95 files changed, 861 insertions, 172 deletions

diff --git a/README b/README
index d31e51443..911a8719a 100644
--- a/README
+++ b/README
@@ -437,6 +437,8 @@ mustaqimM (https://github.com/mustaqimM)
     - added profile for Nylas Mail
 n1trux (https://github.com/n1trux)
         - fix flashpeak-slimjet profile typos
+Nick Fox (https://github.com/njfox)
+        - add a profile alias for code-oss
 NickMolloy (https://github.com/NickMolloy)
         - ARP address length fix
 Niklas Haas (https://github.com/haasn)
@@ -541,6 +543,7 @@ rusty-snake (https://github.com/rusty-snake)
         - updates for ~/.cargo
         - added klavaro profile
         - added mypaint, nano, celluoid profiles
+        - various profile hardening
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
         - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
diff --git a/README.md b/README.md
index 01c346d88..3eecca941 100644
--- a/README.md
+++ b/README.md
@@ -102,4 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## Current development version: 0.9.59
 
 ## New profiles:
-crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
+crow, nyx, klavaro, mypaint, celluoid, nano, transgui, sysprof, simplescreenrecorder, geekbench, xfce4-mixer, pavucontrol, d-feet, seahorse, secret-tool, gnome-keyring, regextester, hardinfo, gnome-system-log, gnome-nettool, netactview, redshift, devhelp, assogiate, subdownloader, font-manager, exfalso, gconf-editor, dconf-editor, mpdris2, sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings, code-oss, pragha
diff --git a/RELNOTES b/RELNOTES
index 633dbc253..d780cc823 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -6,6 +6,7 @@ firejail (0.9.59) baseline; urgency=low
   * new profiles: netactview, redshift, devhelp, assogiate, subdownloader
   * new profiles: font-manager, exfalso, gconf-editor, dconf-editor
   * new profiles: sysprof-cli, seahorse-tool, secret-tool, dconf, gsettings
+  * new profiles: code-oss, pragha
   * memory-deny-write-execute now also blocks memfd_create
 
 firejail (0.9.58,2) baseline; urgency=low
diff --git a/etc/code-oss.profile b/etc/code-oss.profile
new file mode 100644
index 000000000..6d45d5994
--- /dev/null
+++ b/etc/code-oss.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for Visual Studio Code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include code-oss.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include code.profile
diff --git a/etc/code.profile b/etc/code.profile
index 293308187..b7740414c 100644
--- a/etc/code.profile
+++ b/etc/code.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.vscode
 noblacklist ${HOME}/.vscode-oss
 noblacklist ${HOME}/.config/Code
+noblacklist ${HOME}/.config/Code - OSS
 
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index 5f498f58c..abaf5acd5 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -41,6 +41,6 @@ private-etc alternatives,fonts
 private-lib
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 6b87c0715..7e39f7d3d 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -62,6 +62,7 @@ blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/BraveSoftware
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Code
+blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Enox
@@ -238,6 +239,7 @@ blacklist ${HOME}/.config/pitivi
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/ppsspp
+blacklist ${HOME}/.config/pragha
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -562,6 +564,7 @@ blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser-*
+blacklist ${HOME}/.tor-browser_*
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknown-horizons
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index c453d77d0..44b42aefa 100644
--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -32,5 +32,4 @@ private-dev
 private-etc alternatives,fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
 private-tmp
 
-noexec ${HOME}
 noexec /tmp
diff --git a/etc/eog.profile b/etc/eog.profile
index 0ba40901c..32b648bd9 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -45,6 +45,6 @@ private-etc alternatives,fonts
 private-lib eog,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/evince-previewer.profile b/etc/evince-previewer.profile
index e43bb2da8..bd1ea6aa9 100644
--- a/etc/evince-previewer.profile
+++ b/etc/evince-previewer.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include evince-previewer.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 
 # Redirect
diff --git a/etc/evince-thumbnailer.profile b/etc/evince-thumbnailer.profile
index 4036e1ecb..d11d4e1e1 100644
--- a/etc/evince-thumbnailer.profile
+++ b/etc/evince-thumbnailer.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include evince-thumbnailer.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 
 # Redirect
diff --git a/etc/evince.profile b/etc/evince.profile
index e9b530ece..c10e3b04f 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -20,7 +20,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-# net none breaks AppArmor on Ubuntu systems
+# net none - breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodbus
@@ -38,13 +38,12 @@ shell none
 tracelog
 
 private-bin evince,evince-previewer,evince-thumbnailer
+private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
-
+private-etc alternatives,fonts,group,machine-id,passwd
 private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
-
 private-tmp
 
