1144 files changed, 10794 insertions, 7107 deletions

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 000000000..ae7b1089a
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,48 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+Write clear, concise and in textual form.
+
+**Bug and expected behavior**
+- Describe the bug.
+- What did you expect to happen?
+
+**No profile or disabling firejail**
+- What changed calling `firejail --noprofile PROGRAM` in a shell?
+- What changed calling the program *by path*=without firejail (check `whereis PROGRAM`, `firejail --list`, `stat $programpath`)?
+
+**Reproduce**
+Steps to reproduce the behavior:
+1. Run in bash `firejail PROGRAM`
+2. See error `ERROR`
+3. Click on '....'
+4. Scroll down to '....'
+
+**Environment**
+ - Linux distribution and version (ie output of `lsb_release -a`)
+ - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)
+ - What other programs interact with the affected program for the functionality?
+ - Are these listed in the profile? 
+
+**Additional context**
+Other context about the problem like related errors to understand the problem.
+
+**Checklist**
+ - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it.
+ - [ ] The upstream profile exists (`find / -name 'firejail' 2>/dev/null`/`fd firejail` to locate profiles ie in `/usr/local/etc/firejail/PROGRAM.profile`)
+ - [ ] Programs needed for interaction are listed.
+ - [ ] Error was checked in search engine and on issue list without success.
+
+
+<details><summary> debug output </summary>
+
+```
+OUTPUT OF `firejail --debug PROGRAM`
+```
+
+</details>
diff --git a/.gitignore b/.gitignore
index 9995da44c..8142985b3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
 *.rpm
 *.gcda
 *.gcno
+*.DS_Store
 .directory
 Makefile
 autom4te.cache/
@@ -19,6 +20,7 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
+mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
 src/firecfg/firecfg
@@ -33,6 +35,7 @@ src/fsec-optimize/fsec-optimize
 src/fcopy/fcopy
 src/fldd/fldd
 src/fbuilder/fbuilder
+etc/profstats
 uids.h
 seccomp
 seccomp.debug
@@ -40,6 +43,7 @@ seccomp.32
 seccomp.64
 seccomp.block_secondary
 seccomp.mdwx
+seccomp.mdwx.32
 src/common.mk
 aclocal.m4
 __pycache__
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 81b9cfce4..11f25284d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,9 +9,9 @@ build_ubuntu_package:
     image: ubuntu:rolling
     script:
         - apt-get update -qq
-        - apt-get install -y -qq build-essential lintian pkg-config python3
+        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3
         - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
-        - python3 contrib/sort.py etc/*.{profile,inc}
+        - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_debian_package:
     image: debian:stretch
@@ -20,12 +20,12 @@ build_debian_package:
         - apt-get install -y -qq build-essential lintian pkg-config
         - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
 
-#build_redhat_package:
-#    image: centos:latest
-#    script:
-#        - yum update -y
-#        - yum install -y rpm-build gcc make
-#        - ./configure --prefix=/usr && make rpms && yum install -y firejail*.rpm
+build_redhat_package:
+    image: centos:latest
+    script:
+        - dnf update -y
+        - dnf install -y rpm-build gcc make
+        - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
 
 build_fedora_package:
     image: fedora:latest
@@ -33,7 +33,7 @@ build_fedora_package:
         - dnf update -y
         - dnf install -y rpm-build gcc make
         - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
-        - python3 contrib/sort.py etc/*.{profile,inc}
+        - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
 build_src_package:
     image: alpine:latest
@@ -48,8 +48,8 @@ build_apparmor:
     image: ubuntu:latest
     script:
         - apt-get update -qq
-        - apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config
-        - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail-apparmor*.deb
+        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config
+        - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail*.deb
 
 cppcheck:
     image: debian:latest
@@ -59,6 +59,15 @@ cppcheck:
     script:
         - cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
 
+clang:
+    image: ubuntu:latest
+    script:
+        - apt-get update -qq
+        - apt-get --purge autoremove -y -qq gcc
+        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq clang pkg-config make
+        - ./configure --prefix=/usr CC=/usr/bin/clang && make && make install-strip
+
+
 debian_ci:
     image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
     variables:
diff --git a/Makefile.in b/Makefile.in
index 0285d8592..8cbba12e9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,9 +1,3 @@
-all: apps man filters
-MYLIBS = src/lib
-APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
-
 prefix=@prefix@
 exec_prefix=@exec_prefix@
 bindir=@bindir@
@@ -22,14 +16,26 @@ HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
 BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
 HAVE_SUID=@HAVE_SUID@
 
-.PHONY: mylibs $(MYLIBS)
-mylibs: $(MYLIBS)
-$(MYLIBS):
-        $(MAKE) -C $@
+all: all_items man filters
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats
+SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/ftee/ftee
+MYDIRS = src/lib
+MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
+ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
+SBOX_APPS += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+endif
+ALL_ITEMS = $(APPS) $(SBOX_APPS) $(MYLIBS)
 
-.PHONY: apps $(APPS)
-apps: $(APPS)
-$(APPS): $(MYLIBS)
+.PHONY: all_items $(ALL_ITEMS)
+all_items: $(ALL_ITEMS)
+$(ALL_ITEMS): $(MYDIRS)
+        $(MAKE) -C $(dir $@)
+
+.PHONY: mydirs
+mydirs: mydirs $(MYDIRS)
+$(MYDIRS):
         $(MAKE) -C $@
 
 $(MANPAGES): $(wildcard src/man/*.txt)
@@ -37,20 +43,32 @@ $(MANPAGES): $(wildcard src/man/*.txt)
 
 man: $(MANPAGES)
 
-filters: src/fseccomp
+filters: $(SECCOMP_FILTERS) $(SBOX_APPS)
 ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
+seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
         src/fseccomp/fseccomp default seccomp
         src/fsec-optimize/fsec-optimize seccomp
+
+seccomp.debug: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
         src/fseccomp/fseccomp default seccomp.debug allow-debuggers
         src/fsec-optimize/fsec-optimize seccomp.debug
+
+seccomp.32: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
         src/fseccomp/fseccomp secondary 32 seccomp.32
         src/fsec-optimize/fsec-optimize seccomp.32
+
+seccomp.block_secondary: src/fseccomp/fseccomp
         src/fseccomp/fseccomp secondary block seccomp.block_secondary
+
+seccomp.mdwx: src/fseccomp/fseccomp
         src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
+
+seccomp.mdwx.32: src/fseccomp/fseccomp
+        src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
 endif
 
 clean:
-        for dir in $(APPS) $(MYLIBS); do \
+        for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                 $(MAKE) -C $$dir clean; \
         done
         rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
@@ -68,139 +86,99 @@ clean:
         cd test/compile; ./compile.sh --clean; cd ../..
 
 distclean: clean
-        for dir in $(APPS) $(MYLIBS); do \
+        for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                 $(MAKE) -C $$dir distclean; \
         done
-        rm -fr Makefile autom4te.cache config.log config.status config.h dummy.o src/common.mk
+        rm -fr Makefile autom4te.cache config.log config.status config.h src/common.mk mkdeb.sh
 
 realinstall:
         # firejail executable
-        install -m 0755 -d $(DESTDIR)/$(bindir)
-        install -c -m 0755 src/firejail/firejail $(DESTDIR)/$(bindir)/.
+        install -m 0755 -d $(DESTDIR)$(bindir)
+        install -m 0755 src/firejail/firejail $(DESTDIR)$(bindir)
 ifeq ($(HAVE_SUID),yes)
-        chmod u+s $(DESTDIR)/$(bindir)/firejail
+        chmod u+s $(DESTDIR)$(bindir)/firejail
 endif
         # firemon executable
-        install -c -m 0755 src/firemon/firemon $(DESTDIR)/$(bindir)/.
+        install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
         # firecfg executable
-        install -c -m 0755 src/firecfg/firecfg $(DESTDIR)/$(bindir)/.
+        install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
         # libraries and plugins
-        install -m 0755 -d $(DESTDIR)/$(libdir)/firejail
-        install -c -m 0644 src/libtrace/libtrace.so $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 src/libtracelog/libtracelog.so $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 src/libpostexecseccomp/libpostexecseccomp.so $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/ftee/ftee $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/.
-
-        install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fnetfilter/fnetfilter $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
-ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
-        install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fsec-optimize/fsec-optimize $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp.debug $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/.
-endif
+        install -m 0755 -d $(DESTDIR)$(libdir)/firejail
+        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
+        install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
-        install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 contrib/sort.py $(DESTDIR)/$(libdir)/firejail/.
-        install -c -m 0755 contrib/syscalls.sh $(DESTDIR)/$(libdir)/firejail/.
+        install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
+        # vim syntax
+        install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
+        install -m 0755 -d $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
+        install -m 0644 contrib/vim/ftdetect/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/ftdetect
+        install -m 0644 contrib/vim/syntax/firejail.vim $(DESTDIR)$(datarootdir)/vim/vimfiles/syntax
 endif
         # documents
-        install -m 0755 -d $(DESTDIR)/$(DOCDIR)
-        install -c -m 0644 COPYING $(DESTDIR)/$(DOCDIR)/.
-        install -c -m 0644 README $(DESTDIR)/$(DOCDIR)/.
-        install -c -m 0644 RELNOTES $(DESTDIR)/$(DOCDIR)/.
-        install -c -m 0644 etc/templates/* $(DESTDIR)/$(DOCDIR)/.
-        # etc files
-        ./mketc.sh $(sysconfdir) $(BUSYBOX_WORKAROUND)
-        install -m 0755 -d $(DESTDIR)/$(sysconfdir)/firejail
-        for file in .etc/* etc/firejail.config; do \
-                install -c -m 0644 $$file $(DESTDIR)/$(sysconfdir)/firejail; \
-        done
+        install -m 0755 -d $(DESTDIR)$(DOCDIR)
+        install -m 0644 -t $(DESTDIR)$(DOCDIR) COPYING README RELNOTES etc/templates/*
+        # profiles and settings
+        install -m 0755 -d $(DESTDIR)$(sysconfdir)/firejail
+        install -m 0644 -t $(DESTDIR)$(sysconfdir)/firejail etc/profile-a-l/*.profile etc/profile-m-z/*.profile etc/inc/*.inc etc/net/*.net etc/firejail.config
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
-        rm -fr .etc
+ifeq ($(BUSYBOX_WORKAROUND),yes)
+        ./mketc.sh $(DESTDIR)$(sysconfdir)/firejail/disable-common.inc
+endif
 ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
         # install apparmor profile
         sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
-        install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
+        install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
         sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
         # install apparmor profile customization file
-        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;"
+        sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;"
 endif
         # man pages
-        install -m 0755 -d $(DESTDIR)/$(mandir)/man1
-        install -m 0755 -d $(DESTDIR)/$(mandir)/man5
+        install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
         for man in $(MANPAGES); do \
                 rm -f $$man.gz; \
                 gzip -9n $$man; \
                 case "$$man" in \
-                        *.1) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man1/; ;; \
-                        *.5) install -c -m 0644 $$man.gz $(DESTDIR)/$(mandir)/man5/; ;; \
+                        *.1) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man1/; ;; \
+                        *.5) install -m 0644 $$man.gz $(DESTDIR)$(mandir)/man5/; ;; \
                 esac; \
         done
         rm -f $(MANPAGES) $(MANPAGES:%=%.gz)
         # bash completion
-        install -m 0755 -d $(DESTDIR)/$(datarootdir)/bash-completion/completions
-        install -c -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
-        install -c -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
-        install -c -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
+        install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
+        install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
+        install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
+        install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
 
 install: all
         $(MAKE) realinstall
 
 install-strip: all
-        strip src/firejail/firejail
-        strip src/firemon/firemon
-        strip src/firecfg/firecfg
-        strip src/libtrace/libtrace.so
-        strip src/libtracelog/libtracelog.so
-        strip src/libpostexecseccomp/libpostexecseccomp.so
-        strip src/ftee/ftee
-        strip src/faudit/faudit
-        strip src/fnet/fnet
-        strip src/fnetfilter/fnetfilter
-        strip src/fseccomp/fseccomp
-        strip src/fsec-print/fsec-print
-        strip src/fsec-optimize/fsec-optimize
-        strip src/fcopy/fcopy
-        strip src/fldd/fldd
-        strip src/fbuilder/fbuilder
+        strip $(ALL_ITEMS)
         $(MAKE) realinstall
 
 uninstall:
-        rm -f $(DESTDIR)/$(bindir)/firejail
-        rm -f $(DESTDIR)/$(bindir)/firemon
-        rm -f $(DESTDIR)/$(bindir)/firecfg
-        rm -fr $(DESTDIR)/$(libdir)/firejail
-        rm -fr $(DESTDIR)/$(datarootdir)/doc/firejail
+        rm -f $(DESTDIR)$(bindir)/firejail
+        rm -f $(DESTDIR)$(bindir)/firemon
+        rm -f $(DESTDIR)$(bindir)/firecfg
+        rm -fr $(DESTDIR)$(libdir)/firejail
+        rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
         for man in $(MANPAGES); do \
-                rm -f $(DESTDIR)/$(mandir)/man5/$$man*; \
-                rm -f $(DESTDIR)/$(mandir)/man1/$$man*; \
+                rm -f $(DESTDIR)$(mandir)/man5/$$man*; \
+                rm -f $(DESTDIR)$(mandir)/man1/$$man*; \
         done
-        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firejail
-        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon
-        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
-        @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)/$(sysconfdir)/firejail', see #2038."
+        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
+        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon
+        rm -f $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg
+        @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
-DISTFILES = "src etc m4 platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkdeb-apparmor.sh COPYING README RELNOTES"
+DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES"
 DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
 
 dist:
         mv config.status config.status.old
+        mv mkdeb.sh mkdeb.sh.old
         make distclean
+        mv mkdeb.sh.old mkdeb.sh
         mv config.status.old config.status
         rm -fr $(NAME)-$(VERSION) $(NAME)-$(VERSION).tar.xz
         mkdir -p $(NAME)-$(VERSION)/test
@@ -214,10 +192,10 @@ dist:
 asc:; ./mkasc.sh $(VERSION)
 
 deb: dist
-        ./mkdeb.sh $(NAME) $(VERSION)
+        ./mkdeb.sh
 
 deb-apparmor: dist
-        ./mkdeb-apparmor.sh $(NAME) $(VERSION)
+        ./mkdeb.sh -apparmor
 
 test-compile: dist
         cd test/compile; ./compile.sh $(NAME)-$(VERSION)
@@ -293,7 +271,7 @@ test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sy
 
 ##########################################
 # Individual tests, some of them require root access
-# The tests are very intrussive, by the time you are done
+# The tests are very intrusive, by the time you are done
 # with them you will need to restart your computer.
 ##########################################
 
@@ -318,7 +296,7 @@ test-network:
 test-stress:
         cd test/stress; ./stress.sh | grep TESTING
 
-# Tesets running a root user
+# Tests running a root user
 test-root:
         cd test/root; su -c ./root.sh | grep TESTING
 
diff --git a/README b/README
index 8c254d313..cf6579265 100644
--- a/README
+++ b/README
@@ -37,6 +37,7 @@ Maintainer:
 Committers
 - chiraag-nataraj (https://github.com/chiraag-nataraj)
 - crass (https://github.com/crass)
+- curiosityseeker (https://github.com/curiosityseeker)
 - glitsj16 (https://github.com/glitsj16)
 - Fred-Barclay (https://github.com/Fred-Barclay)
 - Kristóf Marussy (https://github.com/kris7t)
@@ -54,6 +55,9 @@ Committers
 
 Firejail Authors (alphabetical order)
 
+0x7969 (https://github.com/0x7969)
+        - fix wire-desktop.profile
+        - add ferdi.profile
 7twin (https://github.com/7twin_)
         - fix typos
         - fix flameshot raw screenshots
@@ -61,6 +65,7 @@ Firejail Authors (alphabetical order)
         - add pybitmessage profile
 Adrian L. Shaw (https://github.com/adrianlshaw)
         - add profanity profile
+        - add barrirer profile
 Aidan Gauland (https://github.com/aidalgol)
         - added electron and riot-web profiles
 Akhil Hans Maulloo (https://github.com/kouul)
@@ -90,6 +95,9 @@ Alexander Gerasiov (https://github.com/gerasiov)
         - profile updates
 Alexander Stein (https://github.com/ajstein)
         - added profile for qutebrowser
+Amin Vakil (https://github.com/aminvakil)
+        - whois profile fix
+        - added profile for strawberry
 Andreas Hunkeler (https://github.com/Karneades)
         - Add profile for offical Linux Teams application
 Andrey Alekseenko (https://github.com/al42and)
@@ -97,6 +105,8 @@ Andrey Alekseenko (https://github.com/al42and)
         - fixed Skype profile
 andrew160 (https://github.com/andrew160)
         - profile and man pages fixes
+Andrew Branson (https://github.com/abranson)
+        - 32bit ARM syscall table
 announ (https://github.com/announ)
         - mpv and youtube-dl profile fixes
         - git profile fix
@@ -105,13 +115,19 @@ Antonio Russo (https://github.com/aerusso)
         - enumerate root directories in apparmor profile
         - fix join-or-start
         - wusc fixes
+        - okular profile fixes
+        - manpage fixes
 aoand (https://github.com/aoand)
         - seccomp fix: allow numeric syscalls
+Atrate (https://github.com/Atrate)
+        - BetterDiscord support
 Austin Morton (https://github.com/apmorton)
         - deterministic-exit-code option
         - private-cwd options
 Austin S. Hemmelgarn (https://github.com/Ferroin)
         - unbound profile update
+Avi Lumelsky (https://github.com/avilum)
+        - syscall.sh improvements
 avoidr (https://github.com/avoidr)
         - whitelist fix
         - recently-used.xbel fix
@@ -160,8 +176,13 @@ BytesTuner (https://github.com/BytesTuner)
         - provided keepassxc profile
 caoliver (https://github.com/caoliver)
         - network system fixes
+Carlo Abelli (https://github.com/carloabelli)
+        - fixed udiskie profile
+        - Allow mbind syscall for GIMP
 Cat (https://github.com/ecat3)
         - prevent tmux connecting to an existing session
+Christian Pinedo (https://github.com/chrpinedo)
+        - added nicotine profile
 creideiki (https://github.com/creideiki)
         - make the sandbox process reap all children
         - tor browser profile fix
@@ -183,7 +204,8 @@ crass (https://github.com/crass)
         - extract_command_name fixes
         - update appimage size calculation to newest code from libappimage
         - firejail should look for processes with names exactly named
-curiosity-seeker (https://github.com/curiosity-seeker)
+curiosity-seeker (https://github.com/curiosity-seeker - old)
+curiosityseeker (https://github.com/curiosityseeker - new)
         - tightening unbound and dnscrypt-proxy profiles
         - correct and tighten QuiteRss profile
         - dnsmasq profile
@@ -200,6 +222,8 @@ curiosity-seeker (https://github.com/curiosity-seeker)
         - added cantata profile
         - updated keypassxc profile
         - added syscalls.sh, which determine the necessary syscalls for a program
+        - fixed conky profile
+        - thunderbird.profile: harden and enable the rules necessary to make Firefox open links
 da2x (https://github.com/da2x)
         - matched RPM license tag
 Daan Bakker (https://github.com/dbakker)
@@ -214,6 +238,8 @@ Dara Adib (https://github.com/daradib)
         - evince profile fix
 David Thole (https://github.com/TheDarkTrumpet)
         - added profile for teams-for-linux
+Davide Beatrici (https://github.com/davidebeatrici)
+        - steam.profile: correctly blacklist unneeded directories in user's home
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
         - added xpdf profile
 Denys Havrysh (https://github.com/vutny)
@@ -227,6 +253,9 @@ DiGitHubCap (https://github.com/DiGitHubCap)
         - deluge profile fix
 Disconnect3d (https://github.com/disconnect3d)
         - code cleanup
+dmfreemon (https://github.com/dmfreemon)
+        - add sandbox name or name of private directory to the window title when xpra is used
+        - handle malloc() failures; use gnu_basename() instead of basenaem()
 dshmgh (https://github.com/dshmgh)
         - overlayfs fix for systems with /home mounted on a separate partition
 Duncan Overbruck (https://github.com/Duncaen)
@@ -250,6 +279,7 @@ Felipe Barriga Richards (https://github.com/fbarriga)
 Florian Begusch (https://github.com/florianbegusch)
         - (la)tex profiles
         - fixed transmission-common.profile
+        - fixed standardnotes-desktop.profile
 floxo (https://github.com/floxo)
         - fixed qml disk cache issue
 Franco (nextime) Lanza (https://github.com/nextime)
@@ -357,6 +387,8 @@ haarp (https://github.com/haarp)
         - Allow sound for hexchat
 hamzadis (https://github.com/hamzadis)
         - added --overlay-named=name and --overlay-path=path
+Hans-Christoph Steiner (https://github.com/eighthave)
+        - added xournal profile
 hawkey116477 (https://github.com/hawkeye116477)
         - added Waterfox profile
         - updated Cyberfox profile
@@ -472,12 +504,17 @@ LaurentGH (https://github.com/LaurentGH)
         - allow private-bin parameters to be absolute paths
 Loïc Damien (https://github.com/dzamlo)
         - small fixes
+Liorst4 (https://github.com/Liorst4)
+        - Preserve CFLAGS given to configure in common.mk.in
+        - fix emacs config to load as read-write
 Lockdis (https://github.com/Lockdis)
         - Added crow, nyx, and google-earth-pro profiles
 Lukáš Krejčí (https://github.com/lskrejci)
         - fixed parsing of --keep-var-tmp
 luzpaz (https://github.com/luzpaz)
         - code spelling fixes
+Mace Muilman (https://github.com/mace015)
+        - google-chrome{,beta,unstable} flags
 maces (https://github.com/maces)
         - Franz messenger profile
 Madura A (https://github.com/manushanga)
@@ -502,6 +539,7 @@ Matthew Gyurgyik (https://github.com/pyther)
 matu3ba (https://github.com/matu3ba)
         - evince hardening, dbus removed
         - fix dia profile
+        - several template fixes
 maxice8 (https://github.com/maxice8)
         - fixed missing header
 Melvin Vermeeren (https://github.com/melvinvermeeren)
@@ -564,6 +602,8 @@ Peter Hogg (https://github.com/pigmonkey)
         - bitlbee profile fixes
         - mutt profile fixes
         - fixes for youtube-dl in mpv profile
+Peter Sanford (https://github.com/psanford)
+        - fix QtWebEngine in zoom
 Petter Reinholdtsen (pere@hungry.com)
         - Opera profile patch
 PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
@@ -760,6 +800,7 @@ StelFux (https://github.com/StelFux)
         - Fix youtube video in totem
 the-antz (https://github.com/the-antz)
         - Fix libx265 encoding in ffmpeg profile
+        - Fix Firefox profile
         - Profile tweaks
 thewisenerd (https://github.com/thewisenerd)
         - allow multiple private-home commands
diff --git a/README.md b/README.md
index f90cdb7d4..14ca60e33 100644
--- a/README.md
+++ b/README.md
@@ -75,7 +75,14 @@ GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
 
 We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com
 
-## Compile and install
+## Installing
+
+Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
+
+The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian buster we recommend to use the [backports](https://packages.debian.org/buster-backports/firejail) package.
+
+You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
+
 `````
 $ git clone https://github.com/netblue30/firejail.git
 $ cd firejail
@@ -89,6 +96,8 @@ $ sudo apt-get install git build-essential libapparmor-dev pkg-config
 `````
 For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
 
+Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
+
 ## Running the sandbox
 
 To start the sandbox, prefix your command with “firejail”:
@@ -149,6 +158,42 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
 ## Current development version: 0.9.63
 
+### Profile Statistics
+
+A small tool to print profile statistics. Compile as usual and run:
+`````
+$ make
+$ cd etc
+$ ./profstats *.profile
+    profiles                    966
+    include local profile       966   (include profile-name.local)
+    include globals             966   (include globals.local)
+    blacklist ~/.ssh            951   (include disable-common.inc)
+    seccomp                     908
+    capabilities                965
+    noexec                      830   (include disable-exec.inc)
+    memory-deny-write-execute   214
+    apparmor                    488
+    private-bin                 483
+    private-dev                 829
+    private-etc                 366
+    private-tmp                 726
+    whitelist var               638   (include whitelist-var-common.inc)
+    whitelist run/user          282   (include whitelist-runuser-common.inc
+                                        or blacklist ${RUNUSER})
+    whitelist usr/share         275   (include whitelist-usr-share-common.inc
+    net none                    313
+`````
+
+Run ./profstats -h for help.
+
 ### New profiles:
 
-gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams
+gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et,
+multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl,
+muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal,
+gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer,
+penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
+four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
+hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
+seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded, cawbird, freetube, homebank, mattermost-desktop, newsflash, com.gitlab.newsflash, element-desktop, sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx, minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar, vmware, git-cola, otter-browser
diff --git a/RELNOTES b/RELNOTES
index ab0dc481d..07dd9f8a9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,14 +1,50 @@
 firejail (0.9.63) baseline; urgency=low
   * work in progress
+  * security: fixes for CVE-2020-17367 & CVE-2020-17368, reported by Tim Starling
+  * The blocking action of seccomp filters has been changed from
+    killing the process to returning EPERM to the caller. To get the
+    previous behaviour, use --seccomp-error-action=kill or
+    syscall:kill syntax when constructing filters, or override in
+    /etc/firejail/firejail.config file.
+  * Fine-grained D-Bus sandboxing with xdg-dbus-proxy.
+    xdg-dbus-proxy must be installed, if not D-Bus access will be allowed.
+    With this version nodbus is deprecated, in favor of dbus-user none and
+    dbus-system none and will be removed in a future version.
   * DHCP client support
+  * firecfg only fix dektop-files if started with sudo
   * SELinux labeling support
+  * custom 32-bit seccomp filter support
+  * restrict ${RUNUSER} in several profiles
+  * blacklist shells such as bash in several profiles
+  * whitelist globbing
+  * mkdir and mkfile support for /run/user directory
+  * support ignore for include
+  * new condition: HAS_NOSOUND
   * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
   * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
   * new profiles: pdflatex, tex, wpp, wpspdf, wps, et, multimc, mupdf-x11
   * new profiles: gnome-hexgl, com.github.johnfactotum.Foliate, mupdf-gl, mutool
   * new profiles: desktopeditors, impressive, planmaker18, planmaker18free
   * new profiles: presentations18, presentations18free, textmaker18, teams
-  * new profiles: textmaker18free
+  * new profiles: textmaker18free, xournal, gnome-screenshot, ripperX
+  * new profiles: sound-juicer, com.github.dahenson.agenda, gnome-pomodoro
+  * new profiles: gnome-todo, x2goclient, iagno, kmplayer, penguin-command
+  * new profiles: frogatto, gnome-mines, gnome-nibbles, lightsoff, warmux
+  * new profiles: ts3client_runscript.sh, ferdi, abiword, four-in-a-row
+  * new profiles: gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin
+  * new profiles: gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars
+  * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
+  * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
+  * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
+  * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop
+  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry
+  * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
+  * new profiles: gapplication, openarena_ded, element-desktop, cawbird, freetube
+  * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
+  * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
+  * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
+  * new profiles: vmware, git-cola, otter-browser
+ -- netblue30 <netblue30@yahoo.com>  Tue, 21 Apr 2020 08:00:00 -0500
 
 firejail (0.9.62) baseline; urgency=low
   * added file-copy-limit in /etc/firejail/firejail.config
@@ -36,7 +72,7 @@ firejail (0.9.62) baseline; urgency=low
   * new profiles: kalgebramobile, signal-cli, amuled, kfind, profanity
   * new profiles: audio-recorder, cameramonitor, ddgtk, drawio, unf, gmpc
   * new profiles: electron-mail, gist, gist-paste
- -- netblue30 <netblue30@yahoo.com>  Sat, 1 Jun 2019 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Sat, 28 Dec 2019 08:00:00 -0500
 
 firejail (0.9.60) baseline; urgency=low
   * security bug reported by Austin Morton:
diff --git a/SECURITY.md b/SECURITY.md
index 46942a936..883f915ed 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,9 +6,9 @@
 | ------- | ------------------ | ---- | ---------------------------
 | 0.9.62  | :heavy_check_mark: |      | :white_check_mark: Debian 11 (testing/unstable), 10 **backports**; Ubuntu 20.04
 | 0.9.60  | :x:                |      | :white_check_mark: Ubuntu 19.10
-| 0.9.58  | :x:                |      | :white_check_mark: Ubuntu 19.04; Debian 9 **backports**, 10
+| 0.9.58  | :x:                |      | :white_check_mark: Debian 9 **backports**, 10
 | 0.9.56  | :x:                | 27 Jan 2019 |
-| 0.9.54  | :x:                |      | :white_check_mark: Ubuntu 18.10
+| 0.9.54  | :x:                | 18 Sep 2018 |
 | 0.9.52  | :x:                |      | :white_check_mark: Ubuntu 18.04 LTS
 | 0.9.50  | :x:                | 12 Dec 2017 |
 | 0.9.48  | :x:                | 09 Sep 2017 |
diff --git a/configure b/configure
index 53ea8f19d..12881fcaf 100755
--- a/configure
+++ b/configure
@@ -683,6 +683,7 @@ infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
@@ -776,6 +777,7 @@ datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1028,6 +1030,15 @@ do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1165,7 +1176,7 @@ fi
 for ac_var in   exec_prefix prefix bindir sbindir libexecdir datarootdir \
                 datadir sysconfdir sharedstatedir localstatedir includedir \
                 oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-                libdir localedir mandir
+                libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1318,6 +1329,7 @@ Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -4174,7 +4186,9 @@ if test "$prefix" = /usr; then
         test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile"
+ac_config_files="$ac_config_files mkdeb.sh"
+
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4883,6 +4897,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 for ac_config_target in $ac_config_targets
 do
   case $ac_config_target in
+    "mkdeb.sh") CONFIG_FILES="$CONFIG_FILES mkdeb.sh" ;;
     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
     "src/common.mk") CONFIG_FILES="$CONFIG_FILES src/common.mk" ;;
     "src/lib/Makefile") CONFIG_FILES="$CONFIG_FILES src/lib/Makefile" ;;
@@ -4902,6 +4917,7 @@ do
     "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;
     "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
     "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
+    "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
@@ -5320,6 +5336,11 @@ which seems to be undefined.  Please make sure it is defined" >&2;}
 
   esac
 
+
+  case $ac_file$ac_mode in
+    "mkdeb.sh":F) chmod +x mkdeb.sh ;;
+
+  esac
 done # for ac_tag
 
 
diff --git a/configure.ac b/configure.ac
index 3c9f901cb..feb0b38a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -204,9 +204,11 @@ if test "$prefix" = /usr; then
         test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
 fi
 
+AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
-src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile)
+src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
+src/profstats/Makefile)
 
 echo
 echo "Configuration options:"
diff --git a/contrib/syscalls.sh b/contrib/syscalls.sh
index c9b5a245a..b990ac23c 100755
--- a/contrib/syscalls.sh
+++ b/contrib/syscalls.sh
@@ -8,26 +8,22 @@ SYSCALLS_OUTPUT_FILE="$(pwd)/syscalls.txt"
 
 if [ $# -eq 0 ]
 then
-echo
-echo "   *** No program specified!!! ***"
-echo
-echo -e "Make this file executable and execute it as:\\n"
-echo -e "\\e[96m   syscalls.sh /full/path/to/program\\n"
-echo -e "\\e[39mif you saved this script in a directory in your PATH (e.g., in ${HOME}/bin), otherwise as:\\n"
-echo -e "\\e[96m   ./syscalls.sh /full/path/to/program\\n"
-echo -e "\\e[39mUse the full path to the respective program to avoid executing it sandboxed with Firejail\\n(if a Firejail profile for it already exits and 'sudo firecfg' was executed earlier)\\nin order to determine the necessary system calls."
-echo
-exit 0
-
+  echo
+  echo "   *** No program specified!!! ***"
+  echo
+  echo -e "Make this file executable and execute it as:\\n"
+  echo -e "\\e[96m   syscalls.sh /full/path/to/program\\n"
+  echo -e "\\e[39mif you saved this script in a directory in your PATH (e.g., in ${HOME}/bin), otherwise as:\\n"
+  echo -e "\\e[96m   ./syscalls.sh /full/path/to/program\\n"
+  echo -e "\\e[39mUse the full path to the respective program to avoid executing it sandboxed with Firejail\\n(if a Firejail profile for it already exits and 'sudo firecfg' was executed earlier)\\nin order to determine the necessary system calls."
+  echo
+  exit 0
 else
-
-strace -cfo "$STRACE_OUTPUT_FILE" "$@" && awk '{print $NF}' "$STRACE_OUTPUT_FILE" | sed '/syscall\|-\|total/d' | sort -u | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/' > "$SYSCALLS_OUTPUT_FILE"
-echo
-echo -e "\e[39mThese are the sorted syscalls:\n\e[93m"
-cat "$SYSCALLS_OUTPUT_FILE"
-echo
-echo -e "\e[39mThe sorted syscalls were saved to:\n\n\e[96m$SYSCALLS_OUTPUT_FILE"
-echo
-exit 0
-
+  strace -cfo "$STRACE_OUTPUT_FILE" "$@" && awk '{print $NF}' "$STRACE_OUTPUT_FILE" | sed '/syscall\|-\|total/d' | sort -u | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/' > "$SYSCALLS_OUTPUT_FILE"
+  echo
+  echo -e "\e[39mThese are the sorted syscalls:\n\e[93m"
+  cat "$SYSCALLS_OUTPUT_FILE"
+  echo
+  echo -e "\e[39mThe sorted syscalls were saved to:\n\e[96m$SYSCALLS_OUTPUT_FILE\n\e[39m"
+  exit 0
 fi
diff --git a/contrib/update_deb.sh b/contrib/update_deb.sh
index d417a09ea..1fceca788 100755
--- a/contrib/update_deb.sh
+++ b/contrib/update_deb.sh
@@ -6,11 +6,19 @@
 # Purpose: Fetch, compile, and install firejail from GitHub source. For
 # Debian-based distros only (Ubuntu, Mint, etc).
 set -e
+
 git clone --depth=1 https://github.com/netblue30/firejail.git
 cd firejail
-./configure --prefix=/usr
+./configure --enable-apparmor --prefix=/usr
+
+# Fix https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916920
+sed -i \
+    -e "s/# cgroup .*/cgroup no/" \
+    -e "s/# restricted-network .*/restricted-network yes/" \
+    etc/firejail.config
+
 make deb
 sudo dpkg -i firejail*.deb
-echo "Firejail was updated!"
+echo "Firejail updated."
 cd ..
 rm -rf firejail
diff --git a/dummy.c b/dummy.c
deleted file mode 100644
index fbf3dd775..000000000
--- a/dummy.c
+++ /dev/null
@@ -1,7 +0,0 @@
-// This file is part of Firejail project
-// Copyright (C) 2014-2020 Firejail Authors
-// License GPL v2
-
-int main(void) {
-        return 0;
-}
diff --git a/etc-fixes/0.9.52/atom.profile b/etc-fixes/0.9.52/atom.profile
new file mode 100644
index 000000000..87ffdced9
--- /dev/null
+++ b/etc-fixes/0.9.52/atom.profile
@@ -0,0 +1,31 @@
+# Firejail profile for atom
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/atom.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# blacklist /run/user/*/bus
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodvd
+nogroups
+nosound
+notv
+novideo
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile
new file mode 100644
index 000000000..9bc35da5a
--- /dev/null
+++ b/etc-fixes/0.9.58/atom.profile
@@ -0,0 +1,36 @@
+
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+
+include disable-common.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+
+private-cache
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc-fixes/0.9.60/atom.profile b/etc-fixes/0.9.60/atom.profile
new file mode 100644
index 000000000..c8929127b
--- /dev/null
+++ b/etc-fixes/0.9.60/atom.profile
@@ -0,0 +1,37 @@
+# Firejail profile for atom
+# Description: A hackable text editor for the 21st Century
+# This file is overwritten after every install/update
+# Persistent local customizations
+include atom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.atom
+noblacklist ${HOME}/.config/Atom
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.pythonrc.py
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.keep sys_admin,sys_chroot
+# net none
+netfilter
+nodbus
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+
+private-cache
+private-dev
+private-tmp
diff --git a/etc/Thunar.profile b/etc/Thunar.profile
deleted file mode 100644
index 761440ccc..000000000
--- a/etc/Thunar.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for Thunar
-# Description: File Manager for Xfce
-# This file is overwritten after every install/update
-# Persistent local customizations
-include Thunar.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.config/Thunar
-noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-
-allusers
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
diff --git a/etc/firejail-default b/etc/apparmor/firejail-default
index 763b838d3..04a38f0ce 100644
--- a/etc/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -19,6 +19,8 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #include <abstractions/dbus-strict>
 #include <abstractions/dbus-session-strict>
 dbus,
+# Add rule in order to avoid dbus-*=filter breakage (#3432)
+owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,
 
