# These lines are needed to allow Firefox to open links
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+machine-id
+nosound
 
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
 private-opt tutanota-desktop
 
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+
 # Redirect
 include electron-common.profile
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index aac99aed5..cdfd72a5b 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname unf
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/url-eater.profile b/etc/profile-m-z/url-eater.profile
new file mode 100644
index 000000000..a894ff0f6
--- /dev/null
+++ b/etc/profile-m-z/url-eater.profile
@@ -0,0 +1,58 @@
+# Firejail profile for url-eater
+# Description: Clean unnecessary parameters from URLs copied to clipboard
+# This file is overwritten after every install/update
+# Persistent local customizations
+include url-eater.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin url-eater
+private-cache
+private-dev
+private-etc url-eater.kdl
+private-lib
+#private-tmp # breaks on Arch
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index a6d2a65e9..9a9915669 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -19,7 +19,6 @@ include disable-shell.inc
 include whitelist-usr-share-common.inc
 
 caps.drop all
-hostname uudeview
 ipc-namespace
 machine-id
 net none
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 8958564ef..8265e1ff8 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname whois
 ipc-namespace
 machine-id
 netfilter
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 8376b4989..9e81d745d 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -5,63 +5,17 @@ quiet
 # Persistent local customizations
 include youtube-dl.local
 # Persistent global definitions
-include globals.local
-
-# breaks when installed under ${HOME} via `pip install --user` (see #2833)
-ignore noexec ${HOME}
+# added by included profile
+#include globals.local
 
 noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.netrc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
-include allow-python3.inc
-
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-tracelog
-
-private-bin env,ffmpeg,python*,youtube-dl
-private-cache
-private-dev
-private-etc @tls-ca,mime.types,youtube-dl.conf
-private-tmp
 
-dbus-user none
-dbus-system none
+private-bin youtube-dl
+private-etc youtube-dl.conf
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
-restrict-namespaces
+# Redirect
+include yt-dlp.profile
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index 825599fcc..4a0e26540 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.config/youtube-viewer
 whitelist ${HOME}/.cache/youtube-viewer
 whitelist ${HOME}/.config/youtube-viewer
 
-private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
+private-bin youtube-viewer
 
 # Redirect
 include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 9ef90eb92..c9d2ea53b 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -8,6 +8,7 @@ include youtube-viewers-common.local
 #include globals.local
 
 noblacklist ${HOME}/.cache/youtube-dl
+noblacklist ${HOME}/.config/mpv
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -19,13 +20,6 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
-# The lines below are needed to find the default Firefox profile name, to allow
-# opening links in an existing instance of Firefox (note that it still fails if
-# there isn't a Firefox instance running with the default profile; see #5352)
-noblacklist ${HOME}/.mozilla
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -35,7 +29,9 @@ include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.config/mpv
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -56,16 +52,12 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp
+private-bin bash,ffmpeg,ffprobe,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,youtube-dl,yt-dlp
 private-cache
 private-dev
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
-dbus-user filter
-# allow D-Bus communication with firefox for opening links
-dbus-user.talk org.mozilla.*
-
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 49d4b3b56..97f9e620a 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -5,17 +5,73 @@ quiet
 # Persistent local customizations
 include yt-dlp.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
+
+# If you installed via pip under ${HOME}
+# add 'ignore noexec ${HOME}' in yt-dlp.local.
+# AppArmor needs to allow it too,
+# add 'ignore apparmor' in yt-dlp.local
+# OR in /etc/apparmor.d/local/firejail-default add:
+# 'owner @HOME/.local/bin/** ix,'
+# 'owner @HOME/.local/lib/python*/** ix,'
+# then run the command
+# 'sudo apparmor_parser -r /etc/apparmor.d/firejail-default'
 
 noblacklist ${HOME}/.cache/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp
 noblacklist ${HOME}/.config/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf
 noblacklist ${HOME}/yt-dlp.conf.txt
+noblacklist ${HOME}/.netrc
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+tracelog
+
+private-bin env,ffmpeg,ffprobe,python*,yt-dlp
+private-cache
+private-dev
+private-etc @tls-ca,mime.types,yt-dlp.conf
+private-tmp
+
+dbus-user none
+dbus-system none
 
-private-bin ffprobe,yt-dlp
-private-etc yt-dlp.conf
+memory-deny-write-execute
 
-# Redirect
-include youtube-dl.profile
+restrict-namespaces
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index caf9eab63..09a1d37a3 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 # This also requires dbus-user filtering (see below).
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/Zeal
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index fd328f36c..b88566f54 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -221,6 +221,8 @@ include globals.local
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 
+# Note: read-only entries should usually go in disable-common.inc (especially
+# entries for configuration files that allow arbitrary command execution).
 ##deterministic-shutdown
 ##env VAR=VALUE
 ##join-or-start NAME