-#memory-deny-write-execute - breaks application on Archlinux, issue 1803
+# memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 44b5d5530..aa7a91928 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -7,28 +7,35 @@ include ffmpeg.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+ipc-namespace
 machine-id
-net none
+netfilter
+# no3d might break HW accelerated de/encoding - comment when appropriate
 no3d
 nodbus
 nodvd
+nogroups
+nonewprivs
+noroot
 nosound
 notv
 nou2f
 novideo
-nonewprivs
-noroot
-# protocol none - needs to be implemented!
+protocol inet,inet6
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
 shell none
@@ -37,6 +44,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
+private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf
 private-tmp
 
 # memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/ffmpegthumbnailer.profile b/etc/ffmpegthumbnailer.profile
new file mode 100644
index 000000000..6ab35e9a0
--- /dev/null
+++ b/etc/ffmpegthumbnailer.profile
@@ -0,0 +1,15 @@
+# Firejail profile for ffmpegthumbnailer
+# Description: FFmpeg-based video thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ffmpegthumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin ffmpegthumbnailer
+private-lib libffmpegthumbnailer.so.*
+
+
+# Redirect
+include ffmpeg.profile
diff --git a/etc/ffplay.profile b/etc/ffplay.profile
new file mode 100644
index 000000000..00da400bd
--- /dev/null
+++ b/etc/ffplay.profile
@@ -0,0 +1,14 @@
+# Firejail profile for ffplay
+# Description: FFmpeg-based media player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ffplay.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin ffplay
+
+
+# Redirect
+include ffmpeg.profile
diff --git a/etc/ffprobe.profile b/etc/ffprobe.profile
new file mode 100644
index 000000000..166cc8b46
--- /dev/null
+++ b/etc/ffprobe.profile
@@ -0,0 +1,14 @@
+# Firejail profile for ffprobe
+# Description: FFmpeg-based media prober
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ffprobe.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin ffprobe
+
+
+# Redirect
+include ffmpeg.profile
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 9bd83b2b7..c23ed53f5 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -40,6 +40,6 @@ private-dev
 # private-etc alternatives,fonts
 # private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 69920aa5f..3089b7ce8 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -6,7 +6,7 @@ include firefox-common.local
 # already included by caller profile
 #include globals.local
 
-# uncomment the following line to allow access to common programs/addons/plugins
+# Uncomment the following line to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
 
 noblacklist ${HOME}/.pki
@@ -27,25 +27,27 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# Breaks Gnome connector and KDE Connect
-# Also seems to break Ubuntu titlebar menu
+# Breaks Gnome connector and KDE Connect.
+# Also seems to break Ubuntu titlebar menu.
 # Also breaks enigmail apparently?
-# During a stream on Plasma it prevents the mechanism to temporarily bypass the power management, i.e. to keep the screen on
-# Therefore disable if you use that
+# During a stream on Plasma it prevents the mechanism to temporarily bypass the power management, i.e. to keep the screen on.
+# Therefore disable if you use that.
 nodbus
 nodvd
 nogroups
 nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
 noroot
 notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
+# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
-#disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
+# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
 
 disable-mnt
@@ -54,6 +56,6 @@ private-dev
 #private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
 private-tmp
 