 ##########
 # With ptrace it is possible to inspect and hijack running programs.
@@ -47,6 +49,10 @@ owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
 owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
 owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
 
+# Allow writing to /var/mail and /var/spool/mail (for mail clients)
+# Uncomment to enable
+#owner /var/{mail,spool/mail}/** w,
+
 # Allow writing to removable media
 owner /{,var/}run/media/** w,
 
@@ -65,6 +71,8 @@ owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
 
 # Needed for electron apps
 /proc/@{PID}/comm w,
+# Needed for nslookup, dig, host
+/proc/@{PID}/task/@{PID}/comm w,
 
 # Used by chromium
 owner /proc/@{PID}/oom_score_adj w,
diff --git a/etc/firejail-local b/etc/apparmor/firejail-local
index f086653f8..f086653f8 100644
--- a/etc/firejail-local
+++ b/etc/apparmor/firejail-local
diff --git a/etc/caja.profile b/etc/caja.profile
deleted file mode 100644
index 7bf901ae3..000000000
--- a/etc/caja.profile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Firejail profile for caja
-# Description: File manager for the MATE desktop
-# This file is overwritten after every install/update
-# Persistent local customizations
-include caja.local
-# Persistent global definitions
-include globals.local
-
-# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# is already a caja process running on MATE desktops firejail will have no effect.
-
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.config/caja - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.local/share/caja-python
-
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-
-allusers
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# caja needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin caja
-# private-dev
-# private-tmp
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
deleted file mode 100644
index 0e5a6e6fe..000000000
--- a/etc/dolphin.profile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Firejail profile for dolphin
-# Description: File manager
-# This file is overwritten after every install/update
-# Persistent local customizations
-include dolphin.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/dolphinrc
-# noblacklist ${HOME}/.local/share/dolphin
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-# include disable-programs.inc
-
-allusers
-caps.drop all
-# net none
-netfilter
-nodvd
-nogroups
-nonewprivs
-# Comment the next line (or put 'ignore noroot' in your dolphin.local) if you use MPV+Vulkan (see issue #3012)
-noroot
-notv
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-dev
-# private-tmp
-
-join-or-start dolphin
diff --git a/etc/firejail.config b/etc/firejail.config
index 6fb7d829a..731e744dd 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -27,7 +27,7 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
 
-# Enable or disable dbus handling by --nodbus flag, default enabled.
+# Enable or disable dbus handling, default enabled.
 # dbus yes
 
 # Disable /mnt, /media, /run/mount and /run/media access. By default access
@@ -70,6 +70,13 @@
 # Enable or disable sandbox name change, default enabled.
 # name-change yes
 
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of  iptables-save  and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
 # Enable or disable networking features, default enabled.
 # network yes
 
@@ -79,12 +86,12 @@
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
 
-# Enable or disable private-home feature, default enabled
-# private-home yes
-
 # Enable or disable private-cache feature, default enabled
 # private-cache yes
 
+# Enable or disable private-home feature, default enabled
+# private-home yes
+
 # Enable or disable private-lib feature, default enabled
 # private-lib yes
 
@@ -97,16 +104,12 @@
 # --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 
-# Change default netfilter configuration. When using --netfilter option without
-# a file argument, the default filter is hardcoded (see man 1 firejail). This
-# configuration entry allows the user to change the default by specifying
-# a file containing the filter configuration. The filter file format is the
-# format of  iptables-save  and iptable-restore commands. Example:
-# netfilter-default /etc/iptables.iptables.rules
-
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
+# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
+# seccomp-error-action EPERM
+
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
@@ -116,6 +119,10 @@
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
 
+# Xephyr command extra parameters. None by default; these are examples.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale
+
 # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
 # a full list of resolutions available on your specific setup.
 # xephyr-screen 640x480
@@ -126,17 +133,13 @@
 # Firejail window title in Xephyr, default enabled.
 # xephyr-window-title yes
 
-# Xephyr command extra parameters. None by default; these are examples.
-# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
-# xephyr-extra-params -grayscale
-
-# Xpra server command extra parameters. None by default; this is an example.
-# xpra-extra-params --dpi 96
-
 # Enable this option if you have a version of Xpra that supports --attach switch
 # for start command, default disabled.
 # xpra-attach no
 
+# Xpra server command extra parameters. None by default; this is an example.
+# xpra-extra-params --dpi 96
+
 # Screen size for --x11=xvfb, default 800x600x24.  The third dimension is
 # color depth; use 24 unless you know exactly what you're doing.
 # xvfb-screen 640x480x24
diff --git a/etc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 63174eda6..7cd087b14 100644
--- a/etc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -12,10 +12,16 @@ noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.java
 
 # Python
+noblacklist ${HOME}/.pylint.d
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
 # Rust
+noblacklist ${HOME}/.cargo/advisory-db
 noblacklist ${HOME}/.cargo/config
+noblacklist ${HOME}/.cargo/git
 noblacklist ${HOME}/.cargo/registry
+noblacklist ${HOME}/.cargo/.crates.toml
+noblacklist ${HOME}/.cargo/.crates2.json
+noblacklist ${HOME}/.cargo/.package-cache
diff --git a/etc/allow-gjs.inc b/etc/inc/allow-gjs.inc
index f552ede9d..f4f9926cd 100644
--- a/etc/allow-gjs.inc
+++ b/etc/inc/allow-gjs.inc
@@ -8,3 +8,4 @@ noblacklist /usr/lib/gjs
 noblacklist /usr/lib64/gjs
 noblacklist /usr/lib/libgjs*
 noblacklist /usr/lib64/libgjs*
+noblacklist /usr/lib64/libmozjs-*
diff --git a/etc/allow-java.inc b/etc/inc/allow-java.inc
index 24d18fb77..24d18fb77 100644
--- a/etc/allow-java.inc
+++ b/etc/inc/allow-java.inc
diff --git a/etc/allow-lua.inc b/etc/inc/allow-lua.inc
index fbdee22ee..9df8e8d32 100644
--- a/etc/allow-lua.inc
+++ b/etc/inc/allow-lua.inc
@@ -3,6 +3,8 @@
 include allow-lua.local
 
 noblacklist ${PATH}/lua*
-noblacklist /usr/include/lua*
+noblacklist /usr/include
+noblacklist /usr/lib/liblua*
 noblacklist /usr/lib/lua
 noblacklist /usr/share/lua
+noblacklist /usr/share/lua*
diff --git a/etc/allow-perl.inc b/etc/inc/allow-perl.inc
index f44e1e3cc..f44e1e3cc 100644
--- a/etc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
diff --git a/etc/allow-php.inc b/etc/inc/allow-php.inc
index a0950dc26..a0950dc26 100644
--- a/etc/allow-php.inc
+++ b/etc/inc/allow-php.inc
diff --git a/etc/allow-python2.inc b/etc/inc/allow-python2.inc
index b0525e2e1..b0525e2e1 100644
--- a/etc/allow-python2.inc
+++ b/etc/inc/allow-python2.inc
diff --git a/etc/allow-python3.inc b/etc/inc/allow-python3.inc
index d968886b0..d968886b0 100644
--- a/etc/allow-python3.inc
+++ b/etc/inc/allow-python3.inc
diff --git a/etc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..a8c701219 100644
--- a/etc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
diff --git a/etc/disable-common.inc b/etc/inc/disable-common.inc
index bf29cd137..c7516ab42 100644
--- a/etc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -64,8 +64,9 @@ blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
 
 # Session manager
-?HAS_X11: blacklist ${HOME}/.ICEauthority
-?HAS_X11: blacklist /tmp/.ICE-unix
+# see #3358
+#?HAS_X11: blacklist ${HOME}/.ICEauthority
+#?HAS_X11: blacklist /tmp/.ICE-unix
 
 # KDE config
 blacklist ${HOME}/.config/khotkeysrc
@@ -136,21 +137,27 @@ read-only ${HOME}/.local/share/kssl
 blacklist ${RUNUSER}/*.slave-socket
 blacklist ${RUNUSER}/kdeinit5__*
 blacklist ${RUNUSER}/kdesud_*
-?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
-?HAS_NODBUS: blacklist /tmp/ksocket-*
+# see #3358
+#?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
+#?HAS_NODBUS: blacklist /tmp/ksocket-*
 
 # gnome
 # contains extensions, last used times of applications, and notifications
 blacklist ${HOME}/.local/share/gnome-shell
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
+blacklist ${RUNUSER}/gnome-session-leader-fifo
+blacklist ${RUNUSER}/gnome-shell
+blacklist ${RUNUSER}/gsconnect
 
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
 blacklist /var/lib/systemd
-# blacklist /var/run/systemd
+blacklist ${PATH}/systemd-run
+blacklist ${RUNUSER}/systemd
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
+#blacklist /var/run/systemd
 
 # openrc
 blacklist /etc/runlevels/
@@ -166,6 +173,21 @@ blacklist ${HOME}/VirtualBox VMs
 blacklist ${HOME}/.config/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-boxes
 
+# libvirt
+blacklist ${HOME}/.cache/libvirt
+blacklist ${HOME}/.config/libvirt
+blacklist ${RUNUSER}/libvirt
+blacklist /var/cache/libvirt
+blacklist /var/lib/libvirt
+blacklist /var/log/libvirt
+
+# OCI-Containers / Podman
+blacklist ${RUNUSER}/containers
+blacklist ${RUNUSER}/crun
+blacklist ${RUNUSER}/libpod
+blacklist ${RUNUSER}/runc
+blacklist ${RUNUSER}/toolbox
+
 # VeraCrypt
 blacklist ${HOME}/.VeraCrypt
 blacklist ${PATH}/veracrypt
@@ -300,13 +322,17 @@ read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
 read-only ${HOME}/.cargo/bin
-read-only ${HOME}/.cargo/env
 
 # Write-protection for desktop entries
 read-only ${HOME}/.config/menus
 read-only ${HOME}/.gnome/apps
 read-only ${HOME}/.local/share/applications
 
+read-only ${HOME}/.config/mimeapps.list
+read-only ${HOME}/.config/user-dirs.dirs
+read-only ${HOME}/.config/user-dirs.locale
+read-only ${HOME}/.local/share/mime
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
@@ -376,6 +402,7 @@ blacklist /usr/sbin
 
 # system management
 blacklist ${PATH}/at
+blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
 blacklist ${PATH}/chfn
 blacklist ${PATH}/chsh
@@ -443,14 +470,30 @@ blacklist /vmlinuz*
 blacklist /.snapshots
 
 # flatpak
+blacklist ${HOME}/.cache/flatpak
 blacklist ${HOME}/.config/flatpak
-blacklist ${HOME}/.local/share/flatpak
+blacklist ${HOME}/.local/share/flatpak/app
+blacklist ${HOME}/.local/share/flatpak/appstream
+blacklist ${HOME}/.local/share/flatpak/db
+read-only ${HOME}/.local/share/flatpak/exports
+blacklist ${HOME}/.local/share/flatpak/oci
+blacklist ${HOME}/.local/share/flatpak/overrides
+blacklist ${HOME}/.local/share/flatpak/repo
+blacklist ${HOME}/.local/share/flatpak/runtime
 blacklist ${HOME}/.var
+blacklist ${RUNUSER}/app
+blacklist ${RUNUSER}/doc
+blacklist ${RUNUSER}/.dbus-proxy
+blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-helper
 blacklist /usr/share/flatpak
 blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
 
+# snap
+blacklist ${RUNUSER}/snapd-session-agent.socket
+
 # mail directories used by mutt
 blacklist ${HOME}/.Mail
 blacklist ${HOME}/.mail
@@ -462,3 +505,22 @@ blacklist ${HOME}/sent
 
 # kernel configuration
 blacklist /proc/config.gz
+
+# prevent DNS malware attempting to communicate with the server
+# using regular DNS tools
+blacklist ${PATH}/dig
+blacklist ${PATH}/kdig
+blacklist ${PATH}/nslookup
+blacklist ${PATH}/host
+blacklist ${PATH}/dlint
+blacklist ${PATH}/dnswalk
+blacklist ${PATH}/dns2tcp
+blacklist ${PATH}/iodine
+blacklist ${PATH}/knsupdate
+blacklist ${PATH}/resolvectl
+
+# rest of ${RUNUSER}
+blacklist ${RUNUSER}/*.lock
+blacklist ${RUNUSER}/inaccessible
+blacklist ${RUNUSER}/update-notifier.pid
+blacklist ${RUNUSER}/pk-debconf-socket
diff --git a/etc/disable-devel.inc b/etc/inc/disable-devel.inc
index 59df9fb0f..e1ba13380 100644
--- a/etc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -26,7 +26,6 @@ blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
 blacklist ${PATH}/*-gcc*
 blacklist ${PATH}/*-g++*
-blacklist /usr/include
 # seems to create problems on Gentoo
 #blacklist /usr/lib/gcc
 
diff --git a/etc/disable-exec.inc b/etc/inc/disable-exec.inc
index ee3391730..ee3391730 100644
--- a/etc/disable-exec.inc
+++ b/etc/inc/disable-exec.inc
diff --git a/etc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index ae539e1bc..59e9c7de3 100644
--- a/etc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -13,8 +13,12 @@ blacklist /usr/lib64/libgjs*
 # Lua
 blacklist ${PATH}/lua*
 blacklist /usr/include/lua*
+blacklist /usr/lib/liblua*
 blacklist /usr/lib/lua
-blacklist /usr/share/lua
+blacklist /usr/share/lua*
+
+# mozjs
+blacklist /usr/lib64/libmozjs-*
 
 # Node.js
 blacklist ${PATH}/node
diff --git a/etc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc
index 316378cb8..316378cb8 100644
--- a/etc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
diff --git a/etc/disable-programs.inc b/etc/inc/disable-programs.inc
index db257c1b6..e5dd9cb59 100644
--- a/etc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -8,6 +8,9 @@ blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
+blacklist ${HOME}/TeamSpeak3-Client-linux_x86
+blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+blacklist ${HOME}/hyperrogue.ini
 blacklist ${HOME}/mps
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
@@ -51,8 +54,13 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.bogofilter
 blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/registry
+blacklist ${HOME}/.cargo/advisory-db
 blacklist ${HOME}/.cargo/config
+blacklist ${HOME}/.cargo/git
+blacklist ${HOME}/.cargo/registry
+blacklist ${HOME}/.cargo/.crates.toml
+blacklist ${HOME}/.cargo/.crates2.json
+blacklist ${HOME}/.cargo/.package-cache
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
@@ -72,9 +80,15 @@ blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Debauchee/Barrier.conf
+blacklist ${HOME}/.config/Dharkael
+blacklist ${HOME}/.config/Element
+blacklist ${HOME}/.config/Element (Riot)
 blacklist ${HOME}/.config/Enox
+blacklist ${HOME}/.config/Ferdi
+blacklist ${HOME}/.config/Flavio Tordini
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
+blacklist ${HOME}/.config/FreeTube
 blacklist ${HOME}/.config/Fritzing
 blacklist ${HOME}/.config/GIMP
 blacklist ${HOME}/.config/GitHub Desktop
@@ -84,9 +98,12 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
+blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Kingsoft
 blacklist ${HOME}/.config/Luminance
+blacklist ${HOME}/.config/LyX
+blacklist ${HOME}/.config/Mattermost
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.
 blacklist ${HOME}/.config/Min
@@ -97,6 +114,7 @@ blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
+blacklist ${HOME}/.config/PacmanLogViewer
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/QGIS
@@ -113,11 +131,16 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
 blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Zeal
+blacklist ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/abiword
+blacklist ${HOME}/.config/agenda
 blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
+blacklist ${HOME}/.config/alacritty
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
 blacklist ${HOME}/.config/aria2
@@ -129,6 +152,7 @@ blacklist ${HOME}/.config/atril
 blacklist ${HOME}/.config/audacious
 blacklist ${HOME}/.config/autokey
 blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/backintime
 blacklist ${HOME}/.config/baloofilerc
 blacklist ${HOME}/.config/baloorc
 blacklist ${HOME}/.config/blender
@@ -142,8 +166,15 @@ blacklist ${HOME}/.config/caja
 blacklist ${HOME}/.config/calibre
 blacklist ${HOME}/.config/cantata
 blacklist ${HOME}/.config/catfish
+blacklist ${HOME}/.config/cawbird
 blacklist ${HOME}/.config/celluloid
 blacklist ${HOME}/.config/cherrytree
+blacklist ${HOME}/.config/chrome-beta-flags.conf
+blacklist ${HOME}/.config/chrome-beta-flags.config
+blacklist ${HOME}/.config/chrome-flags.conf
+blacklist ${HOME}/.config/chrome-flags.config
+blacklist ${HOME}/.config/chrome-unstable-flags.conf
+blacklist ${HOME}/.config/chrome-unstable-flags.config
 blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
@@ -188,13 +219,20 @@ blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/ghb
 blacklist ${HOME}/.config/ghostwriter
 blacklist ${HOME}/.config/git
+blacklist ${HOME}/.config/git-cola
+blacklist ${HOME}/.config/glade.conf
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/gmpc
 blacklist ${HOME}/.config/gnome-builder
+blacklist ${HOME}/.config/gnome-chess
+blacklist ${HOME}/.config/gnome-control-center
+blacklist ${HOME}/.config/gnome-initial-setup-done
 blacklist ${HOME}/.config/gnome-latex
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
 blacklist ${HOME}/.config/gnome-pie
+blacklist ${HOME}/.config/gnome-session
+blacklist ${HOME}/.config/gnote
 blacklist ${HOME}/.config/godot
 blacklist ${HOME}/.config/google-chrome
 blacklist ${HOME}/.config/google-chrome-beta
@@ -204,6 +242,7 @@ blacklist ${HOME}/.config/gthumb
 blacklist ${HOME}/.config/gummi
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.config/homebank
 blacklist ${HOME}/.config/i2p
 blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
@@ -228,8 +267,10 @@ blacklist ${HOME}/.config/klavaro
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kmailsearchindexingrc
+blacklist ${HOME}/.config/kmplayerrc
 blacklist ${HOME}/.config/knotesrc
 blacklist ${HOME}/.config/konversationrc
+blacklist ${HOME}/.config/konversation.notifyrc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
@@ -246,6 +287,7 @@ blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
 blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/meteo-qt
+blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/Microsoft
 blacklist ${HOME}/.config/midori
@@ -255,15 +297,18 @@ blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
 blacklist ${HOME}/.config/mpv
 blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/mutter
 blacklist ${HOME}/.config/mypaint
 blacklist ${HOME}/.config/nano
 blacklist ${HOME}/.config/nautilus
 blacklist ${HOME}/.config/nemo
 blacklist ${HOME}/.config/netsurf
 blacklist ${HOME}/.config/newsbeuter
+blacklist ${HOME}/.config/newsflash
 blacklist ${HOME}/.config/nheko
 blacklist ${HOME}/.config/NitroShare
 blacklist ${HOME}/.config/nomacs
+blacklist ${HOME}/.config/nuclear
 blacklist ${HOME}/.config/obs-studio
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
@@ -274,6 +319,7 @@ blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.gabmus.gfeeds.json
 blacklist ${HOME}/.config/org.kde.gwenviewrc
+blacklist ${HOME}/.config/otter
 blacklist ${HOME}/.config/pavucontrol-qt
 blacklist ${HOME}/.config/pavucontrol.ini
 blacklist ${HOME}/.config/pcmanfm
@@ -305,13 +351,16 @@ blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/snox
+blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/strawberry
 blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/teams
+blacklist ${HOME}/.config/teams-for-linux
 blacklist ${HOME}/.config/telepathy-account-widgets
 blacklist ${HOME}/.config/torbrowser
 blacklist ${HOME}/.config/totem
@@ -327,6 +376,7 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/wormux
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
@@ -346,11 +396,13 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
+blacklist ${HOME}/.cups
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
 blacklist ${HOME}/.devilspie
@@ -375,6 +427,7 @@ blacklist ${HOME}/.fossamail
 blacklist ${HOME}/.freeciv
 blacklist ${HOME}/.freecol
 blacklist ${HOME}/.freemind
+blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
@@ -388,6 +441,7 @@ blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hashcat
+blacklist ${HOME}/.hex-a-hop
 blacklist ${HOME}/.hedgewars
 blacklist ${HOME}/.hugin
 blacklist ${HOME}/.i2p
@@ -401,6 +455,7 @@ blacklist ${HOME}/.jak
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jd
 blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.jumpnbump
 blacklist ${HOME}/.kde/share/apps/digikam
 blacklist ${HOME}/.kde/share/apps/gwenview
 blacklist ${HOME}/.kde/share/apps/kaffeine
@@ -424,6 +479,7 @@ blacklist ${HOME}/.kde/share/config/kfindrc
 blacklist ${HOME}/.kde/share/config/kgetrc
 blacklist ${HOME}/.kde/share/config/khtmlrc
 blacklist ${HOME}/.kde/share/config/klipperrc
+blacklist ${HOME}/.kde/share/config/kmplayerrc
 blacklist ${HOME}/.kde/share/config/konq_history
 blacklist ${HOME}/.kde/share/config/konqsidebartngrc
 blacklist ${HOME}/.kde/share/config/konquerorrc
@@ -479,6 +535,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Anki2
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/Enpass
+blacklist ${HOME}/.local/share/Flavio Tordini
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Kingsoft
 blacklist ${HOME}/.local/share/Mendeley Ltd.
@@ -488,6 +545,7 @@ blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
+blacklist ${HOME}/.local/share/Shortwave
 blacklist ${HOME}/.local/share/Steam
 blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
@@ -496,12 +554,15 @@ blacklist ${HOME}/.local/share/TpLogger
 blacklist ${HOME}/.local/share/Zeal
 blacklist ${HOME}/.local/share/akonadi*
 blacklist ${HOME}/.local/share/akregator
+blacklist ${HOME}/.local/share/agenda
 blacklist ${HOME}/.local/share/apps/korganizer
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/autokey
+blacklist ${HOME}/.local/share/backintime
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/barrier
 blacklist ${HOME}/.local/share/bibletime
+blacklist ${HOME}/.local/share/bijiben
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
@@ -519,8 +580,10 @@ blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
+blacklist ${HOME}/.local/share/FasterThanLight
 blacklist ${HOME}/.local/share/feedreader
 blacklist ${HOME}/.local/share/feral-interactive
+blacklist ${HOME}/.local/share/five-or-more
 blacklist ${HOME}/.local/share/freecol
 blacklist ${HOME}/.local/share/gajim
 blacklist ${HOME}/.local/share/geary
@@ -528,18 +591,26 @@ blacklist ${HOME}/.local/share/geeqie
 blacklist ${HOME}/.local/share/ghostwriter
 blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-boxes
 blacklist ${HOME}/.local/share/gnome-builder
+blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/gnome-klotski
 blacklist ${HOME}/.local/share/gnome-latex
+blacklist ${HOME}/.local/share/gnome-mines
 blacklist ${HOME}/.local/share/gnome-music
+blacklist ${HOME}/.local/share/gnome-nibbles
 blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-pomodoro
 blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
+blacklist ${HOME}/.local/share/gnome-sudoku
 blacklist ${HOME}/.local/share/gnome-twitch
+blacklist ${HOME}/.local/share/gnote
 blacklist ${HOME}/.local/share/godot
 blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/i2p
+blacklist ${HOME}/.local/share/IntoTheBreach
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kalgebra
 blacklist ${HOME}/.local/share/kate
@@ -549,15 +620,18 @@ blacklist ${HOME}/.local/share/kiwix
 blacklist ${HOME}/.local/share/kiwix-desktop
 blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
+blacklist ${HOME}/.local/share/kmplayer
 blacklist ${HOME}/.local/share/knotes
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktouch
 blacklist ${HOME}/.local/share/kwrite
+blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
+blacklist ${HOME}/.local/share/love
 blacklist ${HOME}/.local/share/lugaru
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
@@ -571,6 +645,7 @@ blacklist ${HOME}/.local/share/nautilus
 blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
 blacklist ${HOME}/.local/share/nemo-python
+blacklist ${HOME}/.local/share/news-flash
 blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
@@ -578,10 +653,12 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/onlyoffice
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
+blacklist ${HOME}/.local/share/Paradox Interactive
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/quadrapassel
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
@@ -591,8 +668,10 @@ blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/signal-cli
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/strawberry
 blacklist ${HOME}/.local/share/supertux2
 blacklist ${HOME}/.local/share/supertuxkart
+blacklist ${HOME}/.local/share/swell-foop
 blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
@@ -603,16 +682,23 @@ blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan
 blacklist ${HOME}/.local/share/warsow-2.1
 blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
 blacklist ${HOME}/.lv2
+blacklist ${HOME}/.lyx
+blacklist ${HOME}/.magicor
 blacklist ${HOME}/.masterpdfeditor
+blacklist ${HOME}/.mbwarband
 blacklist ${HOME}/.mcabber
 blacklist ${HOME}/.mcabberrc
 blacklist ${HOME}/.mediathek3
 blacklist ${HOME}/.megaglest
+blacklist ${HOME}/.minecraft
 blacklist ${HOME}/.minetest
+blacklist ${HOME}/.mirrormagic
+blacklist ${HOME}/.moc
 blacklist ${HOME}/.moonchild productions/basilisk
 blacklist ${HOME}/.moonchild productions/pale moon
 blacklist ${HOME}/.mozilla
@@ -627,6 +713,7 @@ blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
+blacklist ${HOME}/.nicotine
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena
@@ -638,9 +725,13 @@ blacklist ${HOME}/.openttd
 blacklist ${HOME}/.opera
 blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders
+blacklist ${HOME}/.paradoxinteractive
+blacklist ${HOME}/.parallelrealities/blobwars
+blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
+blacklist ${HOME}/.pylint.d
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.qgis2
 blacklist ${HOME}/.qmmp
@@ -650,6 +741,7 @@ blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
 blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.ripperXrc
 blacklist ${HOME}/.scorched3d
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
@@ -662,13 +754,14 @@ blacklist ${HOME}/.steampid
 blacklist ${HOME}/.stellarium
 blacklist ${HOME}/.subversion
 blacklist ${HOME}/.surf
+blacklist ${HOME}/.swb.ini
 blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
-blacklist ${HOME}/.config/teams-for-linux
 blacklist ${HOME}/.tb
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.teeworlds
+blacklist ${HOME}/.texlive2018
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
@@ -683,6 +776,7 @@ blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
 blacklist ${HOME}/.vim
 blacklist ${HOME}/.vimrc
+blacklist ${HOME}/.vmware
 blacklist ${HOME}/.vscode
 blacklist ${HOME}/.vscode-oss
 blacklist ${HOME}/.vst
@@ -697,6 +791,8 @@ blacklist ${HOME}/.widelands
 blacklist ${HOME}/.wine
 blacklist ${HOME}/.wine64
 blacklist ${HOME}/.wireshark
+blacklist ${HOME}/.wordwarvi
+blacklist ${HOME}/.wormux
 blacklist ${HOME}/.xiphos
 blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
@@ -721,12 +817,18 @@ blacklist ${HOME}/.cache/BraveSoftware
 blacklist ${HOME}/.cache/Clementine
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Enpass
+blacklist ${HOME}/.cache/Ferdi
+blacklist ${HOME}/.cache/Flavio Tordini
 blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
+blacklist ${HOME}/.cache/NewsFlashGTK
+blacklist ${HOME}/.cache/Otter
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Shortwave
 blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
+blacklist ${HOME}/.cache/agenda
 blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
@@ -741,6 +843,7 @@ blacklist ${HOME}/.cache/chromium-dev
 blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/deja-dup
 blacklist ${HOME}/.cache/discover
 blacklist ${HOME}/.cache/dnox
 blacklist ${HOME}/.cache/dolphin
@@ -757,8 +860,12 @@ blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gfeeds
 blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-boxes
 blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-control-center
 blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-screenshot
+blacklist ${HOME}/.cache/gnome-software
 blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/godot
 blacklist ${HOME}/.cache/google-chrome
@@ -773,6 +880,7 @@ blacklist ${HOME}/.cache/inox
 blacklist ${HOME}/.cache/iridium
 blacklist ${HOME}/.cache/kcmshell5
 blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/keepassxc
 blacklist ${HOME}/.cache/kfind
 blacklist ${HOME}/.cache/kinfocenter
 blacklist ${HOME}/.cache/kmail2
@@ -809,6 +917,7 @@ blacklist ${HOME}/.cache/org.gnome.Books
 blacklist ${HOME}/.cache/org.gnome.Maps
 blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/pip
 blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
 blacklist ${HOME}/.cache/qBittorrent
@@ -819,6 +928,7 @@ blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
 blacklist ${HOME}/.cache/snox
 blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/strawberry
 blacklist ${HOME}/.cache/supertuxkart
 blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
@@ -828,6 +938,7 @@ blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
 blacklist ${HOME}/.cache/vlc
+blacklist ${HOME}/.cache/vmware
 blacklist ${HOME}/.cache/warsow-2.1
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc
new file mode 100644
index 000000000..fda528eb6
--- /dev/null
+++ b/etc/inc/disable-shell.inc
@@ -0,0 +1,13 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-shell.local
+
+blacklist ${PATH}/bash
+blacklist ${PATH}/csh
+blacklist ${PATH}/dash
+blacklist ${PATH}/fish
+blacklist ${PATH}/ksh
+blacklist ${PATH}/sh
+blacklist ${PATH}/tclsh
+blacklist ${PATH}/tcsh
+blacklist ${PATH}/zsh
diff --git a/etc/disable-xdg.inc b/etc/inc/disable-xdg.inc
index 22acf272d..22acf272d 100644
--- a/etc/disable-xdg.inc
+++ b/etc/inc/disable-xdg.inc
diff --git a/etc/feh-network.inc b/etc/inc/feh-network.inc
index e94e7205c..e94e7205c 100644
--- a/etc/feh-network.inc
+++ b/etc/inc/feh-network.inc
diff --git a/etc/firefox-common-addons.inc b/etc/inc/firefox-common-addons.inc
index 1dca67e06..11acb7b42 100644
--- a/etc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
 noblacklist ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/kxmlgui5/okular
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
 
@@ -41,6 +42,7 @@ whitelist ${HOME}/.kde4/share/config/okularrc
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
 whitelist ${HOME}/.local/share/kget
+whitelist ${HOME}/.local/share/kxmlgui5/okular
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
 whitelist ${HOME}/.local/share/tridactyl
@@ -57,7 +59,8 @@ whitelist ${HOME}/dwhelper
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
 noblacklist ${HOME}/.local/share/gnome-shell
 whitelist ${HOME}/.local/share/gnome-shell
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 include allow-python3.inc
 