-# breaks DRM binaries
+# Breaks DRM binaries.
 #noexec ${HOME}
 noexec /tmp
diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index 1c5f90f42..39a23c813 100644
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -1,6 +1,7 @@
 # Firejail profile for flameshot
 # Description: Powerful yet simple-to-use screenshot software
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include flameshot.local
 # Persistent global definitions
diff --git a/etc/gconf-editor.profile b/etc/gconf-editor.profile
index 20cc5c36f..e9756f8af 100644
--- a/etc/gconf-editor.profile
+++ b/etc/gconf-editor.profile
@@ -4,46 +4,9 @@
 # Persistent local customizations
 include gconf-editor.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
-noblacklist ${HOME}/.config/gconf
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist ${HOME}/.config/gconf
-include whitelist-common.inc
-
-apparmor
-caps.drop all
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-bin gconf-editor
-private-cache
-private-dev
-private-etc alternatives,fonts
-private-lib
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include gconf.profile
diff --git a/etc/gconf-merge-schema.profile b/etc/gconf-merge-schema.profile
new file mode 100644
index 000000000..411b7b815
--- /dev/null
+++ b/etc/gconf-merge-schema.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconf-merge-schema
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-schema.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile
diff --git a/etc/gconf-merge-tree.profile b/etc/gconf-merge-tree.profile
new file mode 100644
index 000000000..66a4226ca
--- /dev/null
+++ b/etc/gconf-merge-tree.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconf-merge-tree
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-tree.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile
diff --git a/etc/gconf.profile b/etc/gconf.profile
new file mode 100644
index 000000000..94af21833
--- /dev/null
+++ b/etc/gconf.profile
@@ -0,0 +1,57 @@
+# Firejail profile for gconf
+# Description: An obsolete configuration database system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gconf
+
+# Allow python2 (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+#noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gconf
+whitelist ${HOME}/.config/gconf
+include whitelist-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
+private-cache
+private-dev
+private-etc alternatives,fonts,gconf
+private-lib libpython*,python2*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gconfpkg.profile b/etc/gconfpkg.profile
new file mode 100644
index 000000000..1793ce072
--- /dev/null
+++ b/etc/gconfpkg.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconfpkg
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconfpkg.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile
diff --git a/etc/gconftool-2.profile b/etc/gconftool-2.profile
new file mode 100644
index 000000000..59a2242a7
--- /dev/null
+++ b/etc/gconftool-2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconftool-2
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconftool-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile
diff --git a/etc/geekbench.profile b/etc/geekbench.profile
index c6e45b7d0..425fb7bb5 100644
--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -13,7 +13,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-inclue whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -40,7 +40,7 @@ disable-mnt
 private-bin bash,geekbenc*,sh
 private-cache
 private-dev
-private-etc alternatives,groups,passwd,lsb-release
+private-etc alternatives,group,passwd,lsb-release
 private-lib libstdc++.so.*
 private-opt none
 private-tmp
@@ -49,5 +49,4 @@ private-tmp
 noexec ${HOME}
 noexec /tmp
 
-# never write anything
 read-only ${HOME}
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 79c878833..eb124a4e8 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -44,6 +44,6 @@ private-dev
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 83ece0fce..32a7ca918 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -6,7 +6,6 @@ include gnome-clocks.local
 # Persistent global definitions
 include globals.local
 
-
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -14,8 +13,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
@@ -32,9 +33,10 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin gnome-clocks
+private-bin gnome-clocks,gsound-play
+private-cache
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies,machine-id,hosts,pkcs11,localtime,gtk-3.0,dconf
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index c43475615..4c66e3772 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -38,7 +38,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,groups,passwd
+private-etc alternatives,fonts,group,passwd
 private-lib
 private-tmp
 
diff --git a/etc/gsettings-data-convert.profile b/etc/gsettings-data-convert.profile
new file mode 100644
index 000000000..21a232440
--- /dev/null
+++ b/etc/gsettings-data-convert.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gsettings-data-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-data-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile
diff --git a/etc/gsettings-schema-convert.profile b/etc/gsettings-schema-convert.profile
new file mode 100644
index 000000000..2dbf4fb44
--- /dev/null
+++ b/etc/gsettings-schema-convert.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gsettings-schema-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-schema-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index d565373f4..f0546beda 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -48,7 +48,7 @@ private-tmp
 # 2.2.4 crashes on database open
 # memory-deny-write-execute
 noexec ${HOME}
-# noexec /tmp
+noexec /tmp
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc
diff --git a/etc/patch.profile b/etc/patch.profile
index 26542e229..c0937bfc5 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -36,7 +36,7 @@ shell none
 