 # KeePassXC Browser Integration
diff --git a/etc/softmaker-common.inc b/etc/inc/softmaker-common.inc
index 48249877c..a8ec5848c 100644
--- a/etc/softmaker-common.inc
+++ b/etc/inc/softmaker-common.inc
@@ -28,7 +28,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +45,6 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index 9c1b7b92c..0798c7d3e 100644
--- a/etc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -11,6 +11,8 @@ whitelist ${HOME}/.config/pkcs11
 read-only ${HOME}/.config/pkcs11
 whitelist ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.dirs
+whitelist ${HOME}/.config/user-dirs.locale
+read-only ${HOME}/.config/user-dirs.locale
 whitelist ${HOME}/.drirc
 whitelist ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
@@ -38,6 +40,7 @@ whitelist ${HOME}/.pangorc
 # gtk
 whitelist ${HOME}/.config/gtk-2.0
 whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/gtk-4.0
 whitelist ${HOME}/.config/gtkrc
 whitelist ${HOME}/.config/gtkrc-2.0
 whitelist ${HOME}/.gnome2
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
new file mode 100644
index 000000000..f2a510e9d
--- /dev/null
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -0,0 +1,12 @@
+# Local customizations come here
+include whitelist-runuser-common.local
+
+# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/dconf
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/ICEauthority
+whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
+whitelist ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/wayland-0
diff --git a/etc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index a9d4cadb8..ceeb14dcc 100644
--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -22,6 +22,7 @@ whitelist /usr/share/glib-2.0
 whitelist /usr/share/glvnd
 whitelist /usr/share/gtk-2.0
 whitelist /usr/share/gtk-3.0
+whitelist /usr/share/gtk-engines
 whitelist /usr/share/gtksourceview-3.0
 whitelist /usr/share/gtksourceview-4
 whitelist /usr/share/hunspell
@@ -40,6 +41,8 @@ whitelist /usr/share/misc
 whitelist /usr/share/Modules
 whitelist /usr/share/myspell
 whitelist /usr/share/p11-kit
+whitelist /usr/share/perl
+whitelist /usr/share/perl5
 whitelist /usr/share/pixmaps
 whitelist /usr/share/pki
 whitelist /usr/share/plasma
@@ -47,8 +50,10 @@ whitelist /usr/share/publicsuffix
 whitelist /usr/share/qt
 whitelist /usr/share/qt4
 whitelist /usr/share/qt5
+whitelist /usr/share/qt5ct
 whitelist /usr/share/sounds
 whitelist /usr/share/tcl8.6
+whitelist /usr/share/tcltk
 whitelist /usr/share/terminfo
 whitelist /usr/share/texlive
 whitelist /usr/share/texmf
diff --git a/etc/whitelist-var-common.inc b/etc/inc/whitelist-var-common.inc
index e2210057b..e2210057b 100644
--- a/etc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
deleted file mode 100644
index d04ada227..000000000
--- a/etc/keepassxc.profile
+++ /dev/null
@@ -1,56 +0,0 @@
-# Firejail profile for keepassxc
-# Description: Cross Platform Password Manager
-# This file is overwritten after every install/update
-# Persistent local customizations
-include keepassxc.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.config/keepassxc
-noblacklist ${HOME}/.keepassxc
-# 2.2.4 needs this path when compiled with "Native messaging browser extension"
-noblacklist ${HOME}/.mozilla
-noblacklist ${DOCUMENTS}
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist /usr/share/keepassxc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-machine-id
-net none
-no3d
-nodvd
-# Breaks 'Lock database when session is locked or lid is closed' (#2899).
-# Also breaks (Plasma) tray icon,
-# you can safely uncomment it or add to keepassxc.local if you don't need these features.
-#nodbus
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,netlink
-seccomp
-shell none
-tracelog
-
-private-bin keepassxc,keepassxc-cli,keepassxc-proxy
-private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id
-private-tmp
-
-# Mutex is stored in /tmp by default, which is broken by private-tmp
-join-or-start keepassxc
diff --git a/etc/nautilus.profile b/etc/nautilus.profile
deleted file mode 100644
index e003488de..000000000
--- a/etc/nautilus.profile
+++ /dev/null
@@ -1,44 +0,0 @@
-# Firejail profile for nautilus
-# Description: File manager and graphical shell for GNOME
-# This file is overwritten after every install/update
-# Persistent local customizations
-include nautilus.local
-# Persistent global definitions
-include globals.local
-
-# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# is already a nautilus process running on gnome desktops firejail will have no effect.
-
-noblacklist ${HOME}/.config/nautilus
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.local/share/nautilus
-noblacklist ${HOME}/.local/share/nautilus-python
-
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-
-allusers
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
-# private-bin nautilus
-# private-dev
-# private-tmp
diff --git a/etc/nemo.profile b/etc/nemo.profile
deleted file mode 100644
index 6a62a3a0c..000000000
--- a/etc/nemo.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for nemo
-# Description: File manager and graphical shell for Cinnamon
-# This file is overwritten after every install/update
-# Persistent local customizations
-include nemo.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.config/nemo
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.local/share/nemo
-noblacklist ${HOME}/.local/share/nemo-python
-
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-
-allusers
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
diff --git a/etc/nolocal.net b/etc/net/nolocal.net
index 8955f740d..0eb9f9784 100644
--- a/etc/nolocal.net
+++ b/etc/net/nolocal.net
@@ -32,5 +32,5 @@
 -A OUTPUT -d 172.16.0.0/12 -j DROP
 
 # drop multicast traffic
--A OUTPUT -d 244.0.0.0/4 -j DROP
+-A OUTPUT -d 224.0.0.0/4 -j DROP
 COMMIT
diff --git a/etc/tcpserver.net b/etc/net/tcpserver.net
index 9c39ee5fb..9c39ee5fb 100644
--- a/etc/tcpserver.net
+++ b/etc/net/tcpserver.net
diff --git a/etc/webserver.net b/etc/net/webserver.net
index 83db76825..83db76825 100644
--- a/etc/webserver.net
+++ b/etc/net/webserver.net
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
deleted file mode 100644
index 7f2a0d673..000000000
--- a/etc/pcmanfm.profile
+++ /dev/null
@@ -1,33 +0,0 @@
-# Firejail profile for pcmanfm
-# Description: Extremely fast and lightweight file manager
-# This file is overwritten after every install/update
-# Persistent local customizations
-include pcmanfm.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.local/share/Trash
-# noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
-# noblacklist ${HOME}/.config/pcmanfm
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# include disable-programs.inc
-
-allusers
-caps.drop all
-# net none - see issue #1467, computer:/// location broken
-no3d
-# nodbus
-nodvd
-nonewprivs
-noroot
-nosound
-notv
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
diff --git a/etc/0ad.profile b/etc/profile-a-l/0ad.profile
index 8b5820d5e..6869ea631 100644
--- a/etc/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -24,13 +24,13 @@ whitelist ${HOME}/.cache/0ad
 whitelist ${HOME}/.config/0ad
 whitelist ${HOME}/.local/share/0ad
 whitelist /usr/share/0ad
+whitelist /usr/share/games
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,6 +45,9 @@ tracelog
 
 disable-mnt
 private-bin 0ad,pyrogenesis,sh,which
+private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
index 2347039a6..12268706a 100644
--- a/etc/2048-qt.profile
+++ b/etc/profile-a-l/2048-qt.profile
@@ -23,8 +23,9 @@ whitelist ${HOME}/.config/xiaoyong
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/7z.profile b/etc/profile-a-l/7z.profile
index b60bb9ee9..02a2e7ea0 100644
--- a/etc/7z.profile
+++ b/etc/profile-a-l/7z.profile
@@ -23,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -42,4 +41,7 @@ x11 none
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/7za.profile b/etc/profile-a-l/7za.profile
index 9cd04cad1..9cd04cad1 100644
--- a/etc/7za.profile
+++ b/etc/profile-a-l/7za.profile
diff --git a/etc/7zr.profile b/etc/profile-a-l/7zr.profile
index bd3842900..bd3842900 100644
--- a/etc/7zr.profile
+++ b/etc/profile-a-l/7zr.profile
diff --git a/etc/Builder.profile b/etc/profile-a-l/Builder.profile
index 54b437441..54b437441 100644
--- a/etc/Builder.profile
+++ b/etc/profile-a-l/Builder.profile
diff --git a/etc/Cheese.profile b/etc/profile-a-l/Cheese.profile
index 5bb5064f0..5bb5064f0 100644
--- a/etc/Cheese.profile
+++ b/etc/profile-a-l/Cheese.profile
diff --git a/etc/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
index e9cc07bd7..e9cc07bd7 100644
--- a/etc/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
diff --git a/etc/Cyberfox.profile b/etc/profile-a-l/Cyberfox.profile
index 26a4348c9..26a4348c9 100644
--- a/etc/Cyberfox.profile
+++ b/etc/profile-a-l/Cyberfox.profile
diff --git a/etc/Discord.profile b/etc/profile-a-l/Discord.profile
index 3f274b21c..3f274b21c 100644
--- a/etc/Discord.profile
+++ b/etc/profile-a-l/Discord.profile
diff --git a/etc/DiscordCanary.profile b/etc/profile-a-l/DiscordCanary.profile
index d24e73ed8..d24e73ed8 100644
--- a/etc/DiscordCanary.profile
+++ b/etc/profile-a-l/DiscordCanary.profile
diff --git a/etc/Documents.profile b/etc/profile-a-l/Documents.profile
index 171ab4357..171ab4357 100644
--- a/etc/Documents.profile
+++ b/etc/profile-a-l/Documents.profile
diff --git a/etc/FossaMail.profile b/etc/profile-a-l/FossaMail.profile
index 9e1f61421..9e1f61421 100644
--- a/etc/FossaMail.profile
+++ b/etc/profile-a-l/FossaMail.profile
diff --git a/etc/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
index d318da885..d318da885 100644
--- a/etc/Fritzing.profile
+++ b/etc/profile-a-l/Fritzing.profile
diff --git a/etc/Gitter.profile b/etc/profile-a-l/Gitter.profile
index a8bcb6a54..a8bcb6a54 100644
--- a/etc/Gitter.profile
+++ b/etc/profile-a-l/Gitter.profile
diff --git a/etc/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
index 1435f3422..45ec71e63 100644
--- a/etc/JDownloader.profile
+++ b/etc/profile-a-l/JDownloader.profile
@@ -28,7 +28,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/Logs.profile b/etc/profile-a-l/Logs.profile
index 431439f17..431439f17 100644
--- a/etc/Logs.profile
+++ b/etc/profile-a-l/Logs.profile
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
new file mode 100644
index 000000000..1fdc9e9fe
--- /dev/null
+++ b/etc/profile-a-l/abiword.profile
@@ -0,0 +1,49 @@
+# Firejail profile for abiword
+# Description: flexible cross-platform word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include abiword.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/abiword
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+
+whitelist /usr/share/abiword-3.0
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin abiword
+private-cache
+private-dev
+private-etc fonts,gtk-3.0,passwd
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 2e6e8f1af..2e6e8f1af 100644
--- a/etc/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
diff --git a/etc/acat.profile b/etc/profile-a-l/acat.profile
index 522d8db4e..522d8db4e 100644
--- a/etc/acat.profile
+++ b/etc/profile-a-l/acat.profile
diff --git a/etc/adiff.profile b/etc/profile-a-l/adiff.profile
index a80886d56..a80886d56 100644
--- a/etc/adiff.profile
+++ b/etc/profile-a-l/adiff.profile
diff --git a/etc/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index ffc613f1e..4ab1967a6 100644
--- a/etc/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -47,7 +47,7 @@ notv
 nou2f
 novideo
 # protocol unix,inet,inet6,netlink
-# seccomp !io_getevents,!io_setup,!io_submit,!ioprio_set
+# seccomp !io_destroy,!io_getevents,!io_setup,!io_submit,!ioprio_set
 tracelog
 
 private-dev
diff --git a/etc/akregator.profile b/etc/profile-a-l/akregator.profile
index 34933f283..6a4d775e7 100644
--- a/etc/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/akregatorrc
 noblacklist ${HOME}/.local/share/akregator
+noblacklist ${HOME}/.local/share/kxmlgui5/akregator
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,12 +16,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
+mkdir ${HOME}/.local/share/kxmlgui5/akregator
 whitelist ${HOME}/.config/akregatorrc
 whitelist ${HOME}/.local/share/akregator
 whitelist ${HOME}/.local/share/kssl
+whitelist ${HOME}/.local/share/kxmlgui5/akregator
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/als.profile b/etc/profile-a-l/als.profile
index 5eae228b6..5eae228b6 100644
--- a/etc/als.profile
+++ b/etc/profile-a-l/als.profile
diff --git a/etc/amarok.profile b/etc/profile-a-l/amarok.profile
index 0b974e9ac..0b974e9ac 100644
--- a/etc/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
diff --git a/etc/amule.profile b/etc/profile-a-l/amule.profile
index feb4a5e7e..feb4a5e7e 100644
--- a/etc/amule.profile
+++ b/etc/profile-a-l/amule.profile
diff --git a/etc/amuled.profile b/etc/profile-a-l/amuled.profile
index 58b796875..58b796875 100644
--- a/etc/amuled.profile
+++ b/etc/profile-a-l/amuled.profile
diff --git a/etc/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 2e4e564dd..2e4e564dd 100644
--- a/etc/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
diff --git a/etc/anki.profile b/etc/profile-a-l/anki.profile
index a0a79ef48..61e5f2eea 100644
--- a/etc/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/Anki2
@@ -32,7 +33,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,3 +53,6 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/anydesk.profile b/etc/profile-a-l/anydesk.profile
index 35b18bab4..c847a04dc 100644
--- a/etc/anydesk.profile
+++ b/etc/profile-a-l/anydesk.profile
@@ -9,9 +9,10 @@ noblacklist ${HOME}/.anydesk
 
 include disable-common.inc
 include disable-devel.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-include disable-interpreters.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.anydesk
 whitelist ${HOME}/.anydesk
diff --git a/etc/aosp.profile b/etc/profile-a-l/aosp.profile
index a5b1ba9f1..a5b1ba9f1 100644
--- a/etc/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
diff --git a/etc/apack.profile b/etc/profile-a-l/apack.profile
index 9fef911af..9fef911af 100644
--- a/etc/apack.profile
+++ b/etc/profile-a-l/apack.profile
diff --git a/etc/apktool.profile b/etc/profile-a-l/apktool.profile
index aeeb845ea..39c5da9ab 100644
--- a/etc/apktool.profile
+++ b/etc/profile-a-l/apktool.profile
@@ -18,7 +18,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +33,6 @@ shell none
 private-bin apktool,basename,bash,dirname,expr,java,sh
 private-cache
 private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
new file mode 100644
index 000000000..9c0b92598
--- /dev/null
+++ b/etc/profile-a-l/apostrophe.profile
@@ -0,0 +1,58 @@
+# Firejail profile for apostrophe
+# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include apostrophe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/apostrophe
+whitelist /usr/share/pandoc-*
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin apostrophe,pandoc,python3*
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.gitlab.somas.Apostrophe
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/ar.profile b/etc/profile-a-l/ar.profile
index e28370450..183587ff8 100644
--- a/etc/ar.profile
+++ b/etc/profile-a-l/ar.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 apparmor
 caps.drop all
@@ -23,7 +24,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,4 +42,7 @@ private-bin ar
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
index 0a87ec297..934b89404 100644
--- a/etc/arch-audit.profile
+++ b/etc/profile-a-l/arch-audit.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/arch-audit
@@ -26,7 +27,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +46,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
index 19c37f90e..19c37f90e 100644
--- a/etc/archaudit-report.profile
+++ b/etc/profile-a-l/archaudit-report.profile
diff --git a/etc/ardour4.profile b/etc/profile-a-l/ardour4.profile
index 4ad8dd456..4ad8dd456 100644
--- a/etc/ardour4.profile
+++ b/etc/profile-a-l/ardour4.profile
diff --git a/etc/ardour5.profile b/etc/profile-a-l/ardour5.profile
index 5ebeafa76..a27cb4f6e 100644
--- a/etc/ardour5.profile
+++ b/etc/profile-a-l/ardour5.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,5 @@ private-dev
 #private-etc alternatives,ardour4,ardour5,asound.conf,fonts,machine-id,pulse,X11
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/arduino.profile b/etc/profile-a-l/arduino.profile
index fd1ca9a09..fd1ca9a09 100644
--- a/etc/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
diff --git a/etc/arepack.profile b/etc/profile-a-l/arepack.profile
index 012f2f049..012f2f049 100644
--- a/etc/arepack.profile
+++ b/etc/profile-a-l/arepack.profile
diff --git a/etc/aria2c.profile b/etc/profile-a-l/aria2c.profile
index a52a26d6f..d2dcaace1 100644
--- a/etc/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -27,7 +27,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machi
 private-lib libreadline.so.*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/ark.profile b/etc/profile-a-l/ark.profile
index 2fe546b55..4b81b2717 100644
--- a/etc/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -7,6 +7,7 @@ include ark.local
 include globals.local
 
 noblacklist ${HOME}/.config/arkrc
+noblacklist ${HOME}/.local/share/kxmlgui5/ark
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,7 +24,6 @@ apparmor
 caps.drop all
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,5 @@ private-bin 7z,ark,bash,lrzip,lsar,lz4,lzop,p7zip,rar,sh,tclsh,unar,unrar,unzip,
 private-dev
 private-tmp
 
+# dbus-user none
+# dbus-system none
diff --git a/etc/arm.profile b/etc/profile-a-l/arm.profile
index 51dad94d1..51dad94d1 100644
--- a/etc/arm.profile
+++ b/etc/profile-a-l/arm.profile
diff --git a/etc/artha.profile b/etc/profile-a-l/artha.profile
index aaaede7ee..adb33fae1 100644
--- a/etc/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 # whitelisting in ${HOME} makes settings immutable, see #3112
@@ -38,7 +39,6 @@ caps.drop all
 ipc-namespace
 # net none - breaks on Ubuntu
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -60,4 +60,7 @@ private-etc alternatives,fonts,machine-id
 private-lib libnotify.so.*
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/assogiate.profile b/etc/profile-a-l/assogiate.profile
index 542b3da8d..2686839ef 100644
--- a/etc/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${PICTURES}
@@ -26,7 +27,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +47,7 @@ private-dev
 private-lib gnome-vfs-2.0,libacl.so.*,libattr.so.*,libfam.so.*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/asunder.profile b/etc/profile-a-l/asunder.profile
index 1f3acd735..33dd4103f 100644
--- a/etc/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -20,23 +20,29 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
 netfilter
-nodbus
+no3d
 # nogroups
 nonewprivs
 noroot
 nou2f
+notv
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # mdwe is disabled due to breaking hardware accelerated decoding
 # memory-deny-write-execute
diff --git a/etc/atom-beta.profile b/etc/profile-a-l/atom-beta.profile
index c0ee2c492..c0ee2c492 100644
--- a/etc/atom-beta.profile
+++ b/etc/profile-a-l/atom-beta.profile
diff --git a/etc/atom.profile b/etc/profile-a-l/atom.profile
index b9cb49d08..cf0a5a42b 100644
--- a/etc/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -17,22 +17,20 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 # net none
 netfilter
-nodbus
 nodvd
 nogroups
-nonewprivs
-noroot
 nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/atool.profile b/etc/profile-a-l/atool.profile
index 0250451fc..e501e956c 100644
--- a/etc/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -25,10 +25,8 @@ hostname atool
 ipc-namespace
 machine-id
 net none
-netfilter
 no3d
 nodvd
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -49,4 +47,7 @@ private-dev
 private-etc alternatives,group,login.defs,passwd
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/atril-previewer.profile b/etc/profile-a-l/atril-previewer.profile
index 7f4697357..7f4697357 100644
--- a/etc/atril-previewer.profile
+++ b/etc/profile-a-l/atril-previewer.profile
diff --git a/etc/atril-thumbnailer.profile b/etc/profile-a-l/atril-thumbnailer.profile
index 8f6129ea6..8f6129ea6 100644
--- a/etc/atril-thumbnailer.profile
+++ b/etc/profile-a-l/atril-thumbnailer.profile
diff --git a/etc/atril.profile b/etc/profile-a-l/atril.profile
index adca38cb5..adca38cb5 100644
--- a/etc/atril.profile
+++ b/etc/profile-a-l/atril.profile
diff --git a/etc/audacious.profile b/etc/profile-a-l/audacious.profile
index 4d0c93047..2e1f6f32a 100644
--- a/etc/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-#nodbus - dbus needed for MPRIS
 nogroups
 nonewprivs
 noroot
@@ -40,4 +39,6 @@ private-cache
 private-dev
 private-tmp
 
-memory-deny-write-execute
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
diff --git a/etc/audacity.profile b/etc/profile-a-l/audacity.profile
index 200d3a387..a11e59553 100644
--- a/etc/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
@@ -24,7 +25,6 @@ apparmor
 caps.drop all
 net none
 no3d
-# nodbus - problems on Fedora 27
 nodvd
 nogroups
 nonewprivs
@@ -41,4 +41,6 @@ private-bin audacity
 private-dev
 private-tmp
 
-memory-deny-write-execute
+# problems on Fedora 27
+# dbus-user none
+# dbus-system none
diff --git a/etc/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index b2ed3b030..b2ed3b030 100644
--- a/etc/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
diff --git a/etc/aunpack.profile b/etc/profile-a-l/aunpack.profile
index 6ce4aa491..6ce4aa491 100644
--- a/etc/aunpack.profile
+++ b/etc/profile-a-l/aunpack.profile
diff --git a/etc/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 4887299ec..131b20c70 100644
--- a/etc/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -24,7 +24,6 @@ include disable-programs.inc
 caps.drop all
 netfilter
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +42,8 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index b1a77c0a4..b1a77c0a4 100644
--- a/etc/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
diff --git a/etc/autokey-gtk.profile b/etc/profile-a-l/autokey-gtk.profile
index e16449064..e16449064 100644
--- a/etc/autokey-gtk.profile
+++ b/etc/profile-a-l/autokey-gtk.profile
diff --git a/etc/autokey-qt.profile b/etc/profile-a-l/autokey-qt.profile
index b6f1210dd..b6f1210dd 100644
--- a/etc/autokey-qt.profile
+++ b/etc/profile-a-l/autokey-qt.profile
diff --git a/etc/autokey-run.profile b/etc/profile-a-l/autokey-run.profile
index 05669351a..05669351a 100644
--- a/etc/autokey-run.profile
+++ b/etc/profile-a-l/autokey-run.profile
diff --git a/etc/autokey-shell.profile b/etc/profile-a-l/autokey-shell.profile
index dfbd8759f..dfbd8759f 100644
--- a/etc/autokey-shell.profile
+++ b/etc/profile-a-l/autokey-shell.profile
diff --git a/etc/aweather.profile b/etc/profile-a-l/aweather.profile
index d7228570f..44c3110a0 100644
--- a/etc/aweather.profile
+++ b/etc/profile-a-l/aweather.profile
@@ -13,6 +13,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/aweather
 whitelist ${HOME}/.config/aweather
diff --git a/etc/awesome.profile b/etc/profile-a-l/awesome.profile
index 5d1bf5071..5d1bf5071 100644
--- a/etc/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
diff --git a/etc/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 785e37a16..785e37a16 100644
--- a/etc/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
diff --git a/etc/baloo_filemetadata_temp_extractor.profile b/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile
index ff10e9965..ff10e9965 100644
--- a/etc/baloo_filemetadata_temp_extractor.profile
+++ b/etc/profile-a-l/baloo_filemetadata_temp_extractor.profile
diff --git a/etc/baobab.profile b/etc/profile-a-l/baobab.profile
index 18c862a4d..3937e1966 100644
--- a/etc/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -12,12 +12,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 # include disable-programs.inc
+include disable-shell.inc
 # include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 net none
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -29,9 +31,13 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 private-bin baobab
 private-dev
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 read-only ${HOME}
diff --git a/etc/barrier.profile b/etc/profile-a-l/barrier.profile
index f5da3782e..f5da3782e 100644
--- a/etc/barrier.profile
+++ b/etc/profile-a-l/barrier.profile
diff --git a/etc/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 8dc3847a0..8dc3847a0 100644
--- a/etc/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
diff --git a/etc/beaker.profile b/etc/profile-a-l/beaker.profile
index cc1886a49..cc1886a49 100644
--- a/etc/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
diff --git a/etc/bibletime.profile b/etc/profile-a-l/bibletime.profile
index b76bc8367..99e2802eb 100644
--- a/etc/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -35,7 +35,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +53,6 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/bibtex.profile b/etc/profile-a-l/bibtex.profile
index e868dcbab..e868dcbab 100644
--- a/etc/bibtex.profile
+++ b/etc/profile-a-l/bibtex.profile
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
new file mode 100644
index 000000000..c1c338536
--- /dev/null
+++ b/etc/profile-a-l/bijiben.profile
@@ -0,0 +1,58 @@
+# Firejail profile for bijiben
+# Description: Simple Note Viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bijiben.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/bijiben
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/bijiben
+whitelist ${HOME}/.local/share/bijiben
+whitelist ${HOME}/.cache/tracker
+whitelist /usr/share/bijiben
+whitelist /usr/share/tracker
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bijiben
+# private-cache -- access to .cache/tracker is required
+private-dev
+private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Notes
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Tracker1
+dbus-system none
diff --git a/etc/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
index ac1e21ba7..3a3f2b62c 100644
--- a/etc/bitcoin-qt.profile
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.bitcoin
 mkdir ${HOME}/.config/Bitcoin
diff --git a/etc/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 62eeb88f3..62eeb88f3 100644
--- a/etc/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
diff --git a/etc/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index a5538bacc..41f8e51fd 100644
--- a/etc/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/Bitwarden
@@ -29,7 +30,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-#nodbus - breaks appindicator (tray) functionality
 nodvd
 nogroups
 nonewprivs
@@ -39,7 +39,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 #tracelog - breaks on Arch
 
@@ -51,4 +51,8 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.co
 private-opt Bitwarden
 private-tmp
 
+# breaks appindicator (tray) functionality
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/blackbox.profile b/etc/profile-a-l/blackbox.profile
index 13e83493d..13e83493d 100644
--- a/etc/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
diff --git a/etc/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index 47c0cfa48..8f230a413 100644
--- a/etc/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -20,7 +20,6 @@ include disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,5 +35,8 @@ shell none
 private-dev
 # private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute breaks some systems, see issue #1850
 # memory-deny-write-execute
diff --git a/etc/blender-2.8.profile b/etc/profile-a-l/blender-2.8.profile
index b7242c443..b7242c443 100644
--- a/etc/blender-2.8.profile
+++ b/etc/profile-a-l/blender-2.8.profile
diff --git a/etc/blender.profile b/etc/profile-a-l/blender.profile
index 6a72fb602..0f80f0a63 100644
--- a/etc/blender.profile
+++ b/etc/profile-a-l/blender.profile
@@ -33,9 +33,8 @@ noroot
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+# numpy, used by many add-ons, requires the mbind syscall
+seccomp !mbind
 shell none
 
 private-dev
-private-tmp
-
diff --git a/etc/bless.profile b/etc/profile-a-l/bless.profile
index 35235962e..216e86109 100644
--- a/etc/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -20,7 +20,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,5 @@ private-dev
 private-etc alternatives,fonts,mono
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
new file mode 100644
index 000000000..d43a9d241
--- /dev/null
+++ b/etc/profile-a-l/blobwars.profile
@@ -0,0 +1,50 @@
+# Firejail profile for blobwars
+# Description: Mission and Objective based 2D Platform Game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blobwars.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.parallelrealities/blobwars
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.parallelrealities/blobwars
+whitelist ${HOME}/.parallelrealities/blobwars
+whitelist /usr/share/blobwars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin blobwars
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/bluefish.profile b/etc/profile-a-l/bluefish.profile
index 412088ba9..88ac9c0ed 100644
--- a/etc/bluefish.profile
+++ b/etc/profile-a-l/bluefish.profile
@@ -15,10 +15,10 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +36,5 @@ private-bin bluefish
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/bnox.profile b/etc/profile-a-l/bnox.profile
index 031f3f4bd..031f3f4bd 100644
--- a/etc/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
diff --git a/etc/brackets.profile b/etc/profile-a-l/brackets.profile
index 70f62813e..70f62813e 100644
--- a/etc/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
diff --git a/etc/brasero.profile b/etc/profile-a-l/brasero.profile
index 67fc07afb..417a6b3e0 100644
--- a/etc/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -15,6 +15,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 net none
 nogroups
diff --git a/etc/brave-browser-beta.profile b/etc/profile-a-l/brave-browser-beta.profile
index 528a6402d..528a6402d 100644
--- a/etc/brave-browser-beta.profile
+++ b/etc/profile-a-l/brave-browser-beta.profile
diff --git a/etc/brave-browser-dev.profile b/etc/profile-a-l/brave-browser-dev.profile
index 4601de119..4601de119 100644
--- a/etc/brave-browser-dev.profile
+++ b/etc/profile-a-l/brave-browser-dev.profile
diff --git a/etc/brave-browser-nightly.profile b/etc/profile-a-l/brave-browser-nightly.profile
index 43d3cc724..43d3cc724 100644
--- a/etc/brave-browser-nightly.profile
+++ b/etc/profile-a-l/brave-browser-nightly.profile
diff --git a/etc/brave-browser-stable.profile b/etc/profile-a-l/brave-browser-stable.profile
index 06d33dea4..06d33dea4 100644
--- a/etc/brave-browser-stable.profile
+++ b/etc/profile-a-l/brave-browser-stable.profile
diff --git a/etc/brave-browser.profile b/etc/profile-a-l/brave-browser.profile
index e223ecf87..e223ecf87 100644
--- a/etc/brave-browser.profile
+++ b/etc/profile-a-l/brave-browser.profile
diff --git a/etc/brave.profile b/etc/profile-a-l/brave.profile
index 35c59f5a3..35c59f5a3 100644
--- a/etc/brave.profile
+++ b/etc/profile-a-l/brave.profile
diff --git a/etc/bsdcat.profile b/etc/profile-a-l/bsdcat.profile
index 5271ee5d6..5271ee5d6 100644
--- a/etc/bsdcat.profile
+++ b/etc/profile-a-l/bsdcat.profile
diff --git a/etc/bsdcpio.profile b/etc/profile-a-l/bsdcpio.profile
index 5271ee5d6..5271ee5d6 100644
--- a/etc/bsdcpio.profile
+++ b/etc/profile-a-l/bsdcpio.profile
diff --git a/etc/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index 5ce9b6406..08e51f3c1 100644
--- a/etc/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -22,7 +22,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +42,7 @@ private-cache
 private-dev
 private-etc alternatives,group,localtime,passwd
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/bunzip2.profile b/etc/profile-a-l/bunzip2.profile
index 37b47c2ce..37b47c2ce 100644
--- a/etc/bunzip2.profile
+++ b/etc/profile-a-l/bunzip2.profile
diff --git a/etc/bzcat.profile b/etc/profile-a-l/bzcat.profile
index edefb6bb8..edefb6bb8 100644
--- a/etc/bzcat.profile
+++ b/etc/profile-a-l/bzcat.profile
diff --git a/etc/bzflag.profile b/etc/profile-a-l/bzflag.profile
index 86ab73e0b..f06bead1e 100644
--- a/etc/bzflag.profile
+++ b/etc/profile-a-l/bzflag.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.bzf
@@ -24,7 +25,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-bin bzadmin,bzflag,bzflag-wrapper,bzfs
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/bzip2.profile b/etc/profile-a-l/bzip2.profile
index 0756e0537..0756e0537 100644
--- a/etc/bzip2.profile
+++ b/etc/profile-a-l/bzip2.profile
diff --git a/etc/profile-a-l/caja.profile b/etc/profile-a-l/caja.profile
new file mode 100644
index 000000000..1af102ca8
--- /dev/null
+++ b/etc/profile-a-l/caja.profile
@@ -0,0 +1,15 @@
+# Firejail profile for caja
+# Description: File manager for the MATE desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include caja.local
+# Persistent global definitions
+include globals.local
+
+# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a caja process running on MATE desktops firejail will have no effect.
+
+# Put 'ignore noroot' in your caja.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/calibre.profile b/etc/profile-a-l/calibre.profile
index ad6f0aa0d..d17cfa85f 100644
--- a/etc/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/calligra.profile b/etc/profile-a-l/calligra.profile
index 7054739c8..f4ce47018 100644
--- a/etc/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -6,6 +6,8 @@ include calligra.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.local/share/kxmlgui5/calligra
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -16,7 +18,6 @@ caps.drop all
 ipc-namespace
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,5 +32,8 @@ shell none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch,kbuildsycoca4,kdeinit4
 private-dev
 
+# dbus-user none
+# dbus-system none
+
 # noexec ${HOME}
 noexec /tmp
diff --git a/etc/calligraauthor.profile b/etc/profile-a-l/calligraauthor.profile
index 7804a3b97..7804a3b97 100644
--- a/etc/calligraauthor.profile
+++ b/etc/profile-a-l/calligraauthor.profile
diff --git a/etc/calligraconverter.profile b/etc/profile-a-l/calligraconverter.profile
index 7804a3b97..7804a3b97 100644
--- a/etc/calligraconverter.profile
+++ b/etc/profile-a-l/calligraconverter.profile
diff --git a/etc/calligraflow.profile b/etc/profile-a-l/calligraflow.profile
index 7804a3b97..7804a3b97 100644
--- a/etc/calligraflow.profile
+++ b/etc/profile-a-l/calligraflow.profile
diff --git a/etc/calligraplan.profile b/etc/profile-a-l/calligraplan.profile
index 7804a3b97..23dd61175 100644
--- a/etc/calligraplan.profile
+++ b/etc/profile-a-l/calligraplan.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
+
 # Redirect
 include calligra.profile
diff --git a/etc/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile
index 7804a3b97..1c283a3cb 100644
--- a/etc/calligraplanwork.profile
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
+
 # Redirect
 include calligra.profile
diff --git a/etc/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile
index 7804a3b97..8ef75be71 100644
--- a/etc/calligrasheets.profile
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
+
 # Redirect
 include calligra.profile
diff --git a/etc/calligrastage.profile b/etc/profile-a-l/calligrastage.profile
index 7804a3b97..d5c960248 100644
--- a/etc/calligrastage.profile
+++ b/etc/profile-a-l/calligrastage.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
+
 # Redirect
 include calligra.profile
diff --git a/etc/calligrawords.profile b/etc/profile-a-l/calligrawords.profile
index 7804a3b97..5985b4250 100644
--- a/etc/calligrawords.profile
+++ b/etc/profile-a-l/calligrawords.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for calligra
 # This file is overwritten after every install/update
 
+noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
+
 # Redirect
 include calligra.profile
diff --git a/etc/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index 1d7aa0f9c..74c7cc34b 100644
--- a/etc/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/cameramonitor
@@ -30,7 +31,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +50,7 @@ private-cache
 private-etc alternatives,fonts
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/cantata.profile b/etc/profile-a-l/cantata.profile
index c44d56b90..294bb31b3 100644
--- a/etc/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 # apparmor
diff --git a/etc/catfish.profile b/etc/profile-a-l/catfish.profile
index c6c2d7e8a..009d3a049 100644
--- a/etc/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -24,10 +24,10 @@ include disable-passwdmgr.inc
 whitelist /var/lib/mlocate
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +45,6 @@ tracelog
 # private-bin bash,catfish,env,locate,ls,mlocate,python*
 # private-dev
 # private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
new file mode 100644
index 000000000..3d29c3817
--- /dev/null
+++ b/etc/profile-a-l/cawbird.profile
@@ -0,0 +1,46 @@
+# Firejail profile for cawbird
+# Description: Open-source Twitter client for Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cawbird.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/cawbird
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin cawbird
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# dbus-user none
+dbus-system none
diff --git a/etc/celluloid.profile b/etc/profile-a-l/celluloid.profile
index d099ba11e..567bd912a 100644
--- a/etc/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -24,13 +24,13 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
 netfilter
-# nodbus -- uses dconf, MPRIS
 nogroups
 nonewprivs
 noroot
@@ -46,5 +46,10 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3
 private-dev
 private-tmp
 
+dbus-user filter
+dbus-user.own io.github.celluloid_player.Celluloid
+dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.config/celluloid
diff --git a/etc/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
index e15131dca..93f61091b 100644
--- a/etc/checkbashisms.profile
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -32,7 +32,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,4 +50,7 @@ private-dev
 private-lib libfreebl3.so,perl*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/cheese.profile b/etc/profile-a-l/cheese.profile
index 633928260..337117c4a 100644
--- a/etc/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -26,7 +26,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin cheese
 private-cache
 private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
index 70dea5bd9..70dea5bd9 100644
--- a/etc/cherrytree.profile
+++ b/etc/profile-a-l/cherrytree.profile
diff --git a/etc/chromium-browser.profile b/etc/profile-a-l/chromium-browser.profile
index f83052d9a..f83052d9a 100644
--- a/etc/chromium-browser.profile
+++ b/etc/profile-a-l/chromium-browser.profile
diff --git a/etc/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index c54fb0e19..899400d25 100644
--- a/etc/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
-# nodbus - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 nodvd
 nogroups
 notv
@@ -40,5 +39,9 @@ disable-mnt
 ?BROWSER_DISABLE_U2F: private-dev
 # private-tmp - problems with multiple browser sessions
 
+# prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
+# dbus-user none
+dbus-system none
+
 # the file dialog needs to work without d-bus
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/chromium.profile b/etc/profile-a-l/chromium.profile
index dab9ce449..dab9ce449 100644
--- a/etc/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
diff --git a/etc/cin.profile b/etc/profile-a-l/cin.profile
index efeb9cd14..8c3fb42d1 100644
--- a/etc/cin.profile
+++ b/etc/profile-a-l/cin.profile
@@ -17,7 +17,6 @@ include disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -34,3 +33,5 @@ shell none
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
diff --git a/etc/cinelerra.profile b/etc/profile-a-l/cinelerra.profile
index 88a65037e..88a65037e 100644
--- a/etc/cinelerra.profile
+++ b/etc/profile-a-l/cinelerra.profile
diff --git a/etc/clamav.profile b/etc/profile-a-l/clamav.profile
index 51bc58108..2726ab5af 100644
--- a/etc/clamav.profile
+++ b/etc/profile-a-l/clamav.profile
@@ -15,7 +15,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,6 +30,10 @@ tracelog
 x11 none
 
 private-dev
+
+dbus-user none
+dbus-system none
+
 read-only ${HOME}
 
 memory-deny-write-execute
diff --git a/etc/clamdscan.profile b/etc/profile-a-l/clamdscan.profile
index 4c6c56c5f..4c6c56c5f 100644
--- a/etc/clamdscan.profile
+++ b/etc/profile-a-l/clamdscan.profile
diff --git a/etc/clamdtop.profile b/etc/profile-a-l/clamdtop.profile
index 4c6c56c5f..4c6c56c5f 100644
--- a/etc/clamdtop.profile
+++ b/etc/profile-a-l/clamdtop.profile
diff --git a/etc/clamscan.profile b/etc/profile-a-l/clamscan.profile
index 4c6c56c5f..4c6c56c5f 100644
--- a/etc/clamscan.profile
+++ b/etc/profile-a-l/clamscan.profile
diff --git a/etc/clamtk.profile b/etc/profile-a-l/clamtk.profile
index bc09808cb..4425a2bd0 100644
--- a/etc/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -11,7 +11,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -25,3 +24,6 @@ seccomp
 shell none
 
 private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 24954b2d8..24954b2d8 100644
--- a/etc/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
diff --git a/etc/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 07db86c92..12ce47401 100644
--- a/etc/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -29,7 +29,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-etc alternatives,fonts
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/clementine.profile b/etc/profile-a-l/clementine.profile
index 4d92157d0..4d92157d0 100644
--- a/etc/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
diff --git a/etc/clion.profile b/etc/profile-a-l/clion.profile
index b27d93684..b27d93684 100644
--- a/etc/clion.profile
+++ b/etc/profile-a-l/clion.profile
diff --git a/etc/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 786d1c866..dace5e83e 100644
--- a/etc/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -25,8 +25,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-# Breaks tray-icon, uncommend or add to clipgrab.local if you don't need it.
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +41,7 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+
+# Breaks tray icon, uncomment or add to clipgrab.local if you don't need it
+# dbus-user none
+# dbus-system none
diff --git a/etc/clipit.profile b/etc/profile-a-l/clipit.profile
index 66b5fc859..66b5fc859 100644
--- a/etc/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
diff --git a/etc/cliqz.profile b/etc/profile-a-l/cliqz.profile
index d0b8cc0ef..d0b8cc0ef 100644
--- a/etc/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
diff --git a/etc/clocks.profile b/etc/profile-a-l/clocks.profile
index da50e7d49..da50e7d49 100644
--- a/etc/clocks.profile
+++ b/etc/profile-a-l/clocks.profile
diff --git a/etc/cmus.profile b/etc/profile-a-l/cmus.profile
index fa1e5d722..bcd557787 100644
--- a/etc/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -14,6 +14,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 caps.drop all
diff --git a/etc/code-oss.profile b/etc/profile-a-l/code-oss.profile
index 6d45d5994..6d45d5994 100644
--- a/etc/code-oss.profile
+++ b/etc/profile-a-l/code-oss.profile
diff --git a/etc/code.profile b/etc/profile-a-l/code.profile
index 6f8a25211..6f8a25211 100644
--- a/etc/code.profile
+++ b/etc/profile-a-l/code.profile
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
new file mode 100644
index 000000000..77b6c7bd8
--- /dev/null
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -0,0 +1,66 @@
+# Firejail profile for com.github.dahenson.agenda
+# Description: Simple, fast, no-nonsense to-do (task) list
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.dahenson.agenda.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/agenda
+noblacklist ${HOME}/.config/agenda
+noblacklist ${HOME}/.local/share/agenda
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/agenda
+mkdir ${HOME}/.config/agenda
+mkdir ${HOME}/.local/share/agenda
+whitelist ${HOME}/.cache/agenda
+whitelist ${HOME}/.config/agenda
+whitelist ${HOME}/.local/share/agenda
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.dahenson.agenda
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0
+private-tmp
+
+dbus-user filter
+dbus-user.own com.github.dahenson.agenda
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/agenda
+read-write ${HOME}/.config/agenda
+read-write ${HOME}/.local/share/agenda
diff --git a/etc/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index 39a9a360d..c1800fe4c 100644
--- a/etc/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
diff --git a/etc/profile-a-l/com.gitlab.newsflash.profile b/etc/profile-a-l/com.gitlab.newsflash.profile
new file mode 100644
index 000000000..0628d3d01
--- /dev/null
+++ b/etc/profile-a-l/com.gitlab.newsflash.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for newsflash
+# This file is overwritten after every install/update
+
+# Redirect
+include newsflash.profile
diff --git a/etc/conkeror.profile b/etc/profile-a-l/conkeror.profile
index 38edf0d21..38edf0d21 100644
--- a/etc/conkeror.profile
+++ b/etc/profile-a-l/conkeror.profile
diff --git a/etc/conky.profile b/etc/profile-a-l/conky.profile
index 10a243cd3..e5cd7085a 100644
--- a/etc/conky.profile
+++ b/etc/profile-a-l/conky.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${PICTURES}
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/conplay.profile b/etc/profile-a-l/conplay.profile
index 8d9f3324f..8d9f3324f 100644
--- a/etc/conplay.profile
+++ b/etc/profile-a-l/conplay.profile
diff --git a/etc/corebird.profile b/etc/profile-a-l/corebird.profile
index dbb043c17..e9a2c9441 100644
--- a/etc/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
diff --git a/etc/cower.profile b/etc/profile-a-l/cower.profile
index 8efe48240..0ab5a7f78 100644
--- a/etc/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 # This profile could be significantly strengthened by adding the following to cower.local
diff --git a/etc/cpio.profile b/etc/profile-a-l/cpio.profile
index 1156b7439..087a5b2bb 100644
--- a/etc/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,4 +40,7 @@ x11 none
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/crawl-tiles.profile b/etc/profile-a-l/crawl-tiles.profile
index 39151865e..39151865e 100644
--- a/etc/crawl-tiles.profile
+++ b/etc/profile-a-l/crawl-tiles.profile
diff --git a/etc/crawl.profile b/etc/profile-a-l/crawl.profile
index af78ac738..3da2413d9 100644
--- a/etc/crawl.profile
+++ b/etc/profile-a-l/crawl.profile
@@ -25,7 +25,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ private-bin crawl,crawl-tiles
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/crow.profile b/etc/profile-a-l/crow.profile
index 755b6e9f8..db4be7679 100644
--- a/etc/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
diff --git a/etc/cryptocat.profile b/etc/profile-a-l/cryptocat.profile
index 69aa39de2..69aa39de2 100644
--- a/etc/cryptocat.profile
+++ b/etc/profile-a-l/cryptocat.profile
diff --git a/etc/curl.profile b/etc/profile-a-l/curl.profile
index 3f93e5f7e..996ff51d3 100644
--- a/etc/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -10,6 +10,8 @@ include globals.local
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
@@ -19,13 +21,14 @@ include disable-programs.inc
 #include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,3 +47,6 @@ private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/cvlc.profile b/etc/profile-a-l/cvlc.profile
index 56c0d965c..56c0d965c 100644
--- a/etc/cvlc.profile
+++ b/etc/profile-a-l/cvlc.profile
diff --git a/etc/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index d1fff0004..d1fff0004 100644
--- a/etc/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
diff --git a/etc/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 897bf5f5d..7e622799a 100644
--- a/etc/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -18,12 +18,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/darktable.profile b/etc/profile-a-l/darktable.profile
index 2a71ad11c..2a71ad11c 100644
--- a/etc/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
diff --git a/etc/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index a9d25128f..d6541850d 100644
--- a/etc/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -12,10 +12,12 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -43,3 +45,8 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
+
+dbus-user filter
+dbus-user.own ca.desrt.dconf-editor
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/dconf.profile b/etc/profile-a-l/dconf.profile
index ea19b2209..ea19b2209 100644
--- a/etc/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
diff --git a/etc/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 3dfc657bc..5b95b74be 100644
--- a/etc/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-cache
 private-etc alternatives,fonts
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index 8e67d9daa..8e67d9daa 100644
--- a/etc/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
diff --git a/etc/default.profile b/etc/profile-a-l/default.profile
index 95a6e8095..74314cf92 100644
--- a/etc/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -16,6 +16,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 # include disable-xdg.inc
 
+# include whitelist-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-var-common.inc
+
 # apparmor
 caps.drop all
 # ipc-namespace
@@ -23,7 +28,6 @@ caps.drop all
 # net none
 netfilter
 # no3d
-# nodbus
 # nodvd
 # nogroups
 nonewprivs
@@ -42,8 +46,14 @@ seccomp
 # private-bin program
 # private-cache
 # private-dev
-# private-etc alternatives
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
 # private-lib
+# private-opt none
 # private-tmp
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute
+# read-only ${HOME}
diff --git a/etc/deluge.profile b/etc/profile-a-l/deluge.profile
index 8f4f9fbe9..17c5059f5 100644
--- a/etc/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -14,6 +14,7 @@ include allow-python3.inc
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -24,6 +25,7 @@ whitelist ${HOME}/.config/deluge
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 netfilter
diff --git a/etc/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
index d0c727c5c..9a98c4933 100644
--- a/etc/desktopeditors.profile
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -24,7 +24,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,6 @@ private-bin desktopeditors,sh
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/devhelp.profile b/etc/profile-a-l/devhelp.profile
index cc9553e73..b8b07469d 100644
--- a/etc/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/devhelp
@@ -24,7 +25,6 @@ include whitelist-usr-share-common.inc
 apparmor
 caps.drop all
 # net none - makes settings immutable
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -45,6 +45,10 @@ private-dev
 private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
 
 read-only ${HOME}
diff --git a/etc/devilspie.profile b/etc/profile-a-l/devilspie.profile
index b561787d8..1ab10a6f6 100644
--- a/etc/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,6 +52,9 @@ private-etc alternatives
 private-lib gconv
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 
 read-only ${HOME}
diff --git a/etc/devilspie2.profile b/etc/profile-a-l/devilspie2.profile
index 9eab3f536..9eab3f536 100644
--- a/etc/devilspie2.profile
+++ b/etc/profile-a-l/devilspie2.profile
diff --git a/etc/dex2jar.profile b/etc/profile-a-l/dex2jar.profile
index e5f37b06a..7a59c5d73 100644
--- a/etc/dex2jar.profile
+++ b/etc/profile-a-l/dex2jar.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,5 @@ private-bin bash,dex2jar,dirname,expr,grep,java,ls,sh,uname
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
diff --git a/etc/dia.profile b/etc/profile-a-l/dia.profile
index bd79797b7..52bf1c7f8 100644
--- a/etc/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -19,10 +19,12 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +43,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/dig.profile b/etc/profile-a-l/dig.profile
index 054e4891d..152dfd980 100644
--- a/etc/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -8,8 +8,11 @@ include dig.local
 include globals.local
 
 noblacklist ${HOME}/.digrc
+noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 # include disable-devel.inc
@@ -25,12 +28,12 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,12 +48,13 @@ shell none
 tracelog
 
 disable-mnt
-private
 private-bin bash,dig,sh
-private-cache
 private-dev
 # Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
 #private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/digikam.profile b/etc/profile-a-l/digikam.profile
index e66434444..ae4a63c62 100644
--- a/etc/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +38,6 @@ shell none
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
 # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/dillo.profile b/etc/profile-a-l/dillo.profile
index 7103d0285..7103d0285 100644
--- a/etc/dillo.profile
+++ b/etc/profile-a-l/dillo.profile
diff --git a/etc/profile-a-l/dino-im.profile b/etc/profile-a-l/dino-im.profile
new file mode 100644
index 000000000..ae0549d3e
--- /dev/null
+++ b/etc/profile-a-l/dino-im.profile
@@ -0,0 +1,14 @@
+# Firejail profile for dino-im
+# Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dino-im.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Add Ubuntu specific binary name
+private-bin dino-im
+
+# Redirect
+include dino.profile
diff --git a/etc/dino.profile b/etc/profile-a-l/dino.profile
index 82ddf2819..d06ca042e 100644
--- a/etc/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.local/share/dino
 whitelist ${HOME}/.local/share/dino
diff --git a/etc/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 3e9dacd1e..3e9dacd1e 100644
--- a/etc/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
diff --git a/etc/discord-common.profile b/etc/profile-a-l/discord-common.profile
index a6e730937..35bea4aaa 100644
--- a/etc/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -6,12 +6,17 @@ include discord-common.local
 # added by caller profile
 #include globals.local
 
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/BetterDiscord
+whitelist ${HOME}/.local/share/betterdiscordctl
 include whitelist-common.inc
 include whitelist-var-common.inc
 
@@ -25,11 +30,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
-
-noexec /tmp
diff --git a/etc/discord.profile b/etc/profile-a-l/discord.profile
index 8ef02a30f..8ef02a30f 100644
--- a/etc/discord.profile
+++ b/etc/profile-a-l/discord.profile
diff --git a/etc/display.profile b/etc/profile-a-l/display.profile
index 9e976c11a..9de634da9 100644
--- a/etc/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
@@ -24,7 +25,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
 private-etc alternatives
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/dnox.profile b/etc/profile-a-l/dnox.profile
index e02395771..e02395771 100644
--- a/etc/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
diff --git a/etc/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
index 6637b8d02..e48e9d1ac 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -31,7 +31,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nonewprivs
 nosound
@@ -48,5 +47,8 @@ private
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
+
 # mdwe can break modules/plugins
 memory-deny-write-execute
diff --git a/etc/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
index 6db71bd49..6db71bd49 100644
--- a/etc/dnsmasq.profile
+++ b/etc/profile-a-l/dnsmasq.profile
diff --git a/etc/profile-a-l/dolphin.profile b/etc/profile-a-l/dolphin.profile
new file mode 100644
index 000000000..e0300a577
--- /dev/null
+++ b/etc/profile-a-l/dolphin.profile
@@ -0,0 +1,14 @@
+# Firejail profile for dolphin
+# Description: File manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dolphin.local
+# Persistent global definitions
+include globals.local
+
+# Put 'ignore noroot' in your dolphin.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
+
+join-or-start dolphin
diff --git a/etc/dooble-qt4.profile b/etc/profile-a-l/dooble-qt4.profile
index 70a21e11c..70a21e11c 100644
--- a/etc/dooble-qt4.profile
+++ b/etc/profile-a-l/dooble-qt4.profile
diff --git a/etc/dooble.profile b/etc/profile-a-l/dooble.profile
index bc197b223..bc197b223 100644
--- a/etc/dooble.profile
+++ b/etc/profile-a-l/dooble.profile
diff --git a/etc/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 17ccc9b9a..11b9a4f42 100644
--- a/etc/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -14,6 +14,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
diff --git a/etc/dragon.profile b/etc/profile-a-l/dragon.profile
index df839cc47..d355cd121 100644
--- a/etc/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/dragonplayer
diff --git a/etc/drawio.profile b/etc/profile-a-l/drawio.profile
index d4fd735a1..4d723c8aa 100644
--- a/etc/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/draw.io
@@ -28,7 +29,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +48,7 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/dropbox.profile b/etc/profile-a-l/dropbox.profile
index 1b242d422..1b242d422 100644
--- a/etc/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
diff --git a/etc/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 1297f5f40..bb711b1bf 100644
--- a/etc/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -27,7 +27,6 @@ caps.drop all
 machine-id
 net none
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,4 +50,7 @@ private-etc alternatives,fonts,group,passwd
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/ebook-viewer.profile b/etc/profile-a-l/ebook-viewer.profile
index 29cb87a62..706aec737 100644
--- a/etc/ebook-viewer.profile
+++ b/etc/profile-a-l/ebook-viewer.profile
@@ -4,7 +4,8 @@
 include ebook-viewer.local
 
 net none
-nodbus
+dbus-user none
+dbus-system none
 
 # Redirect
 include calibre.profile
diff --git a/etc/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index bde8978df..39366470f 100644
--- a/etc/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/electron-mail
@@ -29,7 +30,6 @@ apparmor
 caps.drop all
 netfilter
 no3d
-# nodbus - breaks tray functionality
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +49,8 @@ private-etc alternatives,fonts
 private-opt ElectronMail
 private-tmp
 
+# breaks tray functionality
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/electron.profile b/etc/profile-a-l/electron.profile
index c24100f17..9b99c7ffb 100644
--- a/etc/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -15,7 +15,6 @@ whitelist ${DOWNLOADS}
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -23,3 +22,6 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
+
+dbus-user none
+dbus-system none
diff --git a/etc/electrum.profile b/etc/profile-a-l/electrum.profile
index c9f50f12a..73c19f380 100644
--- a/etc/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.electrum
@@ -29,7 +30,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +50,5 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
 
+# dbus-user none
+# dbus-system none
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
new file mode 100644
index 000000000..c1aa821e3
--- /dev/null
+++ b/etc/profile-a-l/element-desktop.profile
@@ -0,0 +1,22 @@
+# Firejail profile for element-desktop
+# Description: All-in-one secure chat app for teams, friends and organisations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include element-desktop.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/Element
+noblacklist ${HOME}/.config/Element (Riot)
+
+mkdir ${HOME}/.config/Element
+mkdir ${HOME}/.config/Element (Riot)
+whitelist ${HOME}/.config/Element
+whitelist ${HOME}/.config/Element (Riot)
+whitelist /opt/Element
+
+private-opt Element
+
+# Redirect
+include riot-desktop.profile
diff --git a/etc/elinks.profile b/etc/profile-a-l/elinks.profile
index 82d1ba528..2a306d704 100644
--- a/etc/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -18,6 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/emacs.profile b/etc/profile-a-l/emacs.profile
index ab378105e..226237b5b 100644
--- a/etc/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -29,3 +29,6 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
+
+read-write ${HOME}/.emacs
+read-write ${HOME}/.emacs.d
diff --git a/etc/email-common.profile b/etc/profile-a-l/email-common.profile
index f9d96858b..67af04267 100644
--- a/etc/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -63,6 +63,8 @@ read-only ${HOME}/.config/mimeapps.list
 writable-run-user
 
 # If you want to read local mail stored in /var/mail, add the following to email-common.local:
-# whitelist /var/mail
-# whitelist /var/spool/mail
-# writable-var
+#noblacklist /var/mail
+#noblacklist /var/spool/mail
+#whitelist /var/mail
+#whitelist /var/spool/mail
+#writable-var
diff --git a/etc/empathy.profile b/etc/profile-a-l/empathy.profile
index 5ca640d30..5ca640d30 100644
--- a/etc/empathy.profile
+++ b/etc/profile-a-l/empathy.profile
diff --git a/etc/enchant-2.profile b/etc/profile-a-l/enchant-2.profile
index 32cc0e691..32cc0e691 100644
--- a/etc/enchant-2.profile
+++ b/etc/profile-a-l/enchant-2.profile
diff --git a/etc/enchant-lsmod-2.profile b/etc/profile-a-l/enchant-lsmod-2.profile
index a7199955e..a7199955e 100644
--- a/etc/enchant-lsmod-2.profile
+++ b/etc/profile-a-l/enchant-lsmod-2.profile
diff --git a/etc/enchant-lsmod.profile b/etc/profile-a-l/enchant-lsmod.profile
index ba4353d15..ba4353d15 100644
--- a/etc/enchant-lsmod.profile
+++ b/etc/profile-a-l/enchant-lsmod.profile
diff --git a/etc/enchant.profile b/etc/profile-a-l/enchant.profile
index fa556c7d2..2b5de799f 100644
--- a/etc/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/enchant
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -30,7 +31,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +52,7 @@ private-etc alternatives
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/engrampa.profile b/etc/profile-a-l/engrampa.profile
index aaf3e3382..6c0892c56 100644
--- a/etc/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -19,7 +19,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,4 +36,7 @@ tracelog
 private-dev
 # private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/enox.profile b/etc/profile-a-l/enox.profile
index d8ac8b24a..d8ac8b24a 100644
--- a/etc/enox.profile
+++ b/etc/profile-a-l/enox.profile
diff --git a/etc/enpass.profile b/etc/profile-a-l/enpass.profile
index 68113e294..68113e294 100644
--- a/etc/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
diff --git a/etc/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 13f498c03..80c704c6b 100644
--- a/etc/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -18,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/eog.profile b/etc/profile-a-l/eog.profile
index 6690b33ca..0d0153fc2 100644
--- a/etc/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -15,5 +15,10 @@ whitelist /usr/share/eog
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
 
+dbus-user filter
+dbus-user.own org.gnome.eog
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
 # Redirect
 include eo-common.profile
diff --git a/etc/eom.profile b/etc/profile-a-l/eom.profile
index 5bfeb8c8f..5bfeb8c8f 100644
--- a/etc/eom.profile
+++ b/etc/profile-a-l/eom.profile
diff --git a/etc/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index c688c2324..029f613c6 100644
--- a/etc/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -39,8 +39,6 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# nodbus breaks preferences
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -59,3 +57,7 @@ private-cache
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
+
+# breaks preferences
+# dbus-user none
+# dbus-system none
diff --git a/etc/epiphany.profile b/etc/profile-a-l/epiphany.profile
index 225811226..225811226 100644
--- a/etc/epiphany.profile
+++ b/etc/profile-a-l/epiphany.profile
diff --git a/etc/et.profile b/etc/profile-a-l/et.profile
index 4e70bb114..4e70bb114 100644
--- a/etc/et.profile
+++ b/etc/profile-a-l/et.profile
diff --git a/etc/etr.profile b/etc/profile-a-l/etr.profile
index 97a43bb59..1c34335d2 100644
--- a/etc/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -9,21 +9,25 @@ include globals.local
 noblacklist ${HOME}/.etr
 
 include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.etr
 whitelist ${HOME}/.etr
+whitelist /usr/share/etr
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +46,6 @@ private-cache
 private-dev
 # private-etc alternatives,drirc,machine-id,openal
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/evince-previewer.profile b/etc/profile-a-l/evince-previewer.profile
index 3857d6f7b..3857d6f7b 100644
--- a/etc/evince-previewer.profile
+++ b/etc/profile-a-l/evince-previewer.profile
diff --git a/etc/evince-thumbnailer.profile b/etc/profile-a-l/evince-thumbnailer.profile
index 080a04a52..080a04a52 100644
--- a/etc/evince-thumbnailer.profile
+++ b/etc/profile-a-l/evince-thumbnailer.profile
diff --git a/etc/evince.profile b/etc/profile-a-l/evince.profile
index 143a347e6..77a48f0ba 100644
--- a/etc/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -15,12 +15,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -29,8 +31,6 @@ machine-id
 # net none - breaks AppArmor on Ubuntu systems
 netfilter
 no3d
-# nodbus might break two-page-view on some systems
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,3 +51,7 @@ private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 # private-lib might break two-page-view on some systems
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
+
+# might break two-page-view on some systems
+dbus-user none
+dbus-system none
diff --git a/etc/evolution.profile b/etc/profile-a-l/evolution.profile
index 71a7a5600..422200ffe 100644
--- a/etc/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 # no3d breaks under wayland
@@ -41,4 +43,4 @@ shell none
 
 private-dev
 private-tmp
-
+writable-var
diff --git a/etc/exfalso.profile b/etc/profile-a-l/exfalso.profile
index 04bafdde4..192858304 100644
--- a/etc/exfalso.profile
+++ b/etc/profile-a-l/exfalso.profile
@@ -22,6 +22,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.quodlibet
@@ -35,7 +36,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -55,4 +55,7 @@ private-etc alternatives,fonts,group,passwd
 private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/exiftool.profile b/etc/profile-a-l/exiftool.profile
index daacbc0c7..90d8a0fc2 100644
--- a/etc/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +51,7 @@ private-dev
 private-etc alternatives
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/falkon.profile b/etc/profile-a-l/falkon.profile
index 0024b6660..0024b6660 100644
--- a/etc/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
diff --git a/etc/fbreader.profile b/etc/profile-a-l/fbreader.profile
index 701f14dce..e9fcc2231 100644
--- a/etc/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -11,15 +11,18 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nonewprivs
 noroot
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
new file mode 100644
index 000000000..179540806
--- /dev/null
+++ b/etc/profile-a-l/fdns.profile
@@ -0,0 +1,50 @@
+# Firejail profile for server
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fdns.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /sbin
+noblacklist /usr/sbin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+#include whitelist-usr-share-common.inc
+#include whitelist-var-common.inc
+
+caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot
+ipc-namespace
+# netfilter /etc/firejail/webserver.net
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+#seccomp
+#shell none
+
+disable-mnt
+private
+private-bin bash,fdns,sh
+# private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+# private-lib
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 5a72b60ea..2abd80b06 100644
--- a/etc/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/feedreader
@@ -23,6 +24,7 @@ whitelist ${HOME}/.cache/feedreader
 whitelist ${HOME}/.local/share/feedreader
 whitelist /usr/share/feedreader
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -47,3 +49,11 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.FeedReader
+dbus-user.own org.gnome.FeedReader.ArticleView
+dbus-user.talk org.freedesktop.secrets
+# Enable as you need.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
diff --git a/etc/feh.profile b/etc/profile-a-l/feh.profile
index 6a8071c28..3ee07e559 100644
--- a/etc/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -12,6 +12,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 # This profile disables network access
 # In order to enable network access,
@@ -21,7 +22,6 @@ include disable-programs.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +39,6 @@ private-cache
 private-dev
 private-etc alternatives,feh
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
new file mode 100644
index 000000000..9b4c5f114
--- /dev/null
+++ b/etc/profile-a-l/ferdi.profile
@@ -0,0 +1,46 @@
+# Firejail profile for ferdi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ferdi.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.cache/Ferdi
+noblacklist ${HOME}/.config/Ferdi
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/Ferdi
+mkdir ${HOME}/.config/Ferdi
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Ferdi
+whitelist ${HOME}/.config/Ferdi
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp
diff --git a/etc/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
index d64fe830f..d64fe830f 100644
--- a/etc/fetchmail.profile
+++ b/etc/profile-a-l/fetchmail.profile
diff --git a/etc/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index b392087e8..fb5c9ee57 100644
--- a/etc/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/devedeng
@@ -29,7 +30,6 @@ caps.drop all
 ipc-namespace
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +50,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute - it breaks old versions of ffmpeg
diff --git a/etc/ffmpegthumbnailer.profile b/etc/profile-a-l/ffmpegthumbnailer.profile
index 6d72c3b99..6d72c3b99 100644
--- a/etc/ffmpegthumbnailer.profile
+++ b/etc/profile-a-l/ffmpegthumbnailer.profile
diff --git a/etc/ffplay.profile b/etc/profile-a-l/ffplay.profile
index 04134cbf4..04134cbf4 100644
--- a/etc/ffplay.profile
+++ b/etc/profile-a-l/ffplay.profile
diff --git a/etc/ffprobe.profile b/etc/profile-a-l/ffprobe.profile
index e7c9f678d..e7c9f678d 100644
--- a/etc/ffprobe.profile
+++ b/etc/profile-a-l/ffprobe.profile
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
new file mode 100644
index 000000000..24339953b
--- /dev/null
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -0,0 +1,52 @@
+# Firejail profile for file managers
+# Description: Common profile for GUI file managers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include file-manager-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# File managers need to be able to see everything under ${HOME}
+# and be able to start arbitrary applications
+
+ignore noexec ${HOME}
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+#include disable-programs.inc
+
+allusers
+#apparmor
+caps.drop all
+#net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+
+#dbus-user none
+#dbus-system none
diff --git a/etc/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 253b82cfe..745b8b8e9 100644
--- a/etc/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -36,8 +37,10 @@ seccomp
 shell none
 tracelog
 
-private-bin 7z,7za,7zr,ar,arj,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,rar,rzip,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
+private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
 private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg
 # private-tmp
+
+dbus-system none
diff --git a/etc/file.profile b/etc/profile-a-l/file.profile
index 9b21818f8..74620d4cd 100644
--- a/etc/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -8,6 +8,7 @@ include file.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
@@ -21,7 +22,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,8 +38,11 @@ x11 none
 #private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd
 private-cache
 private-dev
-private-etc alternatives,localtime,magic,magic.mgc
-private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*
+#private-etc alternatives,localtime,magic,magic.mgc
+#private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*,libseccomp.so.*
+
+dbus-user none
+dbus-system none
 
 memory-deny-write-execute
 read-only ${HOME}
diff --git a/etc/filezilla.profile b/etc/profile-a-l/filezilla.profile
index d8d4c1746..6c7ab8f0d 100644
--- a/etc/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/firefox-beta.profile b/etc/profile-a-l/firefox-beta.profile
index fa8bbb1f5..fa8bbb1f5 100644
--- a/etc/firefox-beta.profile
+++ b/etc/profile-a-l/firefox-beta.profile
diff --git a/etc/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 323070289..7c343c26d 100644
--- a/etc/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -34,9 +34,6 @@ caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# nodbus breaks various desktop integration features
-# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,3 +53,8 @@ disable-mnt
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
+
+# breaks various desktop integration features
+# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
+dbus-user none
+dbus-system none
diff --git a/etc/firefox-developer-edition.profile b/etc/profile-a-l/firefox-developer-edition.profile
index 8c7ca3887..8c7ca3887 100644
--- a/etc/firefox-developer-edition.profile
+++ b/etc/profile-a-l/firefox-developer-edition.profile
diff --git a/etc/firefox-esr.profile b/etc/profile-a-l/firefox-esr.profile
index 6c1d77986..5e69fdb51 100644
--- a/etc/firefox-esr.profile
+++ b/etc/profile-a-l/firefox-esr.profile
@@ -6,5 +6,7 @@ include firefox-esr.local
 # added by included profile
 #include globals.local
 
+whitelist /usr/share/firefox-esr
+
 # Redirect
 include firefox.profile
diff --git a/etc/firefox-nightly.profile b/etc/profile-a-l/firefox-nightly.profile
index 96d2bf898..96d2bf898 100644
--- a/etc/firefox-nightly.profile
+++ b/etc/profile-a-l/firefox-nightly.profile
diff --git a/etc/firefox-wayland.profile b/etc/profile-a-l/firefox-wayland.profile
index 17c9f059e..17c9f059e 100644
--- a/etc/firefox-wayland.profile
+++ b/etc/profile-a-l/firefox-wayland.profile
diff --git a/etc/firefox-x11.profile b/etc/profile-a-l/firefox-x11.profile
index ffd64aad7..ffd64aad7 100644
--- a/etc/firefox-x11.profile
+++ b/etc/profile-a-l/firefox-x11.profile
diff --git a/etc/firefox.profile b/etc/profile-a-l/firefox.profile
index 0530516d8..337311ed8 100644
--- a/etc/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -15,6 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
 whitelist /usr/share/doc
+whitelist /usr/share/firefox
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext
@@ -27,5 +28,12 @@ include whitelist-usr-share-common.inc
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 
+dbus-user filter
+dbus-user.own org.mozilla.firefox.*
+dbus-user.own org.mpris.MediaPlayer2.firefox.*
+# Uncomment or put in your firefox.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+ignore dbus-user none
+
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/five-or-more.profile b/etc/profile-a-l/five-or-more.profile
new file mode 100644
index 000000000..2c86d3ac7
--- /dev/null
+++ b/etc/profile-a-l/five-or-more.profile
@@ -0,0 +1,21 @@
+# Firejail profile for five-or-more
+# Description: GNOME port of the once-popular Colour Lines game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include five-or-more.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/five-or-more
+
+mkdir ${HOME}/.local/share/five-or-more
+whitelist ${HOME}/.local/share/five-or-more
+
+whitelist /usr/share/five-or-more
+
+private-bin five-or-more
+
+dbus-user.own org.gnome.five-or-more
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/flacsplt.profile b/etc/profile-a-l/flacsplt.profile
index 2efef0f22..2efef0f22 100644
--- a/etc/flacsplt.profile
+++ b/etc/profile-a-l/flacsplt.profile
diff --git a/etc/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 3aad9723b..7c41417ec 100644
--- a/etc/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -8,6 +8,7 @@ include flameshot.local
 include globals.local
 
 noblacklist ${PICTURES}
+noblacklist ${HOME}/.config/Dharkael
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,13 +16,21 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
+#whitelist ${PICTURES}
+#whitelist ${HOME}/.config/Dharkael
+whitelist /usr/share/flameshot
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -33,11 +42,15 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
 private-dev
 private-tmp
 
+dbus-user filter
+dbus-user.own org.dharkael.Flameshot
+dbus-system none
diff --git a/etc/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index b841bce75..b841bce75 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
diff --git a/etc/flowblade.profile b/etc/profile-a-l/flowblade.profile
index 40472ab93..40472ab93 100644
--- a/etc/flowblade.profile
+++ b/etc/profile-a-l/flowblade.profile
diff --git a/etc/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
index c296c0491..c296c0491 100644
--- a/etc/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
diff --git a/etc/font-manager.profile b/etc/profile-a-l/font-manager.profile
index ae0e32d1e..acad6ad13 100644
--- a/etc/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/font-manager
diff --git a/etc/fontforge.profile b/etc/profile-a-l/fontforge.profile
index 6d305e2af..6d305e2af 100644
--- a/etc/fontforge.profile
+++ b/etc/profile-a-l/fontforge.profile
diff --git a/etc/fossamail.profile b/etc/profile-a-l/fossamail.profile
index 2d700d336..2d700d336 100644
--- a/etc/fossamail.profile
+++ b/etc/profile-a-l/fossamail.profile
diff --git a/etc/profile-a-l/four-in-a-row.profile b/etc/profile-a-l/four-in-a-row.profile
new file mode 100644
index 000000000..eb0c43ca5
--- /dev/null
+++ b/etc/profile-a-l/four-in-a-row.profile
@@ -0,0 +1,19 @@
+# Firejail profile for four-in-a-row
+# Description: four-in-a-row game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include four-in-a-row.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/four-in-a-row
+
+private-bin four-in-a-row
+
+dbus-user.own org.gnome.Four-in-a-row
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/franz.profile b/etc/profile-a-l/franz.profile
index 344804ca9..344804ca9 100644
--- a/etc/franz.profile
+++ b/etc/profile-a-l/franz.profile
diff --git a/etc/freecad.profile b/etc/profile-a-l/freecad.profile
index 6f0f52a55..0a1d4a750 100644
--- a/etc/freecad.profile
+++ b/etc/profile-a-l/freecad.profile
@@ -24,7 +24,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +41,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/freecadcmd.profile b/etc/profile-a-l/freecadcmd.profile
index 44bf62cfe..44bf62cfe 100644
--- a/etc/freecadcmd.profile
+++ b/etc/profile-a-l/freecadcmd.profile
diff --git a/etc/freeciv-gtk3.profile b/etc/profile-a-l/freeciv-gtk3.profile
index fa36459e7..fa36459e7 100644
--- a/etc/freeciv-gtk3.profile
+++ b/etc/profile-a-l/freeciv-gtk3.profile
diff --git a/etc/freeciv-mp-gtk3.profile b/etc/profile-a-l/freeciv-mp-gtk3.profile
index fa36459e7..fa36459e7 100644
--- a/etc/freeciv-mp-gtk3.profile
+++ b/etc/profile-a-l/freeciv-mp-gtk3.profile
diff --git a/etc/freeciv.profile b/etc/profile-a-l/freeciv.profile
index fa115d325..0fe933478 100644
--- a/etc/freeciv.profile
+++ b/etc/profile-a-l/freeciv.profile
@@ -21,10 +21,10 @@ whitelist ${HOME}/.freeciv
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-bin freeciv-gtk3,freeciv-manual,freeciv-mp-gtk3,freeciv-server
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/freecol.profile b/etc/profile-a-l/freecol.profile
index baeb4c528..3cbd2ff53 100644
--- a/etc/freecol.profile
+++ b/etc/profile-a-l/freecol.profile
@@ -37,7 +37,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +53,6 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/freemind.profile b/etc/profile-a-l/freemind.profile
index ba945c0fb..0ffb5c54d 100644
--- a/etc/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -27,7 +27,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,6 @@ private-dev
 private-tmp
 private-opt none
 private-srv none
+
+dbus-user none
+dbus-system none
diff --git a/etc/freeoffice-planmaker.profile b/etc/profile-a-l/freeoffice-planmaker.profile
index b6ca167eb..9449e7c48 100644
--- a/etc/freeoffice-planmaker.profile
+++ b/etc/profile-a-l/freeoffice-planmaker.profile
@@ -7,4 +7,4 @@ include freeoffice-planmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/freeoffice-presentations.profile b/etc/profile-a-l/freeoffice-presentations.profile
index 43661028c..636868e2e 100644
--- a/etc/freeoffice-presentations.profile
+++ b/etc/profile-a-l/freeoffice-presentations.profile
@@ -7,4 +7,4 @@ include freeoffice-presentations.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/freeoffice-textmaker.profile b/etc/profile-a-l/freeoffice-textmaker.profile
index f7d30eaed..5d98d1cc6 100644
--- a/etc/freeoffice-textmaker.profile
+++ b/etc/profile-a-l/freeoffice-textmaker.profile
@@ -6,4 +6,4 @@ include freeoffice-textmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
new file mode 100644
index 000000000..91f0caf87
--- /dev/null
+++ b/etc/profile-a-l/freetube.profile
@@ -0,0 +1,31 @@
+# Firejail profile for freetube
+# Description: Youtube client with local subscription feature
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freetube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/FreeTube
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc 
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/FreeTube
+whitelist ${HOME}/.config/FreeTube
+
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin freetube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/freshclam.profile b/etc/profile-a-l/freshclam.profile
index 2bab79e2e..2bab79e2e 100644
--- a/etc/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
new file mode 100644
index 000000000..653272499
--- /dev/null
+++ b/etc/profile-a-l/frogatto.profile
@@ -0,0 +1,50 @@
+# Firejail profile for frogatto
+# Description: 2D platformer game starring a quixotic frog
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frogatto.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.frogatto
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.frogatto
+whitelist ${HOME}/.frogatto
+whitelist /usr/share/frogatto
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin frogatto,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index 6cef181c8..9245ae3a9 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -13,18 +13,23 @@ include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.frozen-bubble
 whitelist ${HOME}/.frozen-bubble
+whitelist /usr/share/perl5
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -35,8 +40,12 @@ novideo
 protocol unix,netlink
 seccomp
 shell none
+tracelog
 
 disable-mnt
 # private-bin frozen-bubble
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/gajim-history-manager.profile b/etc/profile-a-l/gajim-history-manager.profile
index 2ae6dd9d8..2ae6dd9d8 100644
--- a/etc/gajim-history-manager.profile
+++ b/etc/profile-a-l/gajim-history-manager.profile
diff --git a/etc/gajim.profile b/etc/profile-a-l/gajim.profile
index 85d9b9bd9..85d9b9bd9 100644
--- a/etc/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
diff --git a/etc/galculator.profile b/etc/profile-a-l/galculator.profile
index f757aed69..89f20b923 100644
--- a/etc/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/galculator
@@ -26,7 +27,6 @@ caps.drop all
 #hostname galculator - breaks Arch Linux
 #ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +47,7 @@ private-etc alternatives,fonts
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
new file mode 100644
index 000000000..74b468020
--- /dev/null
+++ b/etc/profile-a-l/gapplication.profile
@@ -0,0 +1,71 @@
+# Firejail profile for gapplication
+# Description: D-Bus application launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gapplication.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin gapplication
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+# Uncomment (or add to your gapplcation.local) the next line to filter D-Bus names.
+# You might need to add additional dbus-user.talk rules. see 'gapplication list-apps'.
+#dbus-user filter
+dbus-user.talk org.gnome.Boxes
+dbus-user.talk org.gnome.Builder
+dbus-user.talk org.gnome.Calendar
+dbus-user.talk org.gnome.ChromeGnomeShell
+dbus-user.talk org.gnome.DejaDup
+dbus-user.talk org.gnome.DiskUtility
+dbus-user.talk org.gnome.Extensions
+dbus-user.talk org.gnome.Maps
+dbus-user.talk org.gnome.Nautilus
+dbus-user.talk org.gnome.Shell.PortalHelper
+dbus-user.talk org.gnome.Software
+dbus-user.talk org.gnome.Weather
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/gcalccmd.profile b/etc/profile-a-l/gcalccmd.profile
index 691d6b0c4..691d6b0c4 100644
--- a/etc/gcalccmd.profile
+++ b/etc/profile-a-l/gcalccmd.profile
diff --git a/etc/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 7ca99f420..46a862a21 100644
--- a/etc/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -21,7 +21,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 # required for sudo-free docker
 #nogroups
@@ -38,3 +37,6 @@ disable-mnt
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/gconf-editor.profile b/etc/profile-a-l/gconf-editor.profile
index cb39174e5..cb39174e5 100644
--- a/etc/gconf-editor.profile
+++ b/etc/profile-a-l/gconf-editor.profile
diff --git a/etc/gconf-merge-schema.profile b/etc/profile-a-l/gconf-merge-schema.profile
index 619f801b0..619f801b0 100644
--- a/etc/gconf-merge-schema.profile
+++ b/etc/profile-a-l/gconf-merge-schema.profile
diff --git a/etc/gconf-merge-tree.profile b/etc/profile-a-l/gconf-merge-tree.profile
index 2f6bfe5e5..2f6bfe5e5 100644
--- a/etc/gconf-merge-tree.profile
+++ b/etc/profile-a-l/gconf-merge-tree.profile
diff --git a/etc/gconf.profile b/etc/profile-a-l/gconf.profile
index 96848575d..96848575d 100644
--- a/etc/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
diff --git a/etc/gconfpkg.profile b/etc/profile-a-l/gconfpkg.profile
index 5bfc1250a..5bfc1250a 100644
--- a/etc/gconfpkg.profile
+++ b/etc/profile-a-l/gconfpkg.profile
diff --git a/etc/gconftool-2.profile b/etc/profile-a-l/gconftool-2.profile
index 947e4252f..947e4252f 100644
--- a/etc/gconftool-2.profile
+++ b/etc/profile-a-l/gconftool-2.profile
diff --git a/etc/geany.profile b/etc/profile-a-l/geany.profile
index 31599e32a..31599e32a 100644
--- a/etc/geany.profile
+++ b/etc/profile-a-l/geany.profile
diff --git a/etc/geary.profile b/etc/profile-a-l/geary.profile
index eb427c077..fa01d04b7 100644
--- a/etc/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -10,7 +10,8 @@ include geary.local
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 ignore private-tmp
 
 noblacklist ${HOME}/.gnupg
diff --git a/etc/gedit.profile b/etc/profile-a-l/gedit.profile
index a4471077a..17b7ad563 100644
--- a/etc/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
@@ -26,7 +27,6 @@ caps.drop all
 machine-id
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +46,6 @@ private-dev
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 6398505ed..e06a9afad 100644
--- a/etc/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,6 +47,9 @@ private-lib gcc/*/*/libstdc++.so.*
 private-opt none
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
 
 read-only ${HOME}
diff --git a/etc/geeqie.profile b/etc/profile-a-l/geeqie.profile
index 8810ca161..8810ca161 100644
--- a/etc/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
diff --git a/etc/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index d332c1bbe..d97ab530b 100644
--- a/etc/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/gfeeds
@@ -29,6 +30,7 @@ whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -37,7 +39,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -57,3 +58,8 @@ private-bin gfeeds,python3*
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gabmus.gfeeds
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/ghb.profile b/etc/profile-a-l/ghb.profile
index 1e7ce2350..1e7ce2350 100644
--- a/etc/ghb.profile
+++ b/etc/profile-a-l/ghb.profile
diff --git a/etc/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 27becf8fe..5bb410278 100644
--- a/etc/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -17,13 +17,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
-#whitelist /usr/share/ghostwriter
-#whitelist /usr/share/mozilla-dicts
-#whitelist /usr/share/texlive
-#whitelist /usr/share/pandoc*
-#include whitelist-usr-share-common.inc
+whitelist /usr/share/ghostwriter
+whitelist /usr/share/mozilla-dicts
+whitelist /usr/share/texlive
+whitelist /usr/share/pandoc*
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 
 apparmor
 caps.drop all
@@ -48,3 +50,6 @@ private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/gimp-2.10.profile b/etc/profile-a-l/gimp-2.10.profile
index dbf49ac22..dbf49ac22 100644
--- a/etc/gimp-2.10.profile
+++ b/etc/profile-a-l/gimp-2.10.profile
diff --git a/etc/gimp-2.8.profile b/etc/profile-a-l/gimp-2.8.profile
index dbf49ac22..dbf49ac22 100644
--- a/etc/gimp-2.8.profile
+++ b/etc/profile-a-l/gimp-2.8.profile
diff --git a/etc/gimp.profile b/etc/profile-a-l/gimp.profile
index 94035bc02..8093c0c39 100644
--- a/etc/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -36,7 +36,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,3 +50,6 @@ tracelog
 
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/gist-paste.profile b/etc/profile-a-l/gist-paste.profile
index 56b3176ed..56b3176ed 100644
--- a/etc/gist-paste.profile
+++ b/etc/profile-a-l/gist-paste.profile
diff --git a/etc/gist.profile b/etc/profile-a-l/gist.profile
index 59fcb2775..681fc2829 100644
--- a/etc/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -36,7 +36,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,4 +55,7 @@ private-dev
 private-etc alternatives
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
new file mode 100644
index 000000000..30e80f519
--- /dev/null
+++ b/etc/profile-a-l/git-cola.profile
@@ -0,0 +1,66 @@
+# Firejail profile for git-cola
+# Description: Linux native frontend for Git
+# This file is overwritten after every install/update
+# Persistent local customizations
+include git-cola.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.git-credentials
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.config/git
+noblacklist ${HOME}/.config/git-cola
+# Put your editor,diff viewer config path below and uncomment to load settings
+# noblacklist ${HOME}/
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+# private-bin atom,bash,colordiff,emacs,fldiff,geany,gedit,git,git gui,git-cola,git-dag,gitk,gpg,gvim,leafpad,meld,mousepad,nano,notepadqq,python*,sh,ssh,vim,vimdiff,which,xed
+private-cache
+private-dev
+# Comment if you sign commits with GPG
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user filter
+# Uncomment if you need keyring access
+# dbus-user.talk org.freedesktop.secrets
+dbus-system none
+
+read-only ${HOME}/.ssh
+read-only ${HOME}/.gnupg
+read-only ${HOME}/.git-credentials
diff --git a/etc/git.profile b/etc/profile-a-l/git.profile
index e5a2f3985..e5a2f3985 100644
--- a/etc/git.profile
+++ b/etc/profile-a-l/git.profile
diff --git a/etc/gitg.profile b/etc/profile-a-l/gitg.profile
index 56f8e136f..71b8e9b11 100644
--- a/etc/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -19,7 +19,16 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+#whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY
+#whitelist ${HOME}/.config/git
+#whitelist ${HOME}/.gitconfig
+#whitelist ${HOME}/.git-credentials
+#whitelist ${HOME}/.local/share/gitg
+#whitelist ${HOME}/.ssh
+#include whitelist-common.inc
+
 whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -43,3 +52,10 @@ private-bin git,gitg,ssh
 private-cache
 private-dev
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.gitg
+dbus-user.talk ca.desrt.dconf
+# Uncomment (or put in your gitg.local) if you need keyring access.
+#dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index b25b138ad..152396553 100644
--- a/etc/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -30,7 +30,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
 # Note: On debian-based distributions the binary might be located in
 # /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
diff --git a/etc/gitter.profile b/etc/profile-a-l/gitter.profile
index 017b1765a..017b1765a 100644
--- a/etc/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
diff --git a/etc/gjs.profile b/etc/profile-a-l/gjs.profile
index 85dd57f29..9c8848b8a 100644
--- a/etc/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/globaltime.profile b/etc/profile-a-l/globaltime.profile
index bb78a608e..bb78a608e 100644
--- a/etc/globaltime.profile
+++ b/etc/profile-a-l/globaltime.profile
diff --git a/etc/gmpc.profile b/etc/profile-a-l/gmpc.profile
index b1546db30..b3aad8b2c 100644
--- a/etc/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -30,7 +30,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-etc alternatives,fonts
 private-tmp
 writable-run-user
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/gnome-2048.profile b/etc/profile-a-l/gnome-2048.profile
new file mode 100644
index 000000000..777c81dbe
--- /dev/null
+++ b/etc/profile-a-l/gnome-2048.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-2048
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-2048.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-2048
+
+mkdir ${HOME}/.local/share/gnome-2048
+whitelist ${HOME}/.local/share/gnome-2048
+
+private-bin gnome-2048
+
+dbus-user.own org.gnome.TwentyFortyEight
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 84e38d0e1..998109ca7 100644
--- a/etc/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -23,8 +23,9 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index eaf48931d..7a684dd59 100644
--- a/etc/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index 6709a331e..ceb01f2a0 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -13,9 +13,11 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -23,10 +25,9 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
-# net none
+#net none -- breaks currency conversion
 netfilter
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -38,6 +39,7 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
 private-bin gnome-calculator
@@ -46,4 +48,7 @@ private-dev
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
 
-# memory-deny-write-execute
+dbus-user filter
+dbus-user.own org.gnome.Calculator
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
new file mode 100644
index 000000000..3e815234c
--- /dev/null
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -0,0 +1,62 @@
+# Firejail profile for gnome-calendar
+# Description: Calendar for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-calendar.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/libgweather
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin gnome-calendar
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Calendar
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.evolution.dataserver.*
+#dbus-user.talk org.gnome.OnlineAccounts
+#dbus-user.talk org.gnome.ControlCenter
+# NOTE: dbus-system none fails, filter without rules works.
+dbus-system filter
+#dbus-system.talk org.freedesktop.timedate1
+#dbus-system.talk org.freedesktop.login1
+#dbus-system.talk org.freedesktop.GeoClue2
+
+read-only ${HOME}
diff --git a/etc/gnome-character-map.profile b/etc/profile-a-l/gnome-character-map.profile
index 27804fdd0..27804fdd0 100644
--- a/etc/gnome-character-map.profile
+++ b/etc/profile-a-l/gnome-character-map.profile
diff --git a/etc/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 2d4724610..f4f3ae2d7 100644
--- a/etc/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -15,20 +15,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/org.gnome.Characters
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 net none
 no3d
-# Uncomment the next line (or add it to your gnome-characters.local)
-# if you don't need recently used chars
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +52,9 @@ private-dev
 private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg
 private-tmp
 
+# Uncomment the next lines (or add it to your gnome-characters.local)
+# if you don't need recently used chars
+# dbus-user none
+# dbus-system none
+
 read-only ${HOME}
diff --git a/etc/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index e657293ac..84a3cabd6 100644
--- a/etc/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -6,6 +6,7 @@ include gnome-chess.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/gnome-chess
 noblacklist ${HOME}/.local/share/gnome-chess
 
 include disable-common.inc
@@ -14,8 +15,17 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.local/share/gnome-chess
+#whitelist ${HOME}/.local/share/gnome-chess
+#include whitelist-common.inc
+
+whitelist /usr/share/gnuchess
+whitelist /usr/share/gnome-chess
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 025335a23..fc899178f 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -12,11 +12,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/gnome-clocks
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index ac6d82451..7a38bdc8a 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -17,11 +17,12 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-no3d
+#no3d - breaks on Arch
 nodvd
 nonewprivs
 noroot
diff --git a/etc/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
index 705fe624e..705fe624e 100644
--- a/etc/gnome-documents.profile
+++ b/etc/profile-a-l/gnome-documents.profile
diff --git a/etc/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile
index 468ef0401..b2327133c 100644
--- a/etc/gnome-font-viewer.profile
+++ b/etc/profile-a-l/gnome-font-viewer.profile
@@ -17,8 +17,9 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nonewprivs
diff --git a/etc/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 386c33d7f..5ae7bbe01 100644
--- a/etc/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -12,19 +12,18 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/wayland-0
 whitelist /usr/share/gnome-hexgl
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,8 +41,11 @@ private
 private-bin gnome-hexgl
 private-cache
 private-dev
-private-etc machine-id
+private-etc alsa,asound.conf,machine-id,pulse
 private-tmp
 
+dbus-user none
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.cache/mesa_shader_cache
diff --git a/etc/gnome-keyring-3.profile b/etc/profile-a-l/gnome-keyring-3.profile
index e9961e4f0..e9961e4f0 100644
--- a/etc/gnome-keyring-3.profile
+++ b/etc/profile-a-l/gnome-keyring-3.profile
diff --git a/etc/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 7e2d701b7..ecbb74158 100644
--- a/etc/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -31,7 +31,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,4 +51,7 @@ private-dev
 #private-lib alternatives,gnome-keyring,libsecret-1.so.*,pkcs11,security
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-klotski.profile b/etc/profile-a-l/gnome-klotski.profile
new file mode 100644
index 000000000..c67a5c0da
--- /dev/null
+++ b/etc/profile-a-l/gnome-klotski.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-klotski
+# Description: Sliding block puzzles game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-klotski.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-klotski
+
+mkdir ${HOME}/.local/share/gnome-klotski
+whitelist ${HOME}/.local/share/gnome-klotski
+
+private-bin gnome-klotski
+
+dbus-user.own org.gnome.Klotski
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 1bf48c6ab..eb5e9ec40 100644
--- a/etc/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 whitelist /usr/share/gnome-latex
 whitelist /usr/share/perl5
 whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
 #include whitelist-var-common.inc
@@ -48,3 +49,5 @@ private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
 private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+
+dbus-system none
diff --git a/etc/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 0c5bec144..41218d3f7 100644
--- a/etc/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -12,9 +12,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /var/log/journal
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -23,7 +25,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
 # comment both 'nogroups' and 'noroot'
@@ -49,6 +50,9 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 writable-var-log
 
+dbus-user none
+dbus-system none
+
 # comment this if you export logs to a file in your ${HOME}
 # or put 'ignore read-only ${HOME}' in your gnome-logs.local.
 read-only ${HOME}
diff --git a/etc/profile-a-l/gnome-mahjongg.profile b/etc/profile-a-l/gnome-mahjongg.profile
new file mode 100644
index 000000000..42409dce8
--- /dev/null
+++ b/etc/profile-a-l/gnome-mahjongg.profile
@@ -0,0 +1,16 @@
+# Firejail profile for gnome-mahjongg
+# Description: A matching game played with Mahjongg tiles
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mahjongg.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/gnome-mahjongg
+
+private-bin gnome-mahjongg
+
+dbus-user.own org.gnome.Mahjongg
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index 62350b862..eb0030dda 100644
--- a/etc/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -13,7 +13,6 @@ include globals.local
 
 noblacklist ${HOME}/.cache/champlain
 noblacklist ${HOME}/.cache/org.gnome.Maps
-noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/maps-places.json
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
@@ -25,6 +24,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/champlain
@@ -36,6 +36,7 @@ whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -62,3 +63,11 @@ private-bin gjs,gnome-maps
 private-dev
 private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Maps
+#dbus-user.talk org.freedesktop.secrets
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system filter
+#dbus-system.talk org.freedesktop.NetworkManager
+dbus-system.talk org.freedesktop.GeoClue2
diff --git a/etc/profile-a-l/gnome-mines.profile b/etc/profile-a-l/gnome-mines.profile
new file mode 100644
index 000000000..4fe8986c2
--- /dev/null
+++ b/etc/profile-a-l/gnome-mines.profile
@@ -0,0 +1,20 @@
+# Firejail profile for gnome-mines
+# Description: The popular logic puzzle minesweeper
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mines.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-mines
+
+mkdir ${HOME}/.local/share/gnome-mines
+whitelist ${HOME}/.local/share/gnome-mines
+whitelist /usr/share/gnome-mines
+
+private-bin gnome-mines
+
+dbus-user.own org.gnome.Mines
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 12bee6448..12bee6448 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
diff --git a/etc/gnome-mpv.profile b/etc/profile-a-l/gnome-mpv.profile
index f5d652732..f5d652732 100644
--- a/etc/gnome-mpv.profile
+++ b/etc/profile-a-l/gnome-mpv.profile
diff --git a/etc/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index ad3fa1753..36b46897c 100644
--- a/etc/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -21,8 +21,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
@@ -37,8 +39,9 @@ seccomp
 shell none
 tracelog
 
-private-bin env,gio-launch-desktop,gnome-music,python*,yelp
+# private-bin calls a file manager - whatever is installed!
+#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
 private-tmp
 
diff --git a/etc/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index d15299890..33eb9c81a 100644
--- a/etc/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -24,7 +25,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 # ping needs to elevate privileges, noroot and nonewprivs will kill it
@@ -44,3 +44,5 @@ private-dev
 private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libgtk-3.so.*,libgtop*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.*
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gnome-nibbles.profile b/etc/profile-a-l/gnome-nibbles.profile
new file mode 100644
index 000000000..b22810d34
--- /dev/null
+++ b/etc/profile-a-l/gnome-nibbles.profile
@@ -0,0 +1,23 @@
+# Firejail profile for gnome-nibbles
+# Description: A worm game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-nibbles.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+noblacklist ${HOME}/.local/share/gnome-nibbles
+
+mkdir ${HOME}/.local/share/gnome-nibbles
+whitelist ${HOME}/.local/share/gnome-nibbles
+whitelist /usr/share/gnome-nibbles
+
+private-bin gnome-nibbles
+
+dbus-user.own org.gnome.Nibbles
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index de8f6ad7d..615be7873 100644
--- a/etc/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -19,15 +19,12 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-# If you have a second wayland compositor, whitelist its socket here.
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/gdm/Xauthority
-
 whitelist /usr/share/cracklib
 whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index aa0b7dbe3..2af406af9 100644
--- a/etc/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -17,8 +17,10 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index c1d2dae35..c1d2dae35 100644
--- a/etc/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
new file mode 100644
index 000000000..a46e47759
--- /dev/null
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -0,0 +1,59 @@
+# Firejail profile for gnome-pomodoro
+# Description: time management utility for GNOME based on the pomodoro technique
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-pomodoro.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-pomodoro
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/gnome-pomodoro
+whitelist ${HOME}/.local/share/gnome-pomodoro
+whitelist /usr/share/gnome-pomodoro
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-pomodoro
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Pomodoro
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Mutter.IdleMonitor
+dbus-user.talk org.gnome.Shell
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.local/share/gnome-pomodoro
diff --git a/etc/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index b4791afc5..c4969590f 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.cache/gnome-recipes
 mkdir ${HOME}/.local/share/gnome-recipes
@@ -26,6 +27,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
diff --git a/etc/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 78ceb9c4f..78ceb9c4f 100644
--- a/etc/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
diff --git a/etc/profile-a-l/gnome-robots.profile b/etc/profile-a-l/gnome-robots.profile
new file mode 100644
index 000000000..8835f2b93
--- /dev/null
+++ b/etc/profile-a-l/gnome-robots.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-robots
+# Description: Based on classic BSD Robots
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-robots.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/gnome-robots
+
+private-bin gnome-robots
+
+dbus-user.own org.gnome.Robots
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index c8dd8ead7..55913a2d7 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -39,6 +39,7 @@ whitelist /usr/share/gnome-schedule
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
new file mode 100644
index 000000000..82fb1b658
--- /dev/null
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -0,0 +1,50 @@
+# Firejail profile for gnome-screenshot
+# Description: GNOME screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-screenshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/gnome-screenshot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-screenshot
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system none
diff --git a/etc/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 7f8fc8a0c..a64ec25a9 100644
--- a/etc/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -7,7 +7,6 @@ include gnome-sound-recorder.local
 include globals.local
 
 noblacklist ${MUSIC}
-noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/Trash
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
diff --git a/etc/profile-a-l/gnome-sudoku.profile b/etc/profile-a-l/gnome-sudoku.profile
new file mode 100644
index 000000000..12fd48a86
--- /dev/null
+++ b/etc/profile-a-l/gnome-sudoku.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-sudoku
+# Description: puzzle game for the popular Japanese sudoku logic puzzle
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sudoku.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-sudoku
+
+mkdir ${HOME}/.local/share/gnome-sudoku
+whitelist ${HOME}/.local/share/gnome-sudoku
+
+private-bin gnome-sudoku
+
+dbus-user.own org.gnome.Sudoku
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index cfe39d18b..14b0f758e 100644
--- a/etc/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -12,6 +12,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /var/log
@@ -24,7 +25,6 @@ caps.drop all
 ipc-namespace
 # net none - breaks dbus
 no3d
-# nodbus
 nodvd
 # When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
 # comment both 'nogroups' and 'noroot'
@@ -49,6 +49,9 @@ private-lib
 private-tmp
 writable-var-log
 
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
 
 # comment this if you export logs to a file in your ${HOME}
diff --git a/etc/profile-a-l/gnome-taquin.profile b/etc/profile-a-l/gnome-taquin.profile
new file mode 100644
index 000000000..2341334f7
--- /dev/null
+++ b/etc/profile-a-l/gnome-taquin.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gnome-taquin
+# Description: A sliding puzzle game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-taquin.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/gnome-taquin
+
+private-bin gnome-taquin
+
+dbus-user.own org.gnome.Taquin
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-tetravex.profile b/etc/profile-a-l/gnome-tetravex.profile
new file mode 100644
index 000000000..6e820dd70
--- /dev/null
+++ b/etc/profile-a-l/gnome-tetravex.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gnome-tetravex
+# Description: A simple puzzle game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-tetravex.local
+# Persistent global definitions
+include globals.local
+
+private-bin gnome-tetravex
+
+dbus-user.own org.gnome.Tetravex
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
new file mode 100644
index 000000000..2fab3dcc7
--- /dev/null
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -0,0 +1,64 @@
+# Firejail profile for gnome-todo
+# Description: Personal task manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-todo.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gnome-todo
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private
+private-bin gnome-todo
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Todo
+dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
+#dbus-user.talk org.gnome.evolution.dataserver.Calendar8
+#dbus-user.talk org.gnome.evolution.dataserver.Sources5
+#dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
+#dbus-system filter
+#dbus-system.talk org.freedesktop.login1
+
+read-only ${HOME}
diff --git a/etc/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
index 5e8153035..5e8153035 100644
--- a/etc/gnome-twitch.profile
+++ b/etc/profile-a-l/gnome-twitch.profile
diff --git a/etc/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index 10db6296b..a181f1b9e 100644
--- a/etc/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
new file mode 100644
index 000000000..c46fbc1d9
--- /dev/null
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -0,0 +1,48 @@
+# Firejail profile for gnome_games-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome_games-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11
+private-tmp
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
new file mode 100644
index 000000000..1b5129fc5
--- /dev/null
+++ b/etc/profile-a-l/gnote.profile
@@ -0,0 +1,59 @@
+# Firejail profile for gnote
+# Description: A simple note-taking application for Gnome
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnote.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gnote
+noblacklist ${HOME}/.local/share/gnote
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gnote
+mkdir ${HOME}/.local/share/gnote
+whitelist ${HOME}/.config/gnote
+whitelist ${HOME}/.local/share/gnote
+whitelist /usr/share/gnote
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnote
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,pango,X11
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Gnote
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
new file mode 100644
index 000000000..8eaba161c
--- /dev/null
+++ b/etc/profile-a-l/gnubik.profile
@@ -0,0 +1,50 @@
+# Firejail profile for gnubik
+# Description: DESCRIPTION
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnubik.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gnubik
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin gnubik
+private-cache
+private-dev
+private-etc drirc,fonts,gtk-2.0
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/godot.profile b/etc/profile-a-l/godot.profile
index 2baf09b1d..8324a4eb5 100644
--- a/etc/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,6 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/goobox.profile b/etc/profile-a-l/goobox.profile
index c932ad528..c932ad528 100644
--- a/etc/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
diff --git a/etc/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index 73101f509..a62e4cf74 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
 
+noblacklist ${HOME}/.config/chrome-beta-flags.conf
+noblacklist ${HOME}/.config/chrome-beta-flags.config
+
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
 whitelist ${HOME}/.cache/google-chrome-beta
 whitelist ${HOME}/.config/google-chrome-beta
 
+whitelist ${HOME}/.config/chrome-beta-flags.conf
+whitelist ${HOME}/.config/chrome-beta-flags.config
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/google-chrome-stable.profile b/etc/profile-a-l/google-chrome-stable.profile
index a456e8d61..a456e8d61 100644
--- a/etc/google-chrome-stable.profile
+++ b/etc/profile-a-l/google-chrome-stable.profile
diff --git a/etc/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 50e9923aa..14547eab2 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
 
+noblacklist ${HOME}/.config/chrome-unstable-flags.conf
+noblacklist ${HOME}/.config/chrome-unstable-flags.config
+
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
 whitelist ${HOME}/.cache/google-chrome-unstable
 whitelist ${HOME}/.config/google-chrome-unstable
 
+whitelist ${HOME}/.config/chrome-unstable-flags.conf
+whitelist ${HOME}/.config/chrome-unstable-flags.config
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index c69e98271..66f76caa0 100644
--- a/etc/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -8,10 +8,16 @@ include globals.local
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
 
+noblacklist ${HOME}/.config/chrome-flags.conf
+noblacklist ${HOME}/.config/chrome-flags.config
+
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
 whitelist ${HOME}/.cache/google-chrome
 whitelist ${HOME}/.config/google-chrome
 
+whitelist ${HOME}/.config/chrome-flags.conf
+whitelist ${HOME}/.config/chrome-flags.config
+
 # Redirect
 include chromium-common.profile
diff --git a/etc/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile
index c1f919769..c1f919769 100644
--- a/etc/google-earth-pro.profile
+++ b/etc/profile-a-l/google-earth-pro.profile
diff --git a/etc/google-earth.profile b/etc/profile-a-l/google-earth.profile
index a331ef8d2..a331ef8d2 100644
--- a/etc/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
diff --git a/etc/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index daa385234..daa385234 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
diff --git a/etc/gpa.profile b/etc/profile-a-l/gpa.profile
index ce7c8496d..ce7c8496d 100644
--- a/etc/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
diff --git a/etc/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index 16bda186e..adc8957e6 100644
--- a/etc/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -21,9 +21,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gpg.profile b/etc/profile-a-l/gpg.profile
index b408a0123..787f35f9e 100644
--- a/etc/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -18,9 +18,12 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gpg2.profile b/etc/profile-a-l/gpg2.profile
index b831b0f62..b831b0f62 100644
--- a/etc/gpg2.profile
+++ b/etc/profile-a-l/gpg2.profile
diff --git a/etc/gpicview.profile b/etc/profile-a-l/gpicview.profile
index eb00688dd..a536e5985 100644
--- a/etc/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 whitelist /usr/share/gpicview
 include whitelist-usr-share-common.inc
@@ -24,7 +25,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +45,7 @@ private-etc alternatives,fonts,group,passwd
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/gpredict.profile b/etc/profile-a-l/gpredict.profile
index c1f1b53a0..3152db096 100644
--- a/etc/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/Gpredict
 whitelist ${HOME}/.config/Gpredict
diff --git a/etc/gradio.profile b/etc/profile-a-l/gradio.profile
index 82e2504b9..a16e65efb 100644
--- a/etc/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -14,12 +14,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/gradio
 mkdir ${HOME}/.local/share/gradio
 whitelist ${HOME}/.cache/gradio
 whitelist ${HOME}/.local/share/gradio
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -30,11 +33,23 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
+disable-mnt
+private-bin gradio
+private-cache
+private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
+dbus-user filter
+dbus-user.own de.haeckerfelix.gradio
+dbus-user.own org.mpris.MediaPlayer2.gradio
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/gramps.profile b/etc/profile-a-l/gramps.profile
index 54b154964..427fe2d7a 100644
--- a/etc/gramps.profile
+++ b/etc/profile-a-l/gramps.profile
@@ -30,7 +30,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
new file mode 100644
index 000000000..0cb3aa864
--- /dev/null
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -0,0 +1,47 @@
+# Firejail profile for gravity-beams-and-evaporating-stars
+# Description: a game about hurling asteroids into the sun
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gravity-beams-and-evaporating-stars.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gravity-beams-and-evaporating-stars
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin gravity-beams-and-evaporating-stars
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/gsettings-data-convert.profile b/etc/profile-a-l/gsettings-data-convert.profile
index 6f1d43939..6f1d43939 100644
--- a/etc/gsettings-data-convert.profile
+++ b/etc/profile-a-l/gsettings-data-convert.profile
diff --git a/etc/gsettings-schema-convert.profile b/etc/profile-a-l/gsettings-schema-convert.profile
index 5c8b0e2e2..5c8b0e2e2 100644
--- a/etc/gsettings-schema-convert.profile
+++ b/etc/profile-a-l/gsettings-schema-convert.profile
diff --git a/etc/gsettings.profile b/etc/profile-a-l/gsettings.profile
index 2203fac15..2203fac15 100644
--- a/etc/gsettings.profile
+++ b/etc/profile-a-l/gsettings.profile
diff --git a/etc/gtar.profile b/etc/profile-a-l/gtar.profile
index 2391c121b..2391c121b 100644
--- a/etc/gtar.profile
+++ b/etc/profile-a-l/gtar.profile
diff --git a/etc/gthumb.profile b/etc/profile-a-l/gthumb.profile
index 77de59802..de0fc96ae 100644
--- a/etc/gthumb.profile
+++ b/etc/profile-a-l/gthumb.profile
@@ -15,6 +15,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 nodvd
diff --git a/etc/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index 668a48f9a..2051a8af6 100644
--- a/etc/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
@@ -27,7 +28,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +50,7 @@ private-etc none
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer
new file mode 100644
index 000000000..023f10d3d
--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+
+ignore quiet
+
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
\ No newline at end of file
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer
new file mode 100644
index 000000000..331e73218
--- /dev/null
+++ b/etc/profile-a-l/gtk2-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk2-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk2-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+
+ignore quiet
+
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
\ No newline at end of file
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer
new file mode 100644
index 000000000..4c5bde55f
--- /dev/null
+++ b/etc/profile-a-l/gtk3-youtube-viewer
@@ -0,0 +1,18 @@
+# Firejail profile for gtk3-youtube-viewer
+# Description: Gtk front-end to youtube-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk3-youtube-viewer.local
+# Persistent global definitions
+# include globals.local
+
+ignore quiet
+
+noblacklist /tmp/.X11-unix
+noblacklist ${RUNUSER}/wayland-*
+noblacklist ${RUNUSER}
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include youtube-viewer.profile
\ No newline at end of file
diff --git a/etc/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
index 8ffd7ff58..8a7f65918 100644
--- a/etc/guayadeque.profile
+++ b/etc/profile-a-l/guayadeque.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 caps.drop all
diff --git a/etc/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index b3aa58d29..c0254b5ec 100644
--- a/etc/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -12,9 +12,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -23,7 +25,6 @@ caps.drop all
 machine-id
 #net none - breaks dbus
 no3d
-#nodbus - breaks state saveing
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +46,8 @@ private-etc alternatives,dbus-1,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld
 private-lib
 private-tmp
 