 private-bin patch,red
 private-dev
-private-lib
+private-lib libfakeroot
 
 memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 159846a28..6bda9e7d3 100644
--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -15,9 +15,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.config/pavucontrol.ini
-whitelist ${HOME}/.config/pavucontrol.ini
-include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/hardinfo.profile b/etc/pragha.profile
index 6be3044b4..a595caee9 100644
--- a/etc/hardinfo.profile
+++ b/etc/pragha.profile
@@ -1,38 +1,39 @@
-# Firejail profile for hardinfo
-# Description: A system information and benchmark tool
+# Firejail profile for pragha
+# Description: A lightweight GTK music player
 # This file is overwritten after every install/update
 # Persistent local customizations
-include hardinfo.local
+include pragha.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/pragha
+noblacklist ${MUSIC}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-apparmor
+include whitelist-var-common.inc
+
 caps.drop all
-machine-id
-ipc-namespace
 netfilter
-nodbus
-nodvd
+no3d
 nogroups
 nonewprivs
 noroot
-nosound
+notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
-disable-mnt
-private-cache
 private-dev
+private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
 private-tmp
 
-# memory-deny-write-execute - Breaks on Arch
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/qt-faststart.profile b/etc/qt-faststart.profile
new file mode 100644
index 000000000..51bc1b298
--- /dev/null
+++ b/etc/qt-faststart.profile
@@ -0,0 +1,14 @@
+# Firejail profile for qt-faststart
+# Description: FFmpeg-based media utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qt-faststart.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin qt-faststart
+
+
+# Redirect
+include ffmpeg.profile
diff --git a/etc/sol.profile b/etc/sol.profile
index e5a356f68..c194eed05 100644
--- a/etc/sol.profile
+++ b/etc/sol.profile
@@ -39,6 +39,6 @@ private-cache
 private-dev
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
index 350f10632..b43047401 100644
--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -44,7 +44,7 @@ shell none
 
 disable-mnt
 private
-private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
 private-cache
 private-tmp
 
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 6bdd437cd..8122079e1 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -18,10 +18,11 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-net none
-no3d
-nodbus
+ipc-namespace
+netfilter
+# nodbus - breaks proxy creation
 nodvd
 nogroups
 nonewprivs
@@ -30,15 +31,16 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
 private-bin sqlitebrowser
 private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
 
-# memory-deny-write-execute - breaks on Arch
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile
index 2b01eca88..a61038157 100644
--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -1,66 +1,75 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
-
-
-noblacklist ${HOME}/.tor-browser-ar:
-mkdir ${HOME}/.tor-browser-ar:
-whitelist ${HOME}/.tor-browser-ar:
-
-noblacklist ${HOME}/.tor-browser-en:
-mkdir ${HOME}/.tor-browser-en:
-whitelist ${HOME}/.tor-browser-en:
-
-noblacklist ${HOME}/.tor-browser-en-us:
-mkdir ${HOME}/.tor-browser-en-us:
-whitelist ${HOME}/.tor-browser-en-us:
-
-noblacklist ${HOME}/.tor-browser-es:
-mkdir ${HOME}/.tor-browser-es:
-whitelist ${HOME}/.tor-browser-es:
-
-noblacklist ${HOME}/.tor-browser-es-es:
-mkdir ${HOME}/.tor-browser-es-es:
-whitelist ${HOME}/.tor-browser-es-es:
-
-noblacklist ${HOME}/.tor-browser-fa:
-mkdir ${HOME}/.tor-browser-fa:
-whitelist ${HOME}/.tor-browser-fa:
-
-noblacklist ${HOME}/.tor-browser-fr:
-mkdir ${HOME}/.tor-browser-fr:
-whitelist ${HOME}/.tor-browser-fr:
-
-noblacklist ${HOME}/.tor-browser-it:
-mkdir ${HOME}/.tor-browser-it:
-whitelist ${HOME}/.tor-browser-it:
-
-noblacklist ${HOME}/.tor-browser-ja:
-mkdir ${HOME}/.tor-browser-ja:
-whitelist ${HOME}/.tor-browser-ja:
-
-noblacklist ${HOME}/.tor-browser-ko:
-mkdir ${HOME}/.tor-browser-ko:
-whitelist ${HOME}/.tor-browser-ko:
-
-noblacklist ${HOME}/.tor-browser-pl:
-mkdir ${HOME}/.tor-browser-pl:
-whitelist ${HOME}/.tor-browser-pl:
-
-noblacklist ${HOME}/.tor-browser-pt-br:
-mkdir ${HOME}/.tor-browser-pt-br:
-whitelist ${HOME}/.tor-browser-pt-br:
-
-noblacklist ${HOME}/.tor-browser-ru:
-mkdir ${HOME}/.tor-browser-ru:
-whitelist ${HOME}/.tor-browser-ru:
-
-noblacklist ${HOME}/.tor-browser-vi:
-mkdir ${HOME}/.tor-browser-vi:
-whitelist ${HOME}/.tor-browser-vi:
-
-noblacklist ${HOME}/.tor-browser-zh-cn:
-mkdir ${HOME}/.tor-browser-zh-cn:
-whitelist ${HOME}/.tor-browser-zh-cn:
+# Persistent local customizations
+include start-tor-browser.desktop.local
+
+
+noblacklist ${HOME}/.tor-browser-*
+noblacklist ${HOME}/.tor-browser_*
+
+whitelist ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-tw
+
+whitelist ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en_US
+whitelist ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-TW
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/strings.profile b/etc/strings.profile
index 9f6518645..ca7bd0922 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -25,7 +25,7 @@ private-bin strings
 private-cache
 private-dev
 private-etc alternatives
-private-lib
+private-lib libfakeroot
 
 memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/sysprof-cli.profile b/etc/sysprof-cli.profile
index 28d279d77..62672b22b 100644
--- a/etc/sysprof-cli.profile
+++ b/etc/sysprof-cli.profile
@@ -13,6 +13,8 @@ nodbus
 private-bin sysprof-cli
 private-lib
 
+memory-deny-write-execute
+
 
 # Redirect
 include sysprof.profile
diff --git a/etc/sysprof.profile b/etc/sysprof.profile
index a3135d001..eedf4c4b4 100644
--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -42,6 +42,6 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute - Breaks GUI on Arch
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/tar.profile b/etc/tar.profile
index b13f0c9b7..e1cfe9c80 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -27,7 +27,7 @@ tracelog
 private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
 private-dev
 private-etc alternatives,passwd,group,localtime
-private-lib
+private-lib libfakeroot
 
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/tor-browser-ca.profile b/etc/tor-browser-ca.profile
new file mode 100644
index 000000000..db70a7109
--- /dev/null
+++ b/etc/tor-browser-ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ca
+
+mkdir ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-ca
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-cs.profile b/etc/tor-browser-cs.profile
new file mode 100644
index 000000000..77b271b68
--- /dev/null
+++ b/etc/tor-browser-cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-cs
+
+mkdir ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-cs
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-da.profile b/etc/tor-browser-da.profile
new file mode 100644
index 000000000..3b9fff9a4
--- /dev/null
+++ b/etc/tor-browser-da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-da
+
+mkdir ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-da
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-de.profile b/etc/tor-browser-de.profile
new file mode 100644
index 000000000..3b4f7f94f
--- /dev/null
+++ b/etc/tor-browser-de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-de
+
+mkdir ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-de
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-el.profile b/etc/tor-browser-el.profile
new file mode 100644
index 000000000..b978b6042
--- /dev/null
+++ b/etc/tor-browser-el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-el
+
+mkdir ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-el
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-ga-ie.profile b/etc/tor-browser-ga-ie.profile
new file mode 100644
index 000000000..994897a87
--- /dev/null
+++ b/etc/tor-browser-ga-ie.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ga-ie
+
+mkdir ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-ga-ie
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-he.profile b/etc/tor-browser-he.profile
new file mode 100644
index 000000000..6367b4c0a
--- /dev/null
+++ b/etc/tor-browser-he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-he
+
+mkdir ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-he
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-hu.profile b/etc/tor-browser-hu.profile
new file mode 100644
index 000000000..68e79833e
--- /dev/null
+++ b/etc/tor-browser-hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-hu
+
+mkdir ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-hu
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-id.profile b/etc/tor-browser-id.profile
new file mode 100644
index 000000000..85b455ba2
--- /dev/null
+++ b/etc/tor-browser-id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-id
+
+mkdir ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-id
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-is.profile b/etc/tor-browser-is.profile
new file mode 100644
index 000000000..48e88db71
--- /dev/null
+++ b/etc/tor-browser-is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-is
+
+mkdir ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-is
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-ka.profile b/etc/tor-browser-ka.profile
new file mode 100644
index 000000000..173b85e5c
--- /dev/null
+++ b/etc/tor-browser-ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ka
+
+mkdir ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ka
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-nb.profile b/etc/tor-browser-nb.profile
new file mode 100644
index 000000000..d1352dd80
--- /dev/null
+++ b/etc/tor-browser-nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nb
+
+mkdir ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nb
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-nl.profile b/etc/tor-browser-nl.profile
new file mode 100644
index 000000000..d4443cca2
--- /dev/null
+++ b/etc/tor-browser-nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nl
+
+mkdir ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-nl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-sv-se.profile b/etc/tor-browser-sv-se.profile
new file mode 100644
index 000000000..c8544262f
--- /dev/null
+++ b/etc/tor-browser-sv-se.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-sv-se
+