+# breaks state saving
+# dbus-user none
+# dbus-system none
+
 read-only ${HOME}
diff --git a/etc/gummi.profile b/etc/profile-a-l/gummi.profile
index 922b2cbde..40c268c46 100644
--- a/etc/gummi.profile
+++ b/etc/profile-a-l/gummi.profile
@@ -12,8 +12,7 @@ include allow-lua.inc
 include allow-perl.inc
 include allow-python3.inc
 
-private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,lualatex,luatex,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
+private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
 
 # Redirect
 include latex-common.profile
-
diff --git a/etc/gunzip.profile b/etc/profile-a-l/gunzip.profile
index 6e97c6b78..6e97c6b78 100644
--- a/etc/gunzip.profile
+++ b/etc/profile-a-l/gunzip.profile
diff --git a/etc/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 5a5d81378..efdc56e38 100644
--- a/etc/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.kde/share/config/gwenviewrc
 noblacklist ${HOME}/.kde4/share/apps/gwenview
 noblacklist ${HOME}/.kde4/share/config/gwenviewrc
 noblacklist ${HOME}/.local/share/gwenview
+noblacklist ${HOME}/.local/share/kxmlgui5/gwenview
 noblacklist ${HOME}/.local/share/org.kde.gwenview
 
 include disable-common.inc
@@ -23,6 +24,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-var-common.inc
 
@@ -30,7 +32,6 @@ apparmor
 caps.drop all
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +48,7 @@ private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
 private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute
diff --git a/etc/gzexe.profile b/etc/profile-a-l/gzexe.profile
index bb570d553..bb570d553 100644
--- a/etc/gzexe.profile
+++ b/etc/profile-a-l/gzexe.profile
diff --git a/etc/gzip.profile b/etc/profile-a-l/gzip.profile
index 1af15d227..8ec39d8ca 100644
--- a/etc/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,4 +43,7 @@ x11 none
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/handbrake-gtk.profile b/etc/profile-a-l/handbrake-gtk.profile
index 1e7ce2350..1e7ce2350 100644
--- a/etc/handbrake-gtk.profile
+++ b/etc/profile-a-l/handbrake-gtk.profile
diff --git a/etc/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 324c629e3..0539ffcb8 100644
--- a/etc/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -22,8 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-netfilter
-nodbus
+net none
 nogroups
 nonewprivs
 noroot
@@ -36,3 +35,5 @@ shell none
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/hashcat.profile b/etc/profile-a-l/hashcat.profile
index b4d6d52f0..8ec67ff19 100644
--- a/etc/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index 898a07a5f..898a07a5f 100644
--- a/etc/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
diff --git a/etc/hexchat.profile b/etc/profile-a-l/hexchat.profile
index 7723cbd6b..4c8911a06 100644
--- a/etc/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
diff --git a/etc/highlight.profile b/etc/profile-a-l/highlight.profile
index 036de8d99..0761aa2fc 100644
--- a/etc/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -7,17 +7,18 @@ include highlight.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +37,6 @@ private-bin highlight
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hitori.profile b/etc/profile-a-l/hitori.profile
new file mode 100644
index 000000000..6d67f4587
--- /dev/null
+++ b/etc/profile-a-l/hitori.profile
@@ -0,0 +1,14 @@
+# Firejail profile for hitori
+# Description: Play the Hitori puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hitori.local
+# Persistent global definitions
+include globals.local
+
+private-bin hitori
+
+dbus-user.own org.gnome.Hitori
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
new file mode 100644
index 000000000..8e600a2d7
--- /dev/null
+++ b/etc/profile-a-l/homebank.profile
@@ -0,0 +1,59 @@
+# Firejail profile for homebank
+# Description: Personal finance manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include homebank.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/homebank
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/homebank
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/homebank
+whitelist /usr/share/homebank
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# net none
+netfilter
+nodvd
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin homebank
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11
+private-tmp
+
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
new file mode 100644
index 000000000..e5a5a7efa
--- /dev/null
+++ b/etc/profile-a-l/host.profile
@@ -0,0 +1,52 @@
+# Firejail profile for host
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include host.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+noblacklist ${PATH}/host
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,host,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/hugin.profile b/etc/profile-a-l/hugin.profile
index 07a697c05..e03b68128 100644
--- a/etc/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -16,11 +16,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +38,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
new file mode 100644
index 000000000..f2cb25edf
--- /dev/null
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -0,0 +1,51 @@
+# Firejail profile for hyperrogue
+# Description: An SDL roguelike in a non-euclidean world
+# This file is overwritten after every install/update
+# Persistent local customizations
+include hyperrogue.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/hyperrogue.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkfile ${HOME}/hyperrogue.ini
+whitelist ${HOME}/hyperrogue.ini
+whitelist /usr/share/hyperrogue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin hyperrogue
+private-cache
+private-cwd ${HOME}
+private-dev
+private-etc fonts,machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index 9ffdb9e9b..9ffdb9e9b 100644
--- a/etc/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
diff --git a/etc/i3.profile b/etc/profile-a-l/i3.profile
index c1ca0e413..c1ca0e413 100644
--- a/etc/i3.profile
+++ b/etc/profile-a-l/i3.profile
diff --git a/etc/gnome-2048.profile b/etc/profile-a-l/iagno.profile
index 9eb4c147d..42fc7d449 100644
--- a/etc/gnome-2048.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -1,38 +1,40 @@
-# Firejail profile for gnome-2048
-# Description: Sliding tile puzzle game
+# Firejail profile for iagno
+# Description: Reversi clone for Gnome desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
-include gnome-2048.local
+include iagno.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-2048
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-var-common.inc
 
-mkdir ${HOME}/.local/share/gnome-2048
-whitelist ${HOME}/.local/share/gnome-2048
-include whitelist-common.inc
-
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix
 seccomp
+shell none
 
 disable-mnt
+private
+private-bin iagno
 private-dev
 private-tmp
 
+# dbus-user none
+# dbus-system none
diff --git a/etc/icecat.profile b/etc/profile-a-l/icecat.profile
index 660343a29..660343a29 100644
--- a/etc/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
diff --git a/etc/icedove.profile b/etc/profile-a-l/icedove.profile
index 19690cd5a..19690cd5a 100644
--- a/etc/icedove.profile
+++ b/etc/profile-a-l/icedove.profile
diff --git a/etc/iceweasel.profile b/etc/profile-a-l/iceweasel.profile
index badd2648a..badd2648a 100644
--- a/etc/iceweasel.profile
+++ b/etc/profile-a-l/iceweasel.profile
diff --git a/etc/idea.profile b/etc/profile-a-l/idea.profile
index 4e43bb629..4e43bb629 100644
--- a/etc/idea.profile
+++ b/etc/profile-a-l/idea.profile
diff --git a/etc/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index a7d0d531f..a7d0d531f 100644
--- a/etc/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
diff --git a/etc/ideaIC.profile b/etc/profile-a-l/ideaIC.profile
index 7e1778f58..7e1778f58 100644
--- a/etc/ideaIC.profile
+++ b/etc/profile-a-l/ideaIC.profile
diff --git a/etc/imagej.profile b/etc/profile-a-l/imagej.profile
index 00ee115ed..91a60c188 100644
--- a/etc/imagej.profile
+++ b/etc/profile-a-l/imagej.profile
@@ -21,7 +21,6 @@ include disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,5 @@ private-bin awk,basename,bash,cut,free,grep,hostname,imagej,ln,ls,mkdir,rm,sort,
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/img2txt.profile b/etc/profile-a-l/img2txt.profile
index 0b30ec33f..ae03fc8bc 100644
--- a/etc/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -27,7 +27,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/impressive.profile b/etc/profile-a-l/impressive.profile
index 0bfe5de5a..af82fb059 100644
--- a/etc/impressive.profile
+++ b/etc/profile-a-l/impressive.profile
@@ -33,7 +33,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -51,5 +50,8 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.cache/mesa_shader_cache
diff --git a/etc/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 30cb5d75d..f14868668 100644
--- a/etc/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -37,7 +37,6 @@ caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,4 +55,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute
diff --git a/etc/inkview.profile b/etc/profile-a-l/inkview.profile
index 4f88b0258..4f88b0258 100644
--- a/etc/inkview.profile
+++ b/etc/profile-a-l/inkview.profile
diff --git a/etc/inox.profile b/etc/profile-a-l/inox.profile
index 1b3db73b4..1b3db73b4 100644
--- a/etc/inox.profile
+++ b/etc/profile-a-l/inox.profile
diff --git a/etc/iridium-browser.profile b/etc/profile-a-l/iridium-browser.profile
index c7ee64d56..c7ee64d56 100644
--- a/etc/iridium-browser.profile
+++ b/etc/profile-a-l/iridium-browser.profile
diff --git a/etc/iridium.profile b/etc/profile-a-l/iridium.profile
index ebb39b0a3..ebb39b0a3 100644
--- a/etc/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
diff --git a/etc/itch.profile b/etc/profile-a-l/itch.profile
index b3c78c810..b3c78c810 100644
--- a/etc/itch.profile
+++ b/etc/profile-a-l/itch.profile
diff --git a/etc/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
index 5b7275718..0944051e5 100644
--- a/etc/jd-gui.profile
+++ b/etc/profile-a-l/jd-gui.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/jdownloader.profile b/etc/profile-a-l/jdownloader.profile
index b5f892a9d..b5f892a9d 100644
--- a/etc/jdownloader.profile
+++ b/etc/profile-a-l/jdownloader.profile
diff --git a/etc/jerry.profile b/etc/profile-a-l/jerry.profile
index f6bfb9953..b79ae0ee0 100644
--- a/etc/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -20,7 +20,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,4 +37,7 @@ private-dev
 private-etc fonts,gtk-2.0,gtk-3.0
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
new file mode 100644
index 000000000..c4121d835
--- /dev/null
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -0,0 +1,39 @@
+# Firejail profile for jitsi-meet-desktop
+# Description: Jitsi Meet desktop application powered by Electron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jitsi-meet-desktop.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Jitsi Meet
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-xdg.inc
+
+nowhitelist ${DOWNLOADS}
+
+mkdir ${HOME}/.config/Jitsi Meet
+
+whitelist ${HOME}/.config/Jitsi Meet
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+seccomp !chroot
+
+disable-mnt
+private-bin bash,jitsi-meet-desktop
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/jitsi.profile b/etc/profile-a-l/jitsi.profile
index 223c360b8..223c360b8 100644
--- a/etc/jitsi.profile
+++ b/etc/profile-a-l/jitsi.profile
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
new file mode 100644
index 000000000..b1852b015
--- /dev/null
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -0,0 +1,15 @@
+# Firejail profile for jumpnbump-menu
+# Description: Level selection and config menu for the Jump 'n Bump game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump-menu.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include allow-python3.inc
+
+private-bin jumpnbump-menu,python3*
+
+# Redirect
+include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
new file mode 100644
index 000000000..daeb54610
--- /dev/null
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -0,0 +1,49 @@
+# Firejail profile for jumpnbump
+# Description: Cute multiplayer platform game with bunnies
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jumpnbump.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.jumpnbump
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.jumpnbump
+whitelist ${HOME}/.jumpnbump
+whitelist /usr/share/jumpnbump
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin jumpnbump
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/k3b.profile b/etc/profile-a-l/k3b.profile
index 0c1da7ae1..86292744c 100644
--- a/etc/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.config/k3brc
 noblacklist ${HOME}/.kde/share/config/k3brc
 noblacklist ${HOME}/.kde4/share/config/k3brc
+noblacklist ${HOME}/.local/share/kxmlgui5/k3b
 noblacklist ${MUSIC}
 
 include disable-common.inc
diff --git a/etc/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index c7f811939..c7f811939 100644
--- a/etc/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
diff --git a/etc/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 2dc90b9b9..e1e93163b 100644
--- a/etc/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ private-cache
 private-dev
 private-etc fonts,machine-id
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/kalgebramobile.profile b/etc/profile-a-l/kalgebramobile.profile
index d2394fe20..d2394fe20 100644
--- a/etc/kalgebramobile.profile
+++ b/etc/profile-a-l/kalgebramobile.profile
diff --git a/etc/karbon.profile b/etc/profile-a-l/karbon.profile
index 3b2e93b0a..d54d6d3d0 100644
--- a/etc/karbon.profile
+++ b/etc/profile-a-l/karbon.profile
@@ -1,5 +1,7 @@
 # Firejail profile alias for krita
 # This file is overwritten after every install/update
 
+noblacklist ${HOME}/.local/share/kxmlgui5/karbon
+
 # Redirect
 include krita.profile
diff --git a/etc/kate.profile b/etc/profile-a-l/kate.profile
index 3035393c4..37605dfa9 100644
--- a/etc/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -15,6 +15,13 @@ noblacklist ${HOME}/.config/kateschemarc
 noblacklist ${HOME}/.config/katesyntaxhighlightingrc
 noblacklist ${HOME}/.config/katevirc
 noblacklist ${HOME}/.local/share/kate
+noblacklist ${HOME}/.local/share/kxmlgui5/kate
+noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree
+noblacklist ${HOME}/.local/share/kxmlgui5/katekonsole
+noblacklist ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
+noblacklist ${HOME}/.local/share/kxmlgui5/katepart
+noblacklist ${HOME}/.local/share/kxmlgui5/kateproject
+noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
 
 include disable-common.inc
 # include disable-devel.inc
@@ -28,7 +35,6 @@ include whitelist-var-common.inc
 # apparmor
 caps.drop all
 # net none
-# nodbus
 netfilter
 nodvd
 nogroups
@@ -48,4 +54,7 @@ private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 join-or-start kate
diff --git a/etc/kcalc.profile b/etc/profile-a-l/kcalc.profile
index 8c641802b..fa82e76f3 100644
--- a/etc/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -6,6 +6,7 @@ include kcalc.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.local/share/kxmlgui5/kcalc
 
 include disable-common.inc
 include disable-devel.inc
@@ -13,13 +14,16 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
+mkdir ${HOME}/.local/share/kxmlgui5/kcalc
 mkfile ${HOME}/.config/kcalcrc
 mkfile ${HOME}/.kde/share/config/kcalcrc
 mkfile ${HOME}/.kde4/share/config/kcalcrc
 whitelist ${HOME}/.config/kcalcrc
 whitelist ${HOME}/.kde/share/config/kcalcrc
 whitelist ${HOME}/.kde4/share/config/kcalcrc
+whitelist ${HOME}/.local/share/kxmlgui5/kcalc
 include whitelist-common.inc
 include whitelist-var-common.inc
 
@@ -27,7 +31,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +49,5 @@ private-dev
 # private-lib - problems on Arch
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
index 082045c62..f7235ea84 100644
--- a/etc/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-var-common.inc
 
diff --git a/etc/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index 361109127..9ca33b68e 100644
--- a/etc/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -11,6 +11,7 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/kdenlive
 noblacklist ${HOME}/.config/kdenliverc
 noblacklist ${HOME}/.local/share/kdenlive
+noblacklist ${HOME}/.local/share/kxmlgui5/kdenlive
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,7 +23,6 @@ include disable-programs.inc
 apparmor
 caps.drop all
 # net none
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +36,6 @@ shell none
 private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
 private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/keepass.profile b/etc/profile-a-l/keepass.profile
index 9852f8a79..9852f8a79 100644
--- a/etc/keepass.profile
+++ b/etc/profile-a-l/keepass.profile
diff --git a/etc/keepass2.profile b/etc/profile-a-l/keepass2.profile
index aef236ccc..aef236ccc 100644
--- a/etc/keepass2.profile
+++ b/etc/profile-a-l/keepass2.profile
diff --git a/etc/keepassx.profile b/etc/profile-a-l/keepassx.profile
index 44e9c67bb..b8239e140 100644
--- a/etc/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -26,7 +26,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +44,7 @@ private-dev
 private-etc alternatives,fonts,machine-id
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/keepassx2.profile b/etc/profile-a-l/keepassx2.profile
index fdd27e9f9..fdd27e9f9 100644
--- a/etc/keepassx2.profile
+++ b/etc/profile-a-l/keepassx2.profile
diff --git a/etc/keepassxc-cli.profile b/etc/profile-a-l/keepassxc-cli.profile
index 925609384..925609384 100644
--- a/etc/keepassxc-cli.profile
+++ b/etc/profile-a-l/keepassxc-cli.profile
diff --git a/etc/keepassxc-proxy.profile b/etc/profile-a-l/keepassxc-proxy.profile
index b2b6763ee..b2b6763ee 100644
--- a/etc/keepassxc-proxy.profile
+++ b/etc/profile-a-l/keepassxc-proxy.profile
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
new file mode 100644
index 000000000..e8fc4e632
--- /dev/null
+++ b/etc/profile-a-l/keepassxc.profile
@@ -0,0 +1,81 @@
+# Firejail profile for keepassxc
+# Description: Cross Platform Password Manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include keepassxc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+noblacklist ${HOME}/.cache/keepassxc
+noblacklist ${HOME}/.config/keepassxc
+noblacklist ${HOME}/.keepassxc
+# 2.2.4 needs this path when compiled with "Native messaging browser extension"
+noblacklist ${HOME}/.mozilla
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
+# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
+#mkdir ${HOME}/Documents/KeePassXC
+#whitelist ${HOME}/Documents/KeePassXC
+# Needed for KeePassXC-Browser
+#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.cache/keepassxc
+#mkdir ${HOME}/.config/keepassxc
+#whitelist ${HOME}/.cache/keepassxc
+#whitelist ${HOME}/.config/keepassxc
+#include whitelist-common.inc
+
+whitelist /usr/share/keepassxc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+private-bin keepassxc,keepassxc-cli,keepassxc-proxy
+private-dev
+private-etc alternatives,fonts,ld.so.cache,machine-id
+private-tmp
+
+dbus-user filter
+#dbus-user.own org.keepassxc.KeePassXC
+dbus-user.talk com.canonical.Unity.Session
+dbus-user.talk org.freedesktop.ScreenSaver
+dbus-user.talk org.freedesktop.login1.Manager
+dbus-user.talk org.freedesktop.login1.Session
+dbus-user.talk org.gnome.ScreenSaver
+dbus-user.talk org.gnome.SessionManager
+dbus-user.talk org.gnome.SessionManager.Presence
+# Uncomment or add to your keepassxc.local to allow Notifications.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+
+# Mutex is stored in /tmp by default, which is broken by private-tmp
+join-or-start keepassxc
diff --git a/etc/kfind.profile b/etc/profile-a-l/kfind.profile
index ee4c35825..ed815676a 100644
--- a/etc/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -27,7 +27,6 @@ machine-id
 # net none
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +42,6 @@ shell none
 # private-bin kbuildsycoca4,kdeinit4,kfind
 private-dev
 private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/kget.profile b/etc/profile-a-l/kget.profile
index 485edc1a4..5990d0752 100644
--- a/etc/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.kde/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/apps/kget
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.local/share/kget
+noblacklist ${HOME}/.local/share/kxmlgui5/kget
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/kid3-cli.profile b/etc/profile-a-l/kid3-cli.profile
index bee62b5d9..bee62b5d9 100644
--- a/etc/kid3-cli.profile
+++ b/etc/profile-a-l/kid3-cli.profile
diff --git a/etc/kid3-qt.profile b/etc/profile-a-l/kid3-qt.profile
index 9bcede077..9bcede077 100644
--- a/etc/kid3-qt.profile
+++ b/etc/profile-a-l/kid3-qt.profile
diff --git a/etc/kid3.profile b/etc/profile-a-l/kid3.profile
index 01064feb5..aa2e0ad1e 100644
--- a/etc/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${MUSIC}
 noblacklist ${HOME}/.config/kid3rc
+noblacklist ${HOME}/.local/share/kxmlgui5/kid3
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,7 +23,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,4 +42,7 @@ private-tmp
 private-opt none
 private-srv none
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/kino.profile b/etc/profile-a-l/kino.profile
index 9e8d61391..b3ade0dd9 100644
--- a/etc/kino.profile
+++ b/etc/profile-a-l/kino.profile
@@ -16,6 +16,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 nogroups
diff --git a/etc/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 8b7b12882..d222d6d24 100644
--- a/etc/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -29,7 +29,6 @@ caps.drop all
 ipc-namespace
 netfilter
 # no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
index d584f6a56..10b689ce5 100644
--- a/etc/klatexformula.profile
+++ b/etc/profile-a-l/klatexformula.profile
@@ -24,7 +24,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,6 @@ tracelog
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/klatexformula_cmdl.profile b/etc/profile-a-l/klatexformula_cmdl.profile
index 9137963c4..9137963c4 100644
--- a/etc/klatexformula_cmdl.profile
+++ b/etc/profile-a-l/klatexformula_cmdl.profile
diff --git a/etc/klavaro.profile b/etc/profile-a-l/klavaro.profile
index b6b538557..c03d75098 100644
--- a/etc/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -29,7 +29,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +49,6 @@ private-etc alternatives,fonts
 private-tmp
 private-opt none
 private-srv none
+
+dbus-user none
+dbus-system none
diff --git a/etc/kmail.profile b/etc/profile-a-l/kmail.profile
index 198b05a11..ab4ff10b9 100644
--- a/etc/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -25,6 +25,8 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/emailidentities
 noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/kxmlgui5/kmail
+noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
new file mode 100644
index 000000000..7eabde61d
--- /dev/null
+++ b/etc/profile-a-l/kmplayer.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mplayer
+# Description: mplayer KDE GUI (movie player)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kmplayerrc
+noblacklist ${HOME}/.kde/share/config/kmplayerrc
+noblacklist ${HOME}/.local/share/kmplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# private-bin kmplayer,mplayer
+private-cache
+private-dev
+private-tmp
+
diff --git a/etc/knotes.profile b/etc/profile-a-l/knotes.profile
index ababfcdb1..f155d0ad6 100644
--- a/etc/knotes.profile
+++ b/etc/profile-a-l/knotes.profile
@@ -12,6 +12,7 @@ include knotes.local
 
 noblacklist ${HOME}/.config/knotesrc
 noblacklist ${HOME}/.local/share/knotes
+noblacklist ${HOME}/.local/share/kxmlgui5/knotes
 
 # Redirect
 include kmail.profile
diff --git a/etc/kodi.profile b/etc/profile-a-l/kodi.profile
index 86afe46b5..63cae6231 100644
--- a/etc/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -33,6 +33,7 @@ caps.drop all
 netfilter
 nogroups
 nonewprivs
+# Seems to cause issues with Nvidia drivers sometimes (#3501)
 noroot
 nou2f
 protocol unix,inet,inet6,netlink
diff --git a/etc/konversation.profile b/etc/profile-a-l/konversation.profile
index dd3e9617f..4dd929c6b 100644
--- a/etc/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -7,8 +7,10 @@ include konversation.local
 include globals.local
 
 noblacklist ${HOME}/.config/konversationrc
+noblacklist ${HOME}/.config/konversation.notifyrc
 noblacklist ${HOME}/.kde/share/config/konversationrc
 noblacklist ${HOME}/.kde4/share/config/konversationrc
+noblacklist ${HOME}/.local/share/kxmlgui5/konversation
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
diff --git a/etc/kopete.profile b/etc/profile-a-l/kopete.profile
index e0bdce059..a5269373d 100644
--- a/etc/kopete.profile
+++ b/etc/profile-a-l/kopete.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.kde/share/apps/kopete
 noblacklist ${HOME}/.kde/share/config/kopeterc
 noblacklist ${HOME}/.kde4/share/apps/kopete
 noblacklist ${HOME}/.kde4/share/config/kopeterc
+noblacklist ${HOME}/.local/share/kxmlgui5/kopete
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/krita.profile b/etc/profile-a-l/krita.profile
index 49c36274a..be9921478 100644
--- a/etc/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -31,7 +31,6 @@ caps.drop all
 ipc-namespace
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,6 @@ shell none
 private-cache
 private-dev
 private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/krunner.profile b/etc/profile-a-l/krunner.profile
index c64113c15..c64113c15 100644
--- a/etc/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
diff --git a/etc/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index 2eb46a7e8..b55e00f22 100644
--- a/etc/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.kde/share/config/ktorrentrc
 noblacklist ${HOME}/.kde4/share/apps/ktorrent
 noblacklist ${HOME}/.kde4/share/config/ktorrentrc
 noblacklist ${HOME}/.local/share/ktorrent
+noblacklist ${HOME}/.local/share/kxmlgui5/ktorrent
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,10 +20,12 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.kde/share/apps/ktorrent
 mkdir ${HOME}/.kde4/share/apps/ktorrent
 mkdir ${HOME}/.local/share/ktorrent
+mkdir ${HOME}/.local/share/kxmlgui5/ktorrent
 mkfile ${HOME}/.config/ktorrentrc
 mkfile ${HOME}/.kde/share/config/ktorrentrc
 mkfile ${HOME}/.kde4/share/config/ktorrentrc
@@ -33,6 +36,7 @@ whitelist ${HOME}/.kde/share/config/ktorrentrc
 whitelist ${HOME}/.kde4/share/apps/ktorrent
 whitelist ${HOME}/.kde4/share/config/ktorrentrc
 whitelist ${HOME}/.local/share/ktorrent
+whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 446bc50ee..8d8bcdd7d 100644
--- a/etc/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.config/ktouch2rc
@@ -28,7 +29,6 @@ apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,3 +48,6 @@ private-cache
 private-dev
 private-etc alternatives,fonts,kde5rc,machine-id
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index d512dd100..316a93d30 100644
--- a/etc/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
diff --git a/etc/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 31ac19039..4ff8efa70 100644
--- a/etc/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.config/katesyntaxhighlightingrc
 noblacklist ${HOME}/.config/katevirc
 noblacklist ${HOME}/.config/kwriterc
 noblacklist ${HOME}/.local/share/kwrite
+noblacklist ${HOME}/.local/share/kxmlgui5/kwrite
 noblacklist ${DOCUMENTS}
 
 include disable-common.inc
@@ -21,6 +22,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
@@ -29,7 +31,6 @@ apparmor
 caps.drop all
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,5 +49,7 @@ private-dev
 private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
+# dbus-user none
+# dbus-system none
 
 join-or-start kwrite
diff --git a/etc/latex-common.profile b/etc/profile-a-l/latex-common.profile
index 712ada722..b090be726 100644
--- a/etc/latex-common.profile
+++ b/etc/profile-a-l/latex-common.profile
@@ -14,12 +14,12 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /var/lib
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,3 +37,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/latex.profile b/etc/profile-a-l/latex.profile
index 2230dd570..2230dd570 100644
--- a/etc/latex.profile
+++ b/etc/profile-a-l/latex.profile
diff --git a/etc/lbunzip2.profile b/etc/profile-a-l/lbunzip2.profile
index 338d8c8bb..338d8c8bb 100644
--- a/etc/lbunzip2.profile
+++ b/etc/profile-a-l/lbunzip2.profile
diff --git a/etc/lbzcat.profile b/etc/profile-a-l/lbzcat.profile
index 338d8c8bb..338d8c8bb 100644
--- a/etc/lbzcat.profile
+++ b/etc/profile-a-l/lbzcat.profile
diff --git a/etc/lbzip2.profile b/etc/profile-a-l/lbzip2.profile
index 338d8c8bb..338d8c8bb 100644
--- a/etc/lbzip2.profile
+++ b/etc/profile-a-l/lbzip2.profile
diff --git a/etc/leafpad.profile b/etc/profile-a-l/leafpad.profile
index 56a792c8e..eb23b200b 100644
--- a/etc/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -14,11 +14,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/less.profile b/etc/profile-a-l/less.profile
index 00624e0f1..de6fa67d1 100644
--- a/etc/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -8,6 +8,7 @@ include less.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.lesshst
 
@@ -22,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nonewprivs
 #noroot
@@ -44,6 +44,9 @@ private-cache
 private-dev
 writable-var-log
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 read-only ${HOME}
 read-write ${HOME}/.lesshst
diff --git a/etc/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index aa113883e..f9c92f6f6 100644
--- a/etc/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -46,4 +46,6 @@ tracelog
 private-dev
 private-tmp
 
+dbus-system none
+
 join-or-start libreoffice
diff --git a/etc/liferea.profile b/etc/profile-a-l/liferea.profile
index 7cfd4fc10..7cfd4fc10 100644
--- a/etc/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
diff --git a/etc/profile-a-l/lightsoff.profile b/etc/profile-a-l/lightsoff.profile
new file mode 100644
index 000000000..c065c44a9
--- /dev/null
+++ b/etc/profile-a-l/lightsoff.profile
@@ -0,0 +1,16 @@
+# Firejail profile for lightsoff
+# Description: GNOME Lightsoff game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lightsoff.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/lightsoff
+
+private-bin lightsoff
+
+dbus-user.own org.gnome.LightsOff
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
index b55ac9a15..91bd12d0d 100644
--- a/etc/lincity-ng.profile
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.lincity-ng
@@ -21,10 +22,10 @@ whitelist ${HOME}/.lincity-ng
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +43,6 @@ private-bin lincity-ng
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/links.profile b/etc/profile-a-l/links.profile
index a31001c87..b2f94d3cf 100644
--- a/etc/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -24,6 +24,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
 whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/linphone.profile b/etc/profile-a-l/linphone.profile
index dc156b298..dc156b298 100644
--- a/etc/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
diff --git a/etc/lmms.profile b/etc/profile-a-l/lmms.profile
index 98ddd03e5..afe1ad635 100644
--- a/etc/lmms.profile
+++ b/etc/profile-a-l/lmms.profile
@@ -22,7 +22,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -37,3 +36,5 @@ shell none
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/lobase.profile b/etc/profile-a-l/lobase.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/lobase.profile
+++ b/etc/profile-a-l/lobase.profile
diff --git a/etc/localc.profile b/etc/profile-a-l/localc.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/localc.profile
+++ b/etc/profile-a-l/localc.profile
diff --git a/etc/lodraw.profile b/etc/profile-a-l/lodraw.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/lodraw.profile
+++ b/etc/profile-a-l/lodraw.profile
diff --git a/etc/loffice.profile b/etc/profile-a-l/loffice.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/loffice.profile
+++ b/etc/profile-a-l/loffice.profile
diff --git a/etc/lofromtemplate.profile b/etc/profile-a-l/lofromtemplate.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/lofromtemplate.profile
+++ b/etc/profile-a-l/lofromtemplate.profile
diff --git a/etc/loimpress.profile b/etc/profile-a-l/loimpress.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/loimpress.profile
+++ b/etc/profile-a-l/loimpress.profile
diff --git a/etc/lollypop.profile b/etc/profile-a-l/lollypop.profile
index 1ce83822d..1ce83822d 100644
--- a/etc/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
diff --git a/etc/lomath.profile b/etc/profile-a-l/lomath.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/lomath.profile
+++ b/etc/profile-a-l/lomath.profile
diff --git a/etc/loweb.profile b/etc/profile-a-l/loweb.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/loweb.profile
+++ b/etc/profile-a-l/loweb.profile
diff --git a/etc/lowriter.profile b/etc/profile-a-l/lowriter.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/lowriter.profile
+++ b/etc/profile-a-l/lowriter.profile
diff --git a/etc/lrunzip.profile b/etc/profile-a-l/lrunzip.profile
index c010cbd96..c010cbd96 100644
--- a/etc/lrunzip.profile
+++ b/etc/profile-a-l/lrunzip.profile
diff --git a/etc/lrz.profile b/etc/profile-a-l/lrz.profile
index 8077be945..8077be945 100644
--- a/etc/lrz.profile
+++ b/etc/profile-a-l/lrz.profile
diff --git a/etc/lrzcat.profile b/etc/profile-a-l/lrzcat.profile
index d05ee7aae..d05ee7aae 100644
--- a/etc/lrzcat.profile
+++ b/etc/profile-a-l/lrzcat.profile
diff --git a/etc/lrzip.profile b/etc/profile-a-l/lrzip.profile
index 3767767f6..3767767f6 100644
--- a/etc/lrzip.profile
+++ b/etc/profile-a-l/lrzip.profile
diff --git a/etc/lrztar.profile b/etc/profile-a-l/lrztar.profile
index 673e9f62e..673e9f62e 100644
--- a/etc/lrztar.profile
+++ b/etc/profile-a-l/lrztar.profile
diff --git a/etc/lrzuntar.profile b/etc/profile-a-l/lrzuntar.profile
index 245d1c669..245d1c669 100644
--- a/etc/lrzuntar.profile
+++ b/etc/profile-a-l/lrzuntar.profile
diff --git a/etc/lugaru.profile b/etc/profile-a-l/lugaru.profile
index d81441572..cd8f0e529 100644
--- a/etc/lugaru.profile
+++ b/etc/profile-a-l/lugaru.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/lugaru
@@ -29,7 +30,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +47,6 @@ private-bin lugaru
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
index 2b0feaa17..2b0feaa17 100644
--- a/etc/luminance-hdr.profile
+++ b/etc/profile-a-l/luminance-hdr.profile
diff --git a/etc/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
index 74adb7a67..a33ddab78 100644
--- a/etc/lximage-qt.profile
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -14,9 +14,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
diff --git a/etc/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
index e1a37343e..9094f4377 100644
--- a/etc/lxmusic.profile
+++ b/etc/profile-a-l/lxmusic.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/lynx.profile b/etc/profile-a-l/lynx.profile
index fb6fe94ec..dbd0a61e5 100644
--- a/etc/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -16,6 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
new file mode 100644
index 000000000..b2c0afbe7
--- /dev/null
+++ b/etc/profile-a-l/lyx.profile
@@ -0,0 +1,33 @@
+# Firejail profile for lyx
+# Description: Open source document processor based on LaTeX typsetting
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lyx.local
+# Persistent global definitions
+include globals.local
+
+ignore private-tmp
+
+noblacklist ${HOME}/.config/LyX
+noblacklist ${HOME}/.lyx
+
+include allow-lua.inc
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+
+whitelist /usr/share/lyx
+whitelist /usr/share/texinfo
+whitelist /usr/share/texlive
+whitelist /usr/share/texmf-dist
+whitelist /usr/share/tlpkg
+include whitelist-usr-share-common.inc
+
+apparmor
+machine-id
+
+# private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,mime.types,passwd,texmf,X11,xdg
+
+# Redirect
+include latex-common.profile
diff --git a/etc/lzcat.profile b/etc/profile-a-l/lzcat.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzcat.profile
+++ b/etc/profile-a-l/lzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzcmp.profile b/etc/profile-a-l/lzcmp.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzcmp.profile
+++ b/etc/profile-a-l/lzcmp.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzdiff.profile b/etc/profile-a-l/lzdiff.profile
index f7410b928..f7410b928 100644
--- a/etc/lzdiff.profile
+++ b/etc/profile-a-l/lzdiff.profile
diff --git a/etc/lzegrep.profile b/etc/profile-a-l/lzegrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzegrep.profile
+++ b/etc/profile-a-l/lzegrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzfgrep.profile b/etc/profile-a-l/lzfgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzfgrep.profile
+++ b/etc/profile-a-l/lzfgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzgrep.profile b/etc/profile-a-l/lzgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzgrep.profile
+++ b/etc/profile-a-l/lzgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzip.profile b/etc/profile-a-l/lzip.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzip.profile
+++ b/etc/profile-a-l/lzip.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzless.profile b/etc/profile-a-l/lzless.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzless.profile
+++ b/etc/profile-a-l/lzless.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzma.profile b/etc/profile-a-l/lzma.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzma.profile
+++ b/etc/profile-a-l/lzma.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzmadec.profile b/etc/profile-a-l/lzmadec.profile
index 0c5ec1b09..0c5ec1b09 100644
--- a/etc/lzmadec.profile
+++ b/etc/profile-a-l/lzmadec.profile
diff --git a/etc/lzmainfo.profile b/etc/profile-a-l/lzmainfo.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzmainfo.profile
+++ b/etc/profile-a-l/lzmainfo.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/lzmore.profile b/etc/profile-a-l/lzmore.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzmore.profile
+++ b/etc/profile-a-l/lzmore.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
index cee49111e..77bce4179 100644
--- a/etc/Maelstrom.profile
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /var/lib/games
@@ -23,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -41,3 +41,6 @@ private-bin Maelstrom
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/Maps.profile b/etc/profile-m-z/Maps.profile
index c52d2f2da..c52d2f2da 100644
--- a/etc/Maps.profile
+++ b/etc/profile-m-z/Maps.profile
diff --git a/etc/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
index c2734b1c1..c2734b1c1 100644
--- a/etc/Mathematica.profile
+++ b/etc/profile-m-z/Mathematica.profile
diff --git a/etc/Natron.profile b/etc/profile-m-z/Natron.profile
index 42c22bf67..42c22bf67 100644
--- a/etc/Natron.profile
+++ b/etc/profile-m-z/Natron.profile
diff --git a/etc/PPSSPPQt.profile b/etc/profile-m-z/PPSSPPQt.profile
index c5592f99c..c5592f99c 100644
--- a/etc/PPSSPPQt.profile
+++ b/etc/profile-m-z/PPSSPPQt.profile
diff --git a/etc/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index b9ddd80c4..589dcfeb6 100644
--- a/etc/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -25,6 +25,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/qtchooser
@@ -34,7 +35,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 # no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,4 +53,7 @@ private-cache
 private-dev
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 8157cdff4..e2dcf17e0 100644
--- a/etc/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/Nextcloud/Notes
diff --git a/etc/profile-m-z/Screenshot.profile b/etc/profile-m-z/Screenshot.profile
new file mode 100644
index 000000000..d4b083736
--- /dev/null
+++ b/etc/profile-m-z/Screenshot.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-screenshot
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-screenshot.profile
diff --git a/etc/Telegram.profile b/etc/profile-m-z/Telegram.profile
index 310e0237e..310e0237e 100644
--- a/etc/Telegram.profile
+++ b/etc/profile-m-z/Telegram.profile
diff --git a/etc/profile-m-z/Thunar.profile b/etc/profile-m-z/Thunar.profile
new file mode 100644
index 000000000..28acb414b
--- /dev/null
+++ b/etc/profile-m-z/Thunar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for Thunar
+# Description: File Manager for Xfce
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Thunar.local
+# Persistent global definitions
+include globals.local
+
+# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/Viber.profile b/etc/profile-m-z/Viber.profile
index 925e130de..3195e39fa 100644
--- a/etc/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -6,6 +6,7 @@ include Viber.local
 include globals.local
 