+mkdir ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-sv-se
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-tr.profile b/etc/tor-browser-tr.profile
new file mode 100644
index 000000000..2343fa8de
--- /dev/null
+++ b/etc/tor-browser-tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-tr
+
+mkdir ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-tr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser-zh-tw.profile b/etc/tor-browser-zh-tw.profile
new file mode 100644
index 000000000..6fe09c6c1
--- /dev/null
+++ b/etc/tor-browser-zh-tw.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-zh-tw
+
+mkdir ${HOME}/.tor-browser-zh-tw
+whitelist ${HOME}/.tor-browser-zh-tw
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ar.profile b/etc/tor-browser_ar.profile
new file mode 100644
index 000000000..1e1f5ce35
--- /dev/null
+++ b/etc/tor-browser_ar.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ar
+
+mkdir ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ar
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ca.profile b/etc/tor-browser_ca.profile
new file mode 100644
index 000000000..e114b6051
--- /dev/null
+++ b/etc/tor-browser_ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ca
+
+mkdir ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_ca
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_cs.profile b/etc/tor-browser_cs.profile
new file mode 100644
index 000000000..498068bc6
--- /dev/null
+++ b/etc/tor-browser_cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_cs
+
+mkdir ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_cs
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_da.profile b/etc/tor-browser_da.profile
new file mode 100644
index 000000000..5c25c03c8
--- /dev/null
+++ b/etc/tor-browser_da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_da
+
+mkdir ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_da
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_de.profile b/etc/tor-browser_de.profile
new file mode 100644
index 000000000..d530e7dbe
--- /dev/null
+++ b/etc/tor-browser_de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_de
+
+mkdir ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_de
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_el.profile b/etc/tor-browser_el.profile
new file mode 100644
index 000000000..67d5ab440
--- /dev/null
+++ b/etc/tor-browser_el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_el
+
+mkdir ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_el
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_en-US.profile b/etc/tor-browser_en-US.profile
new file mode 100644
index 000000000..b298ab2b8
--- /dev/null
+++ b/etc/tor-browser_en-US.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en-US
+
+mkdir ${HOME}/.tor-browser_en-US
+whitelist ${HOME}/.tor-browser_en-US
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_en.profile b/etc/tor-browser_en.profile
new file mode 100644
index 000000000..6bb0616b1
--- /dev/null
+++ b/etc/tor-browser_en.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en
+
+mkdir ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_es-ES.profile b/etc/tor-browser_es-ES.profile
new file mode 100644
index 000000000..78f57ffe5
--- /dev/null
+++ b/etc/tor-browser_es-ES.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es-ES
+
+mkdir ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_es-ES
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_es.profile b/etc/tor-browser_es.profile
new file mode 100644
index 000000000..ea34a07c9
--- /dev/null
+++ b/etc/tor-browser_es.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es
+
+mkdir ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_fa.profile b/etc/tor-browser_fa.profile
new file mode 100644
index 000000000..fbc416ce5
--- /dev/null
+++ b/etc/tor-browser_fa.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fa
+
+mkdir ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fa
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_fr.profile b/etc/tor-browser_fr.profile
new file mode 100644
index 000000000..caea6db5b
--- /dev/null
+++ b/etc/tor-browser_fr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fr
+
+mkdir ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_fr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ga-IE.profile b/etc/tor-browser_ga-IE.profile
new file mode 100644
index 000000000..6342daebf
--- /dev/null
+++ b/etc/tor-browser_ga-IE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ga-IE
+
+mkdir ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_ga-IE
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_he.profile b/etc/tor-browser_he.profile
new file mode 100644
index 000000000..cc4150620
--- /dev/null
+++ b/etc/tor-browser_he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_he
+
+mkdir ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_he
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_hu.profile b/etc/tor-browser_hu.profile
new file mode 100644
index 000000000..952a0b68a
--- /dev/null
+++ b/etc/tor-browser_hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_hu
+
+mkdir ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_hu