 noblacklist ${HOME}/.ViberPC
+noblacklist ${PATH}/dig
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/VirtualBox.profile b/etc/profile-m-z/VirtualBox.profile
index 4c99ae9a3..4c99ae9a3 100644
--- a/etc/VirtualBox.profile
+++ b/etc/profile-m-z/VirtualBox.profile
diff --git a/etc/XMind.profile b/etc/profile-m-z/XMind.profile
index 7e7c0c3cd..7e7c0c3cd 100644
--- a/etc/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
diff --git a/etc/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index ab5fdf942..ab5fdf942 100644
--- a/etc/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
diff --git a/etc/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 937d02d60..937d02d60 100644
--- a/etc/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile
new file mode 100644
index 000000000..02c5a043d
--- /dev/null
+++ b/etc/profile-m-z/ZeGrapher.profile
@@ -0,0 +1,48 @@
+# Firejail profile for ZeGrapher
+# Description: Free and opensource math graphing software
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ZeGrapher.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/ZeGrapher Project
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+
+whitelist /usr/share/ZeGrapher
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ZeGrapher
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
index 94d90780b..2e0071b47 100644
--- a/etc/macrofusion.profile
+++ b/etc/profile-m-z/macrofusion.profile
@@ -18,12 +18,12 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +41,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
new file mode 100644
index 000000000..d26aed0bb
--- /dev/null
+++ b/etc/profile-m-z/magicor.profile
@@ -0,0 +1,52 @@
+# Firejail profile for magicor
+# Description: Push ice blocks around to extinguish all fires
+# This file is overwritten after every install/update
+# Persistent local customizations
+include magicor.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.magicor
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.magicor
+whitelist ${HOME}/.magicor
+whitelist /usr/share/magicor
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin magicor,python2*
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 513fcae55..513fcae55 100644
--- a/etc/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
diff --git a/etc/manaplus.profile b/etc/profile-m-z/manaplus.profile
index 93d409bf8..eba77c8f2 100644
--- a/etc/manaplus.profile
+++ b/etc/profile-m-z/manaplus.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/mana
@@ -28,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,3 +46,6 @@ private-bin manaplus
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index e4da0c66a..e4da0c66a 100644
--- a/etc/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
diff --git a/etc/masterpdfeditor4.profile b/etc/profile-m-z/masterpdfeditor4.profile
index 84e78171f..84e78171f 100644
--- a/etc/masterpdfeditor4.profile
+++ b/etc/profile-m-z/masterpdfeditor4.profile
diff --git a/etc/masterpdfeditor5.profile b/etc/profile-m-z/masterpdfeditor5.profile
index 057d343dd..057d343dd 100644
--- a/etc/masterpdfeditor5.profile
+++ b/etc/profile-m-z/masterpdfeditor5.profile
diff --git a/etc/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 2f6020ad3..ce418d68f 100644
--- a/etc/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -22,11 +22,12 @@ whitelist ${HOME}/.cache/mate-calc
 whitelist ${HOME}/.config/caja
 whitelist ${HOME}/.config/mate-menu
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +47,7 @@ private-dev
 private-opt none
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/mate-calculator.profile b/etc/profile-m-z/mate-calculator.profile
index bb438f5f0..bb438f5f0 100644
--- a/etc/mate-calculator.profile
+++ b/etc/profile-m-z/mate-calculator.profile
diff --git a/etc/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index f1a7ca18f..b6dc643d4 100644
--- a/etc/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -11,6 +11,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-common.inc
 
diff --git a/etc/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index 49a776766..2267bbb50 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -13,11 +13,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/mate/mate-dictionary
 whitelist ${HOME}/.config/mate/mate-dictionary
 include whitelist-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/mathematica.profile b/etc/profile-m-z/mathematica.profile
index 964060350..964060350 100644
--- a/etc/mathematica.profile
+++ b/etc/profile-m-z/mathematica.profile
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
new file mode 100644
index 000000000..e4487c8aa
--- /dev/null
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -0,0 +1,46 @@
+# Firejail profile for mattermost-desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mattermost-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Mattermost
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Mattermost
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Mattermost
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+notv
+nou2f
+novideo
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+# Not tested
+#dbus-user filter
+#dbus-user.own com.mattermost.Desktop
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-system none
diff --git a/etc/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 134a6ae63..b63de6c3e 100644
--- a/etc/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -14,6 +14,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 netfilter
diff --git a/etc/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 40ae663fc..be7c8cbca 100644
--- a/etc/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -24,7 +25,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,4 +45,7 @@ private-dev
 private-etc alternatives
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index 95cd673c6..95cd673c6 100644
--- a/etc/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
diff --git a/etc/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 08eae6dfc..19f9edf05 100644
--- a/etc/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -18,13 +18,16 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.megaglest
 whitelist ${HOME}/.megaglest
+whitelist /usr/share/megaglest
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +45,6 @@ private-bin megaglest,megaglest_editor,megaglest_g3dviewer
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/megaglest_editor.profile b/etc/profile-m-z/megaglest_editor.profile
index 02aad8084..02aad8084 100644
--- a/etc/megaglest_editor.profile
+++ b/etc/profile-m-z/megaglest_editor.profile
diff --git a/etc/meld.profile b/etc/profile-m-z/meld.profile
index 9a320c13d..385700648 100644
--- a/etc/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -35,6 +35,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-runuser-common.inc
 
 # Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
 #whitelist /usr/share/meld
@@ -67,6 +70,7 @@ private-cache
 private-dev
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
+# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551)
 private-tmp
 
 read-only ${HOME}/.ssh
diff --git a/etc/mencoder.profile b/etc/profile-m-z/mencoder.profile
index ad5ce436a..caf238785 100644
--- a/etc/mencoder.profile
+++ b/etc/profile-m-z/mencoder.profile
@@ -18,7 +18,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nosound
 notv
 protocol unix
@@ -27,6 +26,9 @@ x11 none
 
 private-bin mencoder
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 
 # Redirect
diff --git a/etc/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile
index 1f02ff5c0..6022b110a 100644
--- a/etc/mendeleydesktop.profile
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,5 @@ private-bin cat,env,gconftool-2,ln,mendeleydesktop,python*,sh,update-desktop-dat
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
index 4437d86ea..c8b0a0ff1 100644
--- a/etc/meteo-qt.profile
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/meteo-qt
@@ -28,7 +29,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +48,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/midori.profile b/etc/profile-m-z/midori.profile
index e11e2acaa..e15259608 100644
--- a/etc/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -48,7 +48,9 @@ whitelist ${HOME}/.local/share/webkitgtk
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -60,3 +62,4 @@ seccomp
 tracelog
 
 disable-mnt
+private-tmp
diff --git a/etc/min.profile b/etc/profile-m-z/min.profile
index 7f3aeab44..7f3aeab44 100644
--- a/etc/min.profile
+++ b/etc/profile-m-z/min.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
new file mode 100644
index 000000000..6108c0b69
--- /dev/null
+++ b/etc/profile-m-z/mindless.profile
@@ -0,0 +1,51 @@
+# Firejail profile for mindless
+# Description: figure out the secret code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mindless.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/mindless
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin mindless
+private-cache
+private-dev
+private-etc fonts
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
new file mode 100644
index 000000000..8c7d18c58
--- /dev/null
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -0,0 +1,58 @@
+# Firejail profile for minecraft-launcher
+# Description: Official Minecraft launcher from Mojang
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minecraft-launcher.local
+# Persistent global definitions
+include globals.local
+
+# On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it.
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.minecraft
+
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.minecraft
+whitelist ${HOME}/.minecraft
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin java,java-config,minecraft-launcher
+private-cache
+private-dev
+# If multiplayer or realms break add your own java folder from /etc or comment the line below.
+private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg
+private-opt minecraft-launcher
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/minetest.profile b/etc/profile-m-z/minetest.profile
index 0439a1ccc..1da430ce6 100644
--- a/etc/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -6,6 +6,9 @@ include minetest.local
 # Persistent global definitions
 include globals.local
 
+# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
+#   screenshot_path = /home/<USER>/.minetest/screenshots
+
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
 
@@ -15,19 +18,22 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
 whitelist ${HOME}/.cache/minetest
 whitelist ${HOME}/.minetest
+whitelist /usr/share/minetest
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +53,6 @@ private-dev
 # private-etc needs to be updated, see #1702
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
new file mode 100644
index 000000000..2c70978a9
--- /dev/null
+++ b/etc/profile-m-z/minitube.profile
@@ -0,0 +1,61 @@
+# Firejail profile for minitube
+# Description: Native Youtube viewer for Linux
+# This file is overwritten after every install/update
+# Persistent local customizations
+include minitube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/Flavio Tordini
+noblacklist ${HOME}/.config/Flavio Tordini
+noblacklist ${HOME}/.local/share/Flavio Tordini
+
+include allow-lua.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc 
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Flavio Tordini
+mkdir ${HOME}/.config/Flavio Tordini
+mkdir ${HOME}/.local/share/Flavio Tordini
+whitelist ${PICTURES}
+whitelist ${HOME}/.cache/Flavio Tordini
+whitelist ${HOME}/.config/Flavio Tordini
+whitelist ${HOME}/.local/share/Flavio Tordini
+whitelist /usr/share/minitube
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin minitube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
new file mode 100644
index 000000000..ded84bf7e
--- /dev/null
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -0,0 +1,51 @@
+# Firejail profile for mirrormagic
+# Description: Puzzle game where you steer a beam of light using mirrors
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mirrormagic.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.mirrormagic
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.mirrormagic
+whitelist ${HOME}/.mirrormagic
+whitelist /usr/share/mirrormagic
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin mirrormagic
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
new file mode 100644
index 000000000..6fc7a4d67
--- /dev/null
+++ b/etc/profile-m-z/mocp.profile
@@ -0,0 +1,53 @@
+# Firejail profile for mocp
+# Description: A powerful & easy to use console audio player
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mocp.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.moc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin mocp
+private-cache
+private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+read-write ${HOME}/.moc
diff --git a/etc/mousepad.profile b/etc/profile-m-z/mousepad.profile
index 20370a5b5..5f15b71e2 100644
--- a/etc/mousepad.profile
+++ b/etc/profile-m-z/mousepad.profile
@@ -14,11 +14,13 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index e0936476b..3481a4a82 100644
--- a/etc/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-var-common.inc
 
@@ -21,7 +22,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +39,6 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 7754d276b..c65754a03 100644
--- a/etc/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,6 @@ private-etc alternatives
 private-tmp
 
 memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/etc/mp3wrap.profile b/etc/profile-m-z/mp3wrap.profile
index 9e48f7807..9e48f7807 100644
--- a/etc/mp3wrap.profile
+++ b/etc/profile-m-z/mp3wrap.profile
diff --git a/etc/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index fd0351db0..4ba1dfbd6 100644
--- a/etc/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${MUSIC}
diff --git a/etc/mpd.profile b/etc/profile-m-z/mpd.profile
index 3fda87a48..3fda87a48 100644
--- a/etc/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
diff --git a/etc/mpg123-alsa.profile b/etc/profile-m-z/mpg123-alsa.profile
index 378435af1..378435af1 100644
--- a/etc/mpg123-alsa.profile
+++ b/etc/profile-m-z/mpg123-alsa.profile
diff --git a/etc/mpg123-id3dump.profile b/etc/profile-m-z/mpg123-id3dump.profile
index 370a57b3c..370a57b3c 100644
--- a/etc/mpg123-id3dump.profile
+++ b/etc/profile-m-z/mpg123-id3dump.profile
diff --git a/etc/mpg123-jack.profile b/etc/profile-m-z/mpg123-jack.profile
index e36a2e5b3..e36a2e5b3 100644
--- a/etc/mpg123-jack.profile
+++ b/etc/profile-m-z/mpg123-jack.profile
diff --git a/etc/mpg123-nas.profile b/etc/profile-m-z/mpg123-nas.profile
index cdbf0b1d2..cdbf0b1d2 100644
--- a/etc/mpg123-nas.profile
+++ b/etc/profile-m-z/mpg123-nas.profile
diff --git a/etc/mpg123-openal.profile b/etc/profile-m-z/mpg123-openal.profile
index e5585feaa..e5585feaa 100644
--- a/etc/mpg123-openal.profile
+++ b/etc/profile-m-z/mpg123-openal.profile
diff --git a/etc/mpg123-oss.profile b/etc/profile-m-z/mpg123-oss.profile
index dcb92ecd6..dcb92ecd6 100644
--- a/etc/mpg123-oss.profile
+++ b/etc/profile-m-z/mpg123-oss.profile
diff --git a/etc/mpg123-portaudio.profile b/etc/profile-m-z/mpg123-portaudio.profile
index 319843504..319843504 100644
--- a/etc/mpg123-portaudio.profile
+++ b/etc/profile-m-z/mpg123-portaudio.profile
diff --git a/etc/mpg123-pulse.profile b/etc/profile-m-z/mpg123-pulse.profile
index 31063a96b..31063a96b 100644
--- a/etc/mpg123-pulse.profile
+++ b/etc/profile-m-z/mpg123-pulse.profile
diff --git a/etc/mpg123-strip.profile b/etc/profile-m-z/mpg123-strip.profile
index 62de57c22..62de57c22 100644
--- a/etc/mpg123-strip.profile
+++ b/etc/profile-m-z/mpg123-strip.profile
diff --git a/etc/mpg123.bin.profile b/etc/profile-m-z/mpg123.bin.profile
index 0a01d0829..0a01d0829 100644
--- a/etc/mpg123.bin.profile
+++ b/etc/profile-m-z/mpg123.bin.profile
diff --git a/etc/mpg123.profile b/etc/profile-m-z/mpg123.profile
index 6dfeb4586..b1ab81c1e 100644
--- a/etc/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -1,13 +1,13 @@
 # Firejail profile for mpg123
 # Description: MPEG audio player/decoder
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include mpg123.local
 # Persistent global definitions
 include globals.local
 
 noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,17 +23,23 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
+no3d
 nogroups
 nonewprivs
 noroot
+notv
 nou2f
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
+tracelog
 
 #private-bin mpg123*
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 9ab4f8c7f..cd25d6c0b 100644
--- a/etc/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -21,7 +21,9 @@ include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
+# net none - mplayer can be used for streaming.
 netfilter
 # nogroups
 nonewprivs
diff --git a/etc/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index 546755ecb..e0c6ff1c8 100644
--- a/etc/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -26,6 +26,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/mps-youtube
@@ -48,7 +49,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 # Seems to cause issues with Nvidia drivers sometimes
 nogroups
@@ -67,3 +67,5 @@ private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/mpv.profile b/etc/profile-m-z/mpv.profile
index 56cd66199..2fc027257 100644
--- a/etc/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -25,8 +27,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/share/lua
+whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -34,8 +39,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
-# Seems to cause issues with Nvidia drivers sometimes
+# nogroups seems to cause issues with Nvidia drivers sometimes
 nogroups
 nonewprivs
 noroot
@@ -46,6 +50,9 @@ shell none
 tracelog
 
 private-bin env,mpv,python*,youtube-dl
-# Causes slow OSD, see #2838
+# private-cache causes slow OSD, see #2838
 #private-cache
 private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
new file mode 100644
index 000000000..f02a4f357
--- /dev/null
+++ b/etc/profile-m-z/mrrescue.profile
@@ -0,0 +1,49 @@
+# Firejail profile for mrrescue
+# Description: Arcade-style fire fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mrrescue.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/love
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/love
+whitelist ${HOME}/.local/share/love
+whitelist /usr/share/mrrescue
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin love,mrrescue,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/ms-excel.profile b/etc/profile-m-z/ms-excel.profile
index db24e8f9b..db24e8f9b 100644
--- a/etc/ms-excel.profile
+++ b/etc/profile-m-z/ms-excel.profile
diff --git a/etc/ms-office.profile b/etc/profile-m-z/ms-office.profile
index 3bc674134..a6892d698 100644
--- a/etc/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -21,7 +21,6 @@ include disable-programs.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,5 @@ private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/ms-onenote.profile b/etc/profile-m-z/ms-onenote.profile
index 9ea0637bd..9ea0637bd 100644
--- a/etc/ms-onenote.profile
+++ b/etc/profile-m-z/ms-onenote.profile
diff --git a/etc/ms-outlook.profile b/etc/profile-m-z/ms-outlook.profile
index fc3e7c009..fc3e7c009 100644
--- a/etc/ms-outlook.profile
+++ b/etc/profile-m-z/ms-outlook.profile
diff --git a/etc/ms-powerpoint.profile b/etc/profile-m-z/ms-powerpoint.profile
index dadcd5b1e..dadcd5b1e 100644
--- a/etc/ms-powerpoint.profile
+++ b/etc/profile-m-z/ms-powerpoint.profile
diff --git a/etc/ms-skype.profile b/etc/profile-m-z/ms-skype.profile
index df1618361..df1618361 100644
--- a/etc/ms-skype.profile
+++ b/etc/profile-m-z/ms-skype.profile
diff --git a/etc/ms-word.profile b/etc/profile-m-z/ms-word.profile
index 5a617a893..5a617a893 100644
--- a/etc/ms-word.profile
+++ b/etc/profile-m-z/ms-word.profile
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
new file mode 100644
index 000000000..cfd00e8ae
--- /dev/null
+++ b/etc/profile-m-z/mtpaint.profile
@@ -0,0 +1,49 @@
+# Firejail profile for mtpaint
+# Description: Simple painting and editing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mtpaint.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin mtpaint
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/multimc.profile b/etc/profile-m-z/multimc.profile
index 338f494c9..338f494c9 100644
--- a/etc/multimc.profile
+++ b/etc/profile-m-z/multimc.profile
diff --git a/etc/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 475307418..475307418 100644
--- a/etc/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
diff --git a/etc/mumble.profile b/etc/profile-m-z/mumble.profile
index 94ccbad0c..0c4efc3d3 100644
--- a/etc/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/Mumble
 mkdir ${HOME}/.local/share/data/Mumble
@@ -34,7 +35,7 @@ nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
diff --git a/etc/mupdf-gl.profile b/etc/profile-m-z/mupdf-gl.profile
index be94a9083..be94a9083 100644
--- a/etc/mupdf-gl.profile
+++ b/etc/profile-m-z/mupdf-gl.profile
diff --git a/etc/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
index a04d386a2..a04d386a2 100644
--- a/etc/mupdf-x11-curl.profile
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
diff --git a/etc/mupdf-x11.profile b/etc/profile-m-z/mupdf-x11.profile
index 256201d0c..256201d0c 100644
--- a/etc/mupdf-x11.profile
+++ b/etc/profile-m-z/mupdf-x11.profile
diff --git a/etc/mupdf.profile b/etc/profile-m-z/mupdf.profile
index 43afbc859..a3e56170a 100644
--- a/etc/mupdf.profile
+++ b/etc/profile-m-z/mupdf.profile
@@ -18,10 +18,10 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +38,6 @@ tracelog
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile
index e131f5319..00983a8f3 100644
--- a/etc/mupen64plus.profile
+++ b/etc/profile-m-z/mupen64plus.profile
@@ -24,10 +24,12 @@ include whitelist-common.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nonewprivs
 noroot
 notv
 novideo
 seccomp
+
+dbus-user none
+dbus-system none
diff --git a/etc/muraster.profile b/etc/profile-m-z/muraster.profile
index 90e3f2050..90e3f2050 100644
--- a/etc/muraster.profile
+++ b/etc/profile-m-z/muraster.profile
diff --git a/etc/musescore.profile b/etc/profile-m-z/musescore.profile
index b3693c956..679e82ae8 100644
--- a/etc/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -23,6 +23,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index a6b85a8e4..a6b85a8e4 100644
--- a/etc/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
diff --git a/etc/mutool.profile b/etc/profile-m-z/mutool.profile
index e61f4665d..e61f4665d 100644
--- a/etc/mutool.profile
+++ b/etc/profile-m-z/mutool.profile
diff --git a/etc/mutt.profile b/etc/profile-m-z/mutt.profile
index 1fc412955..1ce12f54f 100644
--- a/etc/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -40,6 +40,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
@@ -57,3 +59,4 @@ shell none
 
 private-dev
 writable-run-user
+writable-var
diff --git a/etc/mypaint-ora-thumbnailer.profile b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
index 59b3024ed..59b3024ed 100644
--- a/etc/mypaint-ora-thumbnailer.profile
+++ b/etc/profile-m-z/mypaint-ora-thumbnailer.profile
diff --git a/etc/mypaint.profile b/etc/profile-m-z/mypaint.profile
index d75651d78..c592e8477 100644
--- a/etc/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -28,7 +28,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +46,5 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/nano.profile b/etc/profile-m-z/nano.profile
index bc8c3dde0..2a4625896 100644
--- a/etc/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -28,7 +28,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-dev
 # Comment the next line if you want to edit files in /etc directly
 private-etc alternatives,nanorc
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/natron.profile b/etc/profile-m-z/natron.profile
index 7ad217b72..5bf152f84 100644
--- a/etc/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -22,7 +22,6 @@ include disable-programs.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +33,6 @@ seccomp
 shell none
 
 private-bin natron,Natron,NatronRenderer
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/nautilus.profile b/etc/profile-m-z/nautilus.profile
new file mode 100644
index 000000000..e54bea228
--- /dev/null
+++ b/etc/profile-m-z/nautilus.profile
@@ -0,0 +1,15 @@
+# Firejail profile for nautilus
+# Description: File manager and graphical shell for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nautilus.local
+# Persistent global definitions
+include globals.local
+
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# is already a nautilus process running on gnome desktops firejail will have no effect.
+
+# Put 'ignore noroot' in your nautilus.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 9fda6ebe0..651804bf1 100644
--- a/etc/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -12,7 +12,6 @@ include disable-exec.inc
 
 caps.drop all
 ipc-namespace
-nodbus
 net none
 no3d
 nodvd
@@ -31,4 +30,7 @@ x11 none
 private-dev
 # private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/profile-m-z/nemo.profile b/etc/profile-m-z/nemo.profile
new file mode 100644
index 000000000..1b3333e8c
--- /dev/null
+++ b/etc/profile-m-z/nemo.profile
@@ -0,0 +1,12 @@
+# Firejail profile for nemo
+# Description: File manager and graphical shell for Cinnamon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nemo.local
+# Persistent global definitions
+include globals.local
+
+# Put 'ignore noroot' in your nemo.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/netactview.profile b/etc/profile-m-z/netactview.profile
index 0618caf68..fd73cea89 100644
--- a/etc/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.netactview
@@ -29,7 +30,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +49,7 @@ private-etc alternatives,fonts
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile
index 079f44ee7..4daa8054b 100644
--- a/etc/nethack-vultures.profile
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -41,3 +40,6 @@ private-cache
 private-dev
 private-tmp
 writable-var
+
+dbus-user none
+dbus-system none
diff --git a/etc/nethack.profile b/etc/profile-m-z/nethack.profile
index 3df632451..c8c927db2 100644
--- a/etc/nethack.profile
+++ b/etc/profile-m-z/nethack.profile
@@ -23,7 +23,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -42,4 +41,7 @@ private-dev
 private-tmp
 writable-var
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute
diff --git a/etc/netsurf.profile b/etc/profile-m-z/netsurf.profile
index 0ddb7bbbe..0ddb7bbbe 100644
--- a/etc/netsurf.profile
+++ b/etc/profile-m-z/netsurf.profile
diff --git a/etc/neverball.profile b/etc/profile-m-z/neverball.profile
index 84c634549..84c634549 100644
--- a/etc/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
diff --git a/etc/neverputt.profile b/etc/profile-m-z/neverputt.profile
index d370d1218..d370d1218 100644
--- a/etc/neverputt.profile
+++ b/etc/profile-m-z/neverputt.profile
diff --git a/etc/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile
index 059c2156d..85581a2f0 100644
--- a/etc/newsbeuter.profile
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -1,4 +1,4 @@
-# Firejail profile for Newsboat
+# Firejail profile for Newsbeuter
 # Description: Text based Atom/RSS feed reader
 # This file is overwritten after every install/update
 # Persistent local customizations
diff --git a/etc/newsboat.profile b/etc/profile-m-z/newsboat.profile
index e063abe53..a7bac6286 100644
--- a/etc/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -19,13 +19,13 @@ include disable-xdg.inc
 mkdir ${HOME}/.newsboat
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,4 +44,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
new file mode 100644
index 000000000..d0ac83baf
--- /dev/null
+++ b/etc/profile-m-z/newsflash.profile
@@ -0,0 +1,60 @@
+# Firejail profile for newsflash
+# Description: Modern feed reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsflash.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/NewsFlashGTK
+noblacklist ${HOME}/.config/news-flash
+noblacklist ${HOME}/.local/share/news-flash
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/NewsFlashGTK
+mkdir ${HOME}/.config/news-flash
+mkdir ${HOME}/.local/share/news-flash
+whitelist ${HOME}/.cache/NewsFlashGTK
+whitelist ${HOME}/.config/news-flash
+whitelist ${HOME}/.local/share/news-flash
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.gitlab.newsflash,newsflash
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-tmp
+
+dbus-user none
+#dbus-user.own com.gitlab.newsflash
+#dbus-user.talk org.freedesktop.Notifications
+dbus-system none
diff --git a/etc/nheko.profile b/etc/profile-m-z/nheko.profile
index 119b30239..701098f4b 100644
--- a/etc/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.cache/nheko/nheko
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
new file mode 100644
index 000000000..6c363345e
--- /dev/null
+++ b/etc/profile-m-z/nicotine.profile
@@ -0,0 +1,56 @@
+# Firejail profile for Nicotine Plus
+# Description: Soulseek music-sharing client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nicotine.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.nicotine
+
+include allow-python2.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.nicotine
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.nicotine
+whitelist /usr/share/GeoIP
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin nicotine,python2*
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/nitroshare-cli.profile b/etc/profile-m-z/nitroshare-cli.profile
index d9cb2edc5..d9cb2edc5 100644
--- a/etc/nitroshare-cli.profile
+++ b/etc/profile-m-z/nitroshare-cli.profile
diff --git a/etc/nitroshare-nmh.profile b/etc/profile-m-z/nitroshare-nmh.profile
index d9cb2edc5..d9cb2edc5 100644
--- a/etc/nitroshare-nmh.profile
+++ b/etc/profile-m-z/nitroshare-nmh.profile
diff --git a/etc/nitroshare-send.profile b/etc/profile-m-z/nitroshare-send.profile
index d9cb2edc5..d9cb2edc5 100644
--- a/etc/nitroshare-send.profile
+++ b/etc/profile-m-z/nitroshare-send.profile
diff --git a/etc/nitroshare-ui.profile b/etc/profile-m-z/nitroshare-ui.profile
index d9cb2edc5..d9cb2edc5 100644
--- a/etc/nitroshare-ui.profile
+++ b/etc/profile-m-z/nitroshare-ui.profile
diff --git a/etc/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index dfa64cff9..1743a771e 100644
--- a/etc/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -26,7 +26,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +46,7 @@ private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,
 # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute
diff --git a/etc/nomacs.profile b/etc/profile-m-z/nomacs.profile
index 7a7ff504a..d081c9cb7 100644
--- a/etc/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -43,5 +43,3 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
 private-tmp
-
-memory-deny-write-execute
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
new file mode 100644
index 000000000..a8e0ddd89
--- /dev/null
+++ b/etc/profile-m-z/nslookup.profile
@@ -0,0 +1,56 @@
+# Firejail profile for nslookup
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nslookup.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${PATH}/nslookup
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${HOME}/.nslookuprc
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,nslookup,sh
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
new file mode 100644
index 000000000..1b97eda9b
--- /dev/null
+++ b/etc/profile-m-z/nuclear.profile
@@ -0,0 +1,40 @@
+# Firejail profile for nuclear
+# Description: Stream music from Youtube,Soundcloud,Jamendo
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nuclear.local
+# Persistent global definitions
+include globals.local
+
+ignore dbus-user
+
+noblacklist ${HOME}/.config/nuclear
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc 
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/nuclear
+whitelist ${HOME}/.config/nuclear
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+no3d
+nou2f
+novideo
+shell none
+
+disable-mnt
+# private-bin nuclear
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt nuclear
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/nylas.profile b/etc/profile-m-z/nylas.profile
index c959eb991..c959eb991 100644
--- a/etc/nylas.profile
+++ b/etc/profile-m-z/nylas.profile
diff --git a/etc/nyx.profile b/etc/profile-m-z/nyx.profile
index c4475c75c..9e27dafab 100644
--- a/etc/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.nyx
@@ -28,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +50,5 @@ private-opt none
 private-srv none
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/obs.profile b/etc/profile-m-z/obs.profile
index 4277bdab3..4277bdab3 100644
--- a/etc/obs.profile
+++ b/etc/profile-m-z/obs.profile
diff --git a/etc/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index a523a6c56..ae18cfff9 100644
--- a/etc/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
@@ -29,8 +30,6 @@ ipc-namespace
 #net none
 netfilter
 no3d
-# nodbus - breaks preferences, comment (or put 'ignore nodbus' in your oceanaudio.local) when needed
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +48,8 @@ private-dev
 private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
 private-tmp
 
+# breaks preferences
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index c0c5b671c..6201b6fba 100644
--- a/etc/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -15,12 +15,12 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,4 +40,8 @@ private-cache
 private-dev
 private-etc alternatives
 private-tmp
+
+dbus-user none
+dbus-system none
+
 read-only ${HOME}
diff --git a/etc/oggsplt.profile b/etc/profile-m-z/oggsplt.profile
index 5aedadde9..5aedadde9 100644
--- a/etc/oggsplt.profile
+++ b/etc/profile-m-z/oggsplt.profile
diff --git a/etc/okular.profile b/etc/profile-m-z/okular.profile
index 9debd86ff..36723ca29 100644
--- a/etc/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.kde/share/config/okularrc
 noblacklist ${HOME}/.kde4/share/apps/okular
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
+noblacklist ${HOME}/.local/share/kxmlgui5/okular
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${DOCUMENTS}
 
@@ -24,9 +25,11 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/config.kcfg
+whitelist /usr/share/kxmlgui5/okular
 whitelist /usr/share/okular
 whitelist /usr/share/poppler
 include whitelist-usr-share-common.inc
@@ -37,7 +40,6 @@ caps.drop all
 machine-id
 # net none
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,6 +58,9 @@ private-dev
 private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute
 
 join-or-start okular
diff --git a/etc/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 5bfcd0527..5bfcd0527 100644
--- a/etc/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
diff --git a/etc/ooffice.profile b/etc/profile-m-z/ooffice.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/ooffice.profile
+++ b/etc/profile-m-z/ooffice.profile
diff --git a/etc/ooviewdoc.profile b/etc/profile-m-z/ooviewdoc.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/ooviewdoc.profile
+++ b/etc/profile-m-z/ooviewdoc.profile
diff --git a/etc/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 5925ccc09..e18599d1d 100644
--- a/etc/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -10,17 +10,20 @@ noblacklist ${HOME}/.openinvaders
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.openinvaders
 whitelist ${HOME}/.openinvaders
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -32,6 +35,9 @@ protocol unix,netlink
 seccomp
 shell none
 