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_id.profile b/etc/tor-browser_id.profile
new file mode 100644
index 000000000..a006b27c0
--- /dev/null
+++ b/etc/tor-browser_id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_id
+
+mkdir ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_id
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_is.profile b/etc/tor-browser_is.profile
new file mode 100644
index 000000000..038e0fabb
--- /dev/null
+++ b/etc/tor-browser_is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_is
+
+mkdir ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_is
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_it.profile b/etc/tor-browser_it.profile
new file mode 100644
index 000000000..3d2566994
--- /dev/null
+++ b/etc/tor-browser_it.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_it
+
+mkdir ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_it
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ja.profile b/etc/tor-browser_ja.profile
new file mode 100644
index 000000000..08c942bcd
--- /dev/null
+++ b/etc/tor-browser_ja.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ja
+
+mkdir ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ja
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ka.profile b/etc/tor-browser_ka.profile
new file mode 100644
index 000000000..97664be4d
--- /dev/null
+++ b/etc/tor-browser_ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ka
+
+mkdir ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ka
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ko.profile b/etc/tor-browser_ko.profile
new file mode 100644
index 000000000..98cf1e3e1
--- /dev/null
+++ b/etc/tor-browser_ko.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ko
+
+mkdir ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_ko
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_nb.profile b/etc/tor-browser_nb.profile
new file mode 100644
index 000000000..6df840573
--- /dev/null
+++ b/etc/tor-browser_nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nb
+
+mkdir ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nb
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_nl.profile b/etc/tor-browser_nl.profile
new file mode 100644
index 000000000..3f545f888
--- /dev/null
+++ b/etc/tor-browser_nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nl
+
+mkdir ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_nl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_pl.profile b/etc/tor-browser_pl.profile
new file mode 100644
index 000000000..4e04dc027
--- /dev/null
+++ b/etc/tor-browser_pl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pl
+
+mkdir ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pl
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_pt-BR.profile b/etc/tor-browser_pt-BR.profile
new file mode 100644
index 000000000..7f864886c
--- /dev/null
+++ b/etc/tor-browser_pt-BR.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pt-BR
+
+mkdir ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_pt-BR
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_ru.profile b/etc/tor-browser_ru.profile
new file mode 100644
index 000000000..2fae6fbe7
--- /dev/null
+++ b/etc/tor-browser_ru.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ru
+
+mkdir ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_ru
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_sv-SE.profile b/etc/tor-browser_sv-SE.profile
new file mode 100644
index 000000000..2157f8d2b
--- /dev/null
+++ b/etc/tor-browser_sv-SE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_sv-SE
+
+mkdir ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_sv-SE
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_tr.profile b/etc/tor-browser_tr.profile
new file mode 100644
index 000000000..20ac246ca
--- /dev/null
+++ b/etc/tor-browser_tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_tr
+
+mkdir ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_tr
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_vi.profile b/etc/tor-browser_vi.profile
new file mode 100644
index 000000000..4faa06ff6
--- /dev/null
+++ b/etc/tor-browser_vi.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_vi
+
+mkdir ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_vi
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_zh-CN.profile b/etc/tor-browser_zh-CN.profile
new file mode 100644
index 000000000..e4d8215e6
--- /dev/null
+++ b/etc/tor-browser_zh-CN.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-CN
+
+mkdir ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-CN
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/tor-browser_zh-TW.profile b/etc/tor-browser_zh-TW.profile
new file mode 100644
index 000000000..8a28015a6
--- /dev/null
+++ b/etc/tor-browser_zh-TW.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-TW
+
+mkdir ${HOME}/.tor-browser_zh-TW
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile
diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index e974e4304..3953de614 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -35,7 +35,7 @@ shell none
 # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
 
 disable-mnt
-private-bin wire-desktop
+private-bin wire-desktop,bash,sh,env,electron
 private-dev
 private-etc alternatives,fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 321c2d548..dd056553e 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -38,10 +38,10 @@ aria2c
 ark
 arm
 artha
-# atom
-# atom-beta
 assogiate
 asunder
+# atom
+# atom-beta
 atool
 atril
 atril-previewer
@@ -98,6 +98,7 @@ clipit
 cliqz
 cmus
 code
+code-oss
 conkeror
 conky
 corebird
@@ -156,6 +157,9 @@ fbreader
 feedreader
 feh
 ffmpeg
+ffmpegthumbnailer
+ffplay
+ffprobe
 file-roller
 filezilla
 firefox
@@ -177,8 +181,8 @@ freshclam
 frozen-bubble
 gajim
 gajim-history-manager
-gcalccmd
 galculator
+gcalccmd
 gcloud
 gconf-editor
 geany
@@ -197,8 +201,8 @@ gitter
 gjs
 globaltime
 gnome-2048
-gnome-builder
 gnome-books
+gnome-builder
 gnome-calculator
 gnome-chess
 gnome-clocks
@@ -235,7 +239,6 @@ gucharmap
 gwenview
 handbrake
 handbrake-gtk
-hardinfo
 hashcat
 hedgewars
 hexchat
@@ -386,6 +389,7 @@ playonlinux
 pluma
 polari
 ppsspp
+pragha
 psi-plus
 pybitmessage
 # pycharm-community - FB note: may enable later
@@ -395,6 +399,7 @@ qemu-launcher
 qlipper
 qmmp
 qpdfview
+qt-faststart
 qtox
 quassel
 quiterss
@@ -426,8 +431,8 @@ shellcheck
 shotcut
 signal-desktop
 silentarmy
-simplescreenrecorder
 simple-scan
+simplescreenrecorder
 simutrans
 skanlite
 skype
@@ -436,8 +441,8 @@ slack
 smplayer
 smtube
 snox
-sol
 soffice
+sol
 soundconverter
 spotify
 sqlitebrowser
@@ -467,28 +472,49 @@ thunderbird-beta
 thunderbird-wayland
 tilp
 tor-browser-ar
+tor-browser-ca
+tor-browser-cs
+tor-browser-da
+tor-browser-de
+tor-browser-el
 tor-browser-en
 tor-browser-en-us
 tor-browser-es
 tor-browser-es-es
 tor-browser-fa
 tor-browser-fr
+tor-browser-ga-ie
+tor-browser-he
+tor-browser-hu
+tor-browser-id
+tor-browser-is
 tor-browser-it
 tor-browser-ja
+tor-browser-ka
 tor-browser-ko
-torbrowser-launcher
+tor-browser-nb
+tor-browser-nl
 tor-browser-pl
 tor-browser-pt-br
 tor-browser-ru
+tor-browser-sv-se
+tor-browser-tr
 tor-browser-vi
 tor-browser-zh-cn
+tor-browser-zh-tw
+torbrowser-launcher
 totem
 tracker
 transgui
 transmission-cli
+transmission-create
 transmission-daemon
+transmission-edit
 transmission-gtk
 transmission-qt
+transmission-remote
+transmission-remote-cli
+transmission-remote-gtk
 transmission-show
 truecraft
 tuxguitar
@@ -527,8 +553,8 @@ xchat
 xed
 xfburn
 xfce4-dict
-xfce4-notes
 xfce4-mixer
+xfce4-notes
 xiphos
 xmms
 xmr-stak
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e186002af..461cba26a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1522,6 +1522,9 @@ int main(int argc, char **argv) {
                         if (!ppath)
                                 errExit("strdup");
 
+                        // checking for strange chars in the file name, no globbing
+                        invalid_filename(ppath, 0);
+
                         if (*ppath == ':' || access(ppath, R_OK) || is_dir(ppath)) {
                                 int has_colon = (*ppath == ':');
                                 char *ptr = ppath;
diff --git a/src/lib/common.c b/src/lib/common.c
index 3d701e62f..1678a4092 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -254,7 +254,7 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
                 if (strncmp(arg, "--", 2) != 0)
                         break;
 
-                if (strcmp(arg, "--x11=xorg") == 0)
+                if (strcmp(arg, "--x11=xorg") == 0 || strcmp(arg, "--x11=none") == 0)
                         return 0;
 
                 // check x11 xpra or xephyr