-# private-bin open-invaders
+private-bin open-invaders
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/openarena.profile b/etc/profile-m-z/openarena.profile
index c83e78e2c..45682fc31 100644
--- a/etc/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -16,28 +16,35 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.openarena
+whitelist ${HOME}/.openarena
+whitelist /usr/share/openarena
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.in
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# ipc-namespace
-# netfilter
-# nodbus
-# nodvd
-# nogroups
+netfilter
+nodvd
+nogroups
 nonewprivs
 noroot
 notv
-# nou2f
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-# tracelog
+tracelog
 
-# disable-mnt
-# private-bin openarena
+disable-mnt
+private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile
new file mode 100644
index 000000000..c529e7e11
--- /dev/null
+++ b/etc/profile-m-z/openarena_ded.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for openarena
+# This file is overwritten after every install/update
+
+# Redirect
+include openarena.profile
diff --git a/etc/openbox.profile b/etc/profile-m-z/openbox.profile
index 1fb93c79c..1fb93c79c 100644
--- a/etc/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
diff --git a/etc/opencity.profile b/etc/profile-m-z/opencity.profile
index 6a27c8095..cb8a511ad 100644
--- a/etc/opencity.profile
+++ b/etc/profile-m-z/opencity.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.opencity
@@ -21,10 +22,10 @@ whitelist ${HOME}/.opencity
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +43,6 @@ private-bin opencity
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/openclonk.profile b/etc/profile-m-z/openclonk.profile
index da60006b3..a6760617c 100644
--- a/etc/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.clonk
@@ -21,10 +22,11 @@ whitelist ${HOME}/.clonk
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-net none
-nodbus
+# net none - networked game
+netfilter
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +44,6 @@ private-bin c4group,openclonk
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/openoffice.org.profile b/etc/profile-m-z/openoffice.org.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/openoffice.org.profile
+++ b/etc/profile-m-z/openoffice.org.profile
diff --git a/etc/openshot-qt.profile b/etc/profile-m-z/openshot-qt.profile
index 2f886d2ac..2f886d2ac 100644
--- a/etc/openshot-qt.profile
+++ b/etc/profile-m-z/openshot-qt.profile
diff --git a/etc/openshot.profile b/etc/profile-m-z/openshot.profile
index 9d0b4c4c9..e1839c724 100644
--- a/etc/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -23,9 +23,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#net none
-netfilter
-nodbus
+net none
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +38,5 @@ tracelog
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/openttd.profile b/etc/profile-m-z/openttd.profile
index 5de4d325d..b71883d68 100644
--- a/etc/openttd.profile
+++ b/etc/profile-m-z/openttd.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.openttd
@@ -21,10 +22,10 @@ whitelist ${HOME}/.openttd
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-netfilter
-nodbus
+net none
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +43,6 @@ private-bin openttd
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 8658d30c6..8658d30c6 100644
--- a/etc/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
diff --git a/etc/opera.profile b/etc/profile-m-z/opera.profile
index b342b3961..b342b3961 100644
--- a/etc/opera.profile
+++ b/etc/profile-m-z/opera.profile
diff --git a/etc/orage.profile b/etc/profile-m-z/orage.profile
index 4e12892d6..4e12892d6 100644
--- a/etc/orage.profile
+++ b/etc/profile-m-z/orage.profile
diff --git a/etc/profile-m-z/org.gnome.NautilusPreviewer.profile b/etc/profile-m-z/org.gnome.NautilusPreviewer.profile
new file mode 100644
index 000000000..eb75add58
--- /dev/null
+++ b/etc/profile-m-z/org.gnome.NautilusPreviewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for sushi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include org.gnome.NautilusPreviewer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include sushi.profile
diff --git a/etc/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index bef784126..cc44d5a48 100644
--- a/etc/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -14,17 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.ostrichriders
 whitelist ${HOME}/.ostrichriders
+whitelist /usr/share/ostrichriders
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,3 +45,6 @@ private-cache
 # private-dev should be commented for controllers
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
new file mode 100644
index 000000000..652b6b7cb
--- /dev/null
+++ b/etc/profile-m-z/otter-browser.profile
@@ -0,0 +1,59 @@
+# Firejail profile for otter-browser
+# Description: Lightweight web browser based on Qt5 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include otter-browser.local
+# Persistent global definitions
+include globals.local
+
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/Otter
+noblacklist ${HOME}/.config/otter
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Otter
+mkdir ${HOME}/.config/otter
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Otter
+whitelist ${HOME}/.config/otter
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+whitelist /usr/share/otter-browser
+include whitelist-common.inc
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin bash,otter-browser,sh,which
+private-cache
+?BROWSER_DISABLE_U2F: private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp 
+
+dbus-system none
diff --git a/etc/out123.profile b/etc/profile-m-z/out123.profile
index 4754c05ba..4754c05ba 100644
--- a/etc/out123.profile
+++ b/etc/profile-m-z/out123.profile
diff --git a/etc/p7zip.profile b/etc/profile-m-z/p7zip.profile
index 652fac7bd..652fac7bd 100644
--- a/etc/p7zip.profile
+++ b/etc/profile-m-z/p7zip.profile
diff --git a/etc/palemoon.profile b/etc/profile-m-z/palemoon.profile
index acb2ce176..acb2ce176 100644
--- a/etc/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
diff --git a/etc/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 9a8d82a96..9ee7e75b4 100644
--- a/etc/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -8,6 +8,7 @@ include pandoc.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
@@ -17,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 # breaks pdf output
@@ -28,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,7 +48,10 @@ disable-mnt
 private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
-private-etc alternatives,texlive
+private-etc alternatives,texlive,texmf
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/parole.profile b/etc/profile-m-z/parole.profile
index e7a0694ed..0a4422a73 100644
--- a/etc/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -14,6 +14,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 caps.drop all
diff --git a/etc/patch.profile b/etc/profile-m-z/patch.profile
index 4a3365378..8663fb453 100644
--- a/etc/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -8,6 +8,7 @@ include patch.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
@@ -16,6 +17,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
@@ -25,7 +27,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -44,4 +45,7 @@ private-bin patch,red
 private-dev
 private-lib libfakeroot
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
index f96ba14d2..f96ba14d2 100644
--- a/etc/pavucontrol-qt.profile
+++ b/etc/profile-m-z/pavucontrol-qt.profile
diff --git a/etc/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index 0ae9f08af..f7d3576da 100644
--- a/etc/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -29,7 +29,6 @@ apparmor
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,5 +49,8 @@ private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # mdwe is broken under Wayland, but works under Xorg.
 #memory-deny-write-execute
diff --git a/etc/profile-m-z/pcmanfm.profile b/etc/profile-m-z/pcmanfm.profile
new file mode 100644
index 000000000..5718ab164
--- /dev/null
+++ b/etc/profile-m-z/pcmanfm.profile
@@ -0,0 +1,12 @@
+# Firejail profile for pcmanfm
+# Description: Extremely fast and lightweight file manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pcmanfm.local
+# Persistent global definitions
+include globals.local
+
+# Put 'ignore noroot' in your pcmanfm.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index 98a9f1840..4b6da4d6f 100644
--- a/etc/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -21,7 +21,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -38,4 +37,7 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,xdg
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/pdflatex.profile b/etc/profile-m-z/pdflatex.profile
index caf980d4d..caf980d4d 100644
--- a/etc/pdflatex.profile
+++ b/etc/profile-m-z/pdflatex.profile
diff --git a/etc/pdfmod.profile b/etc/profile-m-z/pdfmod.profile
index 177070e83..fb3c42526 100644
--- a/etc/pdfmod.profile
+++ b/etc/profile-m-z/pdfmod.profile
@@ -25,7 +25,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ shell none
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/pdfsam.profile b/etc/profile-m-z/pdfsam.profile
index 48f424190..2f4227159 100644
--- a/etc/pdfsam.profile
+++ b/etc/profile-m-z/pdfsam.profile
@@ -23,7 +23,6 @@ caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index 73ebf4615..eee42424f 100644
--- a/etc/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -7,6 +7,7 @@ include pdftotext.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
@@ -15,6 +16,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${DOCUMENTS}
@@ -28,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,3 +49,6 @@ private-cache
 private-dev
 private-etc alternatives
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/peek.profile b/etc/profile-m-z/peek.profile
index 8cbff0c64..66fdd6496 100644
--- a/etc/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -20,7 +20,6 @@ include disable-xdg.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,4 +37,7 @@ shell none
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile
new file mode 100644
index 000000000..db0d84496
--- /dev/null
+++ b/etc/profile-m-z/penguin-command.profile
@@ -0,0 +1,42 @@
+# Firejail profile for open-invaders
+# Description: Space Invaders clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include penguin-command.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.penguin-command
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+
+whitelist ${HOME}/.penguin-command
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin penguin-command
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/picard.profile b/etc/profile-m-z/picard.profile
index 15fc7a454..15fc7a454 100644
--- a/etc/picard.profile
+++ b/etc/profile-m-z/picard.profile
diff --git a/etc/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 2e4215744..2e4215744 100644
--- a/etc/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
diff --git a/etc/ping.profile b/etc/profile-m-z/ping.profile
index 5f68ee011..3ef8ad64a 100644
--- a/etc/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -7,6 +7,10 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +23,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.keep net_raw
 ipc-namespace
 #net tun0
diff --git a/etc/pingus.profile b/etc/profile-m-z/pingus.profile
index a3adc55a2..ebfd236aa 100644
--- a/etc/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -10,17 +10,23 @@ noblacklist ${HOME}/.pingus
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
+whitelist /usr/share/pingus
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,7 +37,14 @@ novideo
 protocol unix,netlink
 seccomp
 shell none
+tracelog
 
-# private-bin pingus
+disable-mnt
+private-bin pingus,pingus.bin,sh
+private-cache
 private-dev
+private-etc machine-id
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/pinta.profile b/etc/profile-m-z/pinta.profile
index 8151bc98f..7d94972c4 100644
--- a/etc/pinta.profile
+++ b/etc/profile-m-z/pinta.profile
@@ -21,7 +21,6 @@ include disable-xdg.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,5 @@ private-dev
 private-cache
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/pioneer.profile b/etc/profile-m-z/pioneer.profile
index c5b936617..5f329195b 100644
--- a/etc/pioneer.profile
+++ b/etc/profile-m-z/pioneer.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pioneer
@@ -24,7 +25,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-bin modelcompiler,pioneer,savegamedump
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/pithos.profile b/etc/profile-m-z/pithos.profile
index ad56ce525..0864dd0bc 100644
--- a/etc/pithos.profile
+++ b/etc/profile-m-z/pithos.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
diff --git a/etc/pitivi.profile b/etc/profile-m-z/pitivi.profile
index 89a6a020b..c722e29b4 100644
--- a/etc/pitivi.profile
+++ b/etc/profile-m-z/pitivi.profile
@@ -6,7 +6,6 @@ include pitivi.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.config/pitivi
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -20,11 +19,13 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pix.profile b/etc/profile-m-z/pix.profile
index 9864ed718..a2c35beb5 100644
--- a/etc/pix.profile
+++ b/etc/profile-m-z/pix.profile
@@ -15,6 +15,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 nodvd
diff --git a/etc/planmaker18.profile b/etc/profile-m-z/planmaker18.profile
index 4cf1efb7f..2ba8e86c0 100644
--- a/etc/planmaker18.profile
+++ b/etc/profile-m-z/planmaker18.profile
@@ -7,4 +7,4 @@ include planmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/planmaker18free.profile b/etc/profile-m-z/planmaker18free.profile
index bb85f1fc7..d0bce44f5 100644
--- a/etc/planmaker18free.profile
+++ b/etc/profile-m-z/planmaker18free.profile
@@ -7,4 +7,4 @@ include planmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/playonlinux.profile b/etc/profile-m-z/playonlinux.profile
index 03091af6d..03091af6d 100644
--- a/etc/playonlinux.profile
+++ b/etc/profile-m-z/playonlinux.profile
diff --git a/etc/pluma.profile b/etc/profile-m-z/pluma.profile
index dadfcc44e..5303eae8a 100644
--- a/etc/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-var-common.inc
 
@@ -26,7 +27,6 @@ caps.drop all
 machine-id
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -45,6 +45,10 @@ private-dev
 private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
 
 join-or-start pluma
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
new file mode 100644
index 000000000..7ff59ea77
--- /dev/null
+++ b/etc/profile-m-z/plv.profile
@@ -0,0 +1,59 @@
+# Firejail profile for plv
+# Description: Inspect pacman log files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include plv.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/PacmanLogViewer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/PacmanLogViewer
+whitelist ${HOME}/.config/PacmanLogViewer
+whitelist /var/log/pacman*
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin plv
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-opt none
+private-tmp
+writable-var-log
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute - breaks opening file-chooser
+read-only ${HOME}
+read-write ${HOME}/.config/PacmanLogViewer
diff --git a/etc/pngquant.profile b/etc/profile-m-z/pngquant.profile
index f9ce43c4c..83905b108 100644
--- a/etc/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -15,7 +15,10 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -24,7 +27,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +48,7 @@ private-dev
 private-etc alternatives
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/polari.profile b/etc/profile-m-z/polari.profile
index 939e2537e..87a53775f 100644
--- a/etc/polari.profile
+++ b/etc/profile-m-z/polari.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.purple
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index 970290002..c62e53151 100644
--- a/etc/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -21,9 +21,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
-netfilter
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +38,5 @@ private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts
 private-opt ppsspp
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/pragha.profile b/etc/profile-m-z/pragha.profile
index 019c1a547..019c1a547 100644
--- a/etc/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
diff --git a/etc/presentations18.profile b/etc/profile-m-z/presentations18.profile
index ac844d1af..d4f531060 100644
--- a/etc/presentations18.profile
+++ b/etc/profile-m-z/presentations18.profile
@@ -7,4 +7,5 @@ include presentations18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+
diff --git a/etc/presentations18free.profile b/etc/profile-m-z/presentations18free.profile
index 218747224..e2319f13f 100644
--- a/etc/presentations18free.profile
+++ b/etc/profile-m-z/presentations18free.profile
@@ -7,4 +7,4 @@ include presentations18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
diff --git a/etc/profanity.profile b/etc/profile-m-z/profanity.profile
index 6ca9314e9..a02bcd826 100644
--- a/etc/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
@@ -28,7 +29,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +47,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index 16fffe517..16fffe517 100644
--- a/etc/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
diff --git a/etc/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
index 034c144c7..034c144c7 100644
--- a/etc/pybitmessage.profile
+++ b/etc/profile-m-z/pybitmessage.profile
diff --git a/etc/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 9ee426a95..9ee426a95 100644
--- a/etc/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
diff --git a/etc/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
index a14d0268b..a14d0268b 100644
--- a/etc/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
diff --git a/etc/pzstd.profile b/etc/profile-m-z/pzstd.profile
index ce9af3286..ce9af3286 100644
--- a/etc/pzstd.profile
+++ b/etc/profile-m-z/pzstd.profile
diff --git a/etc/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index fe9caec77..81ec1bc6b 100644
--- a/etc/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -21,6 +21,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.cache/qBittorrent
 mkdir ${HOME}/.config/qBittorrent
@@ -38,7 +39,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -56,4 +56,7 @@ private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
diff --git a/etc/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
index ac60384fd..ac60384fd 100644
--- a/etc/qemu-launcher.profile
+++ b/etc/profile-m-z/qemu-launcher.profile
diff --git a/etc/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile
index d7d7905dd..d7d7905dd 100644
--- a/etc/qemu-system-x86_64.profile
+++ b/etc/profile-m-z/qemu-system-x86_64.profile
diff --git a/etc/qgis.profile b/etc/profile-m-z/qgis.profile
index 88ed0cd81..eee538383 100644
--- a/etc/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -35,7 +35,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 machine-id
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -55,3 +54,6 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/qlipper.profile b/etc/profile-m-z/qlipper.profile
index fb9dca48f..fb9dca48f 100644
--- a/etc/qlipper.profile
+++ b/etc/profile-m-z/qlipper.profile
diff --git a/etc/qmmp.profile b/etc/profile-m-z/qmmp.profile
index b69bbdef1..e1f679417 100644
--- a/etc/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -14,12 +14,12 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 caps.drop all
 netfilter
 # no3d
-nodbus
 nogroups
 nonewprivs
 noroot
@@ -35,3 +35,5 @@ private-bin bzip2,gzip,qmmp,tar,unzip
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index 863f57ba4..80e34334a 100644
--- a/etc/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -16,14 +16,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
-# needs D-Bus when started from a file manager
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +40,7 @@ tracelog
 private-bin qpdfview
 private-dev
 private-tmp
+
+# needs D-Bus when started from a file manager
+# dbus-user none
+# dbus-system none
diff --git a/etc/qt-faststart.profile b/etc/profile-m-z/qt-faststart.profile
index 2cdff33a6..2cdff33a6 100644
--- a/etc/qt-faststart.profile
+++ b/etc/profile-m-z/qt-faststart.profile
diff --git a/etc/qtox.profile b/etc/profile-m-z/qtox.profile
index cb2a78920..eb8e3e314 100644
--- a/etc/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/tox
@@ -27,7 +28,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +46,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/quadrapassel.profile b/etc/profile-m-z/quadrapassel.profile
new file mode 100644
index 000000000..91e0d9d0d
--- /dev/null
+++ b/etc/profile-m-z/quadrapassel.profile
@@ -0,0 +1,20 @@
+# Firejail profile for quadrapassel
+# Description: Tetris-like game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quadrapassel.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/quadrapassel
+
+mkdir ${HOME}/.local/share/quadrapassel
+whitelist ${HOME}/.local/share/quadrapassel
+whitelist /usr/share/quadrapassel
+
+private-bin quadrapassel
+
+dbus-user.own org.gnome.Quadrapassel
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/quassel.profile b/etc/profile-m-z/quassel.profile
index c65089e20..c65089e20 100644
--- a/etc/quassel.profile
+++ b/etc/profile-m-z/quassel.profile
diff --git a/etc/quiterss.profile b/etc/profile-m-z/quiterss.profile
index 8dbdffdc8..366cff4ed 100644
--- a/etc/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.cache/QuiteRss
 mkdir ${HOME}/.config/QuiteRss
diff --git a/etc/qupzilla.profile b/etc/profile-m-z/qupzilla.profile
index 7aa71c848..7aa71c848 100644
--- a/etc/qupzilla.profile
+++ b/etc/profile-m-z/qupzilla.profile
diff --git a/etc/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index fc910b589..fc910b589 100644
--- a/etc/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
diff --git a/etc/rambox.profile b/etc/profile-m-z/rambox.profile
index 6f7f37aaf..ffa2022ee 100644
--- a/etc/rambox.profile
+++ b/etc/profile-m-z/rambox.profile
@@ -1,4 +1,5 @@
 # Firejail profile for rambox
+# Description: Free and Open Source messaging and emailing app that combines common web applications into one (Electron-based)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include rambox.local
@@ -31,5 +32,7 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6,netlink
-seccomp
+# electron-based application, needing chroot
+#seccomp
+seccomp !chroot
 # tracelog
diff --git a/etc/profile-m-z/ranger.profile b/etc/profile-m-z/ranger.profile
new file mode 100644
index 000000000..8b3fe97d8
--- /dev/null
+++ b/etc/profile-m-z/ranger.profile
@@ -0,0 +1,12 @@
+# Firejail profile for ranger
+# Description: File manager with an ncurses frontend written in Python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ranger.local
+# Persistent global definitions
+include globals.local
+
+# Put 'ignore noroot' in your ranger.local if you use MPV+Vulkan (see issue #3012)
+
+# Redirect
+include file-manager-common.profile
diff --git a/etc/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
index bb1ad56d3..bb1ad56d3 100644
--- a/etc/redeclipse.profile
+++ b/etc/profile-m-z/redeclipse.profile
diff --git a/etc/redshift.profile b/etc/profile-m-z/redshift.profile
index 0f6d34ed0..298ab1902 100644
--- a/etc/redshift.profile
+++ b/etc/profile-m-z/redshift.profile
@@ -29,7 +29,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/regextester.profile b/etc/profile-m-z/regextester.profile
index e30748946..6fb0d4b5f 100644
--- a/etc/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -12,6 +12,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/com.github.artemanufrij.regextester
@@ -26,7 +27,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -48,6 +48,10 @@ private-etc alternatives,fonts
 private-lib libgranite.so.*
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
 
 # never write anything
diff --git a/etc/remmina.profile b/etc/profile-m-z/remmina.profile
index e85ceca13..6311c91df 100644
--- a/etc/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -19,6 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/rhythmbox-client.profile b/etc/profile-m-z/rhythmbox-client.profile
index 29e65d716..29e65d716 100644
--- a/etc/rhythmbox-client.profile
+++ b/etc/profile-m-z/rhythmbox-client.profile
diff --git a/etc/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index ad8b1015e..b76f2b947 100644
--- a/etc/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -20,25 +20,26 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/rhythmbox
 whitelist /usr/share/lua
 whitelist /usr/share/libquvi-scripts
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+apparmor
 caps.drop all
 netfilter
-# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
@@ -46,3 +47,13 @@ tracelog
 private-bin rhythmbox,rhythmbox-client
 private-dev
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Rhythmbox3
+dbus-user.own org.mpris.MediaPlayer2.rhythmbox
+dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+dbus-system filter
+dbus-system.talk org.freedesktop.Avahi
diff --git a/etc/ricochet.profile b/etc/profile-m-z/ricochet.profile
index 1b8fbbc97..86e3fbfb5 100644
--- a/etc/ricochet.profile
+++ b/etc/profile-m-z/ricochet.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.local/share/Ricochet
 whitelist ${DOWNLOADS}
diff --git a/etc/riot-desktop.profile b/etc/profile-m-z/riot-desktop.profile
index 4372fabe1..4372fabe1 100644
--- a/etc/riot-desktop.profile
+++ b/etc/profile-m-z/riot-desktop.profile
diff --git a/etc/riot-web.profile b/etc/profile-m-z/riot-web.profile
index b930adf2b..b930adf2b 100644
--- a/etc/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile
new file mode 100644
index 000000000..cf6daada5
--- /dev/null
+++ b/etc/profile-m-z/ripperx.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ripperx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ripperXrc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/ristretto.profile b/etc/profile-m-z/ristretto.profile
index 8fcbb203c..a1cbdf16c 100644
--- a/etc/ristretto.profile
+++ b/etc/profile-m-z/ristretto.profile
@@ -17,7 +17,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
+net none
 netfilter
 no3d
 nodvd
diff --git a/etc/rnano.profile b/etc/profile-m-z/rnano.profile
index d9048982a..d9048982a 100644
--- a/etc/rnano.profile
+++ b/etc/profile-m-z/rnano.profile
diff --git a/etc/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
index a574e4e8b..a574e4e8b 100644
--- a/etc/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
diff --git a/etc/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 84147f0a5..95deed119 100644
--- a/etc/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -14,6 +14,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,6 +22,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 # Uncomment or add to rsync.local to enable extra hardening
@@ -32,7 +34,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,4 +54,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/rtorrent.profile b/etc/profile-m-z/rtorrent.profile
index 0b4d6e1b1..308c1c802 100644
--- a/etc/rtorrent.profile
+++ b/etc/profile-m-z/rtorrent.profile
@@ -12,6 +12,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 machine-id
diff --git a/etc/rtv.profile b/etc/profile-m-z/rtv.profile
index af4b7e94b..14740e05f 100644
--- a/etc/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -35,7 +35,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +53,6 @@ private-bin python*,rtv,sh,xdg-settings
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+
+dbus-user none
+dbus-system none
diff --git a/etc/runenpass.sh.profile b/etc/profile-m-z/runenpass.sh.profile
index 64432c171..64432c171 100644
--- a/etc/runenpass.sh.profile
+++ b/etc/profile-m-z/runenpass.sh.profile
diff --git a/etc/rview.profile b/etc/profile-m-z/rview.profile
index fb72a00de..fb72a00de 100644
--- a/etc/rview.profile
+++ b/etc/profile-m-z/rview.profile
diff --git a/etc/rvim.profile b/etc/profile-m-z/rvim.profile
index 7c6465d3c..7c6465d3c 100644
--- a/etc/rvim.profile
+++ b/etc/profile-m-z/rvim.profile
diff --git a/etc/sayonara.profile b/etc/profile-m-z/sayonara.profile
index 8f0544f33..6557c0c42 100644
--- a/etc/sayonara.profile
+++ b/etc/profile-m-z/sayonara.profile
@@ -13,6 +13,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 caps.drop all
diff --git a/etc/scallion.profile b/etc/profile-m-z/scallion.profile
index dee9e1f40..0f67d4d09 100644
--- a/etc/scallion.profile
+++ b/etc/profile-m-z/scallion.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +39,6 @@ disable-mnt
 private
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile
new file mode 100644
index 000000000..507d0827e
--- /dev/null
+++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -0,0 +1,10 @@
+# Firejail profile for scorched3d
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d-wrapper.local
+
+whitelist /usr/share/opengl-games-utils
+private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
+
+# Redirect
+include scorched3d.profile
diff --git a/etc/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index e94d436cf..6a1003c33 100644
--- a/etc/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -18,13 +18,15 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.scorched3d
 whitelist ${HOME}/.scorched3d
+whitelist /usr/share/scorched3d
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +44,6 @@ private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
new file mode 100644
index 000000000..484ebc38e
--- /dev/null
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -0,0 +1,50 @@
+# Firejail profile for scorchwentbonkers
+# Description: Realtime remake of Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorchwentbonkers.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.swb.ini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.swb.ini
+whitelist ${HOME}/.swb.ini
+whitelist /usr/share/scorchwentbonkers
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin scorchwentbonkers
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/scp.profile b/etc/profile-m-z/scp.profile
index 287b8029a..287b8029a 100644
--- a/etc/scp.profile
+++ b/etc/profile-m-z/scp.profile
diff --git a/etc/scribus.profile b/etc/profile-m-z/scribus.profile
index e20cd1b5a..22cd10737 100644
--- a/etc/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -40,9 +40,9 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -60,3 +60,5 @@ tracelog
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/sdat2img.profile b/etc/profile-m-z/sdat2img.profile
index a367acad5..8d16cd07f 100644
--- a/etc/sdat2img.profile
+++ b/etc/profile-m-z/sdat2img.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
@@ -23,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,3 +40,5 @@ private-bin env,python*,sdat2img
 private-cache
 private-dev
 
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
new file mode 100644
index 000000000..cb2e5ef91
--- /dev/null
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -0,0 +1,51 @@
+# Firejail profile for seahorse-adventures
+# Description: Help barbie the seahorse float on bubbles to the moon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-adventures.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/seahorse-adventures
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin python*,seahorse-adventures
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/seahorse-daemon.profile b/etc/profile-m-z/seahorse-daemon.profile
index 6410da4d8..6410da4d8 100644
--- a/etc/seahorse-daemon.profile
+++ b/etc/profile-m-z/seahorse-daemon.profile
diff --git a/etc/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile
index 96ff74edf..96ff74edf 100644
--- a/etc/seahorse-tool.profile
+++ b/etc/profile-m-z/seahorse-tool.profile
diff --git a/etc/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 5a742d05f..85d86d646 100644
--- a/etc/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -31,7 +31,10 @@ whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/seahorse
 whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 #include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -58,3 +61,8 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
 writable-run-user
+
+dbus-user filter
+dbus-user.own org.gnome.seahorse.Application
+dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/seamonkey-bin.profile b/etc/profile-m-z/seamonkey-bin.profile
index 532294950..532294950 100644
--- a/etc/seamonkey-bin.profile
+++ b/etc/profile-m-z/seamonkey-bin.profile
diff --git a/etc/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index 807effbeb..807effbeb 100644
--- a/etc/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
diff --git a/etc/secret-tool.profile b/etc/profile-m-z/secret-tool.profile
index 70d9a5b1d..99ba11d30 100644
--- a/etc/secret-tool.profile
+++ b/etc/profile-m-z/secret-tool.profile
@@ -1,6 +1,7 @@
 # Firejail profile for secret-tool
 # Description: Library for storing and retrieving passwords and other secrets
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include secret-tool.local
 # Persistent global definitions
diff --git a/etc/server.profile b/etc/profile-m-z/server.profile
index ce318a828..5bc4735ae 100644
--- a/etc/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -1,4 +1,27 @@
-# Firejail profile for server
+# Generic Firejail profile for servers started as root
+#
+# This profile is used as a default when starting the sandbox as root.
+# Example:
+#
+#       $ sudo firejail
+#       [sudo] password for netblue:
+#       Reading profile /etc/firejail/server.profile
+#       Reading profile /etc/firejail/disable-common.inc
+#       Reading profile /etc/firejail/disable-passwdmgr.inc
+#       Reading profile /etc/firejail/disable-programs.inc
+#
+#       ** Note: you can use --noprofile to disable server.profile **
+#
+#       Parent pid 5347, child pid 5348
+#       The new log directory is /proc/5348/root/var/log
+#       Child process initialized in 64.43 ms
+#       root@debian:~#
+#
+# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
+# All the rules for regular user profiles apply with the exception of
+# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
+# by default for root user.
+
 # This file is overwritten after every install/update
 # Persistent local customizations
 include server.local
@@ -28,7 +51,6 @@ caps
 # ipc-namespace
 # netfilter /etc/firejail/webserver.net
 no3d
-# nodbus
 nodvd
 # nogroups
 # nonewprivs
@@ -49,4 +71,7 @@ private-dev
 # private-lib
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute
diff --git a/etc/sftp.profile b/etc/profile-m-z/sftp.profile
index 66dc2a57b..66dc2a57b 100644
--- a/etc/sftp.profile
+++ b/etc/profile-m-z/sftp.profile
diff --git a/etc/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index f8744bdf8..6cd70c2ea 100644
--- a/etc/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -8,6 +8,7 @@ include shellcheck.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
@@ -23,12 +24,12 @@ whitelist /usr/share/shellcheck
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,4 +48,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
new file mode 100644
index 000000000..ee2314833
--- /dev/null
+++ b/etc/profile-m-z/shortwave.profile
@@ -0,0 +1,50 @@
+# Firejail profile for shortwave
+# Description: Listen to internet radio
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shortwave.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Shortwave
+noblacklist ${HOME}/.local/share/Shortwave
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Shortwave
+mkdir ${HOME}/.local/share/Shortwave
+whitelist ${HOME}/.cache/Shortwave
+whitelist ${HOME}/.local/share/Shortwave
+whitelist /usr/share/shortwave
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin shortwave
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
diff --git a/etc/shotcut.profile b/etc/profile-m-z/shotcut.profile
index 072cc2c0d..bec0bfbb0 100644
--- a/etc/shotcut.profile
+++ b/etc/profile-m-z/shotcut.profile
@@ -19,7 +19,6 @@ include disable-programs.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +33,6 @@ tracelog
 #private-bin melt,nice,qmelt,shotcut
 private-cache
 private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index 6a2f5c434..6a2f5c434 100644
--- a/etc/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
diff --git a/etc/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index f810a37ec..b51a86e7d 100644
--- a/etc/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -9,6 +9,11 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Signal
 
+# These lines are needed to allow Firefox to open links
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -22,14 +27,20 @@ whitelist ${HOME}/.config/Signal
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
 notv
 nou2f
+novideo
 shell none
 
 disable-mnt
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
index cfc33d074..220035ee7 100644
--- a/etc/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -12,6 +12,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
diff --git a/etc/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 40fe8c566..17920677b 100644
--- a/etc/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -16,6 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/hplip
 whitelist /usr/share/simple-scan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile
index edcc2a0f4..edcc2a0f4 100644
--- a/etc/simplescreenrecorder.profile
+++ b/etc/profile-m-z/simplescreenrecorder.profile
diff --git a/etc/simutrans.profile b/etc/profile-m-z/simutrans.profile
index c6f5f70b0..1b81f2ea1 100644
--- a/etc/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.simutrans
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,10 +18,11 @@ include disable-programs.inc
 mkdir ${HOME}/.simutrans
 whitelist ${HOME}/.simutrans
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -35,3 +37,6 @@ shell none
 # private-bin simutrans
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 6f9bfd201..093a61398 100644
--- a/etc/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -17,7 +17,6 @@ include disable-xdg.inc
 
 caps.drop all
 netfilter
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -33,3 +32,6 @@ shell none
 # private-bin kbuildsycoca4,kdeinit4,skanlite
 # private-dev
 # private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index 341c25a95..341c25a95 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
diff --git a/etc/slack.profile b/etc/profile-m-z/slack.profile
index 54069f657..8ab3edd63 100644
--- a/etc/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -12,6 +12,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
@@ -19,16 +20,12 @@ whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-caps.drop all
+caps.keep sys_admin,sys_chroot
 netfilter
 nodvd
 nogroups
-nonewprivs
-noroot
 notv
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 
 disable-mnt
@@ -36,4 +33,3 @@ private-bin locale,slack
 private-cache
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
-private-tmp
diff --git a/etc/slashem.profile b/etc/profile-m-z/slashem.profile
index 8c84180d7..ca0516e65 100644
--- a/etc/slashem.profile
+++ b/etc/profile-m-z/slashem.profile
@@ -23,7 +23,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 #nonewprivs
@@ -42,4 +41,7 @@ private-dev
 private-tmp
 writable-var
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute
diff --git a/etc/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 395888c8a..3fb6fc349 100644
--- a/etc/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -23,6 +23,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/smplayer
@@ -32,7 +33,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-# nodbus - problems with KDE
 # nogroups
 nonewprivs
 noroot
@@ -45,3 +45,6 @@ private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl
 private-dev
 private-tmp
 
+# problems with KDE
+# dbus-user none
+# dbus-system none
diff --git a/etc/smtube.profile b/etc/profile-m-z/smtube.profile
index 98e0229ce..79bc02979 100644
--- a/etc/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -28,6 +28,7 @@ whitelist /usr/share/smtube
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/snox.profile b/etc/profile-m-z/snox.profile
index 3b3fd1ae1..3b3fd1ae1 100644
--- a/etc/snox.profile
+++ b/etc/profile-m-z/snox.profile
diff --git a/etc/soffice.profile b/etc/profile-m-z/soffice.profile
index 8348a57fe..8348a57fe 100644
--- a/etc/soffice.profile
+++ b/etc/profile-m-z/soffice.profile
diff --git a/etc/sol.profile b/etc/profile-m-z/sol.profile
index ea1620b31..44fb8cfe2 100644
--- a/etc/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -11,17 +11,18 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 # all necessary files in $HOME are in whitelist-common.inc
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none
 # no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,4 +41,7 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # memory-deny-write-execute
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
new file mode 100644
index 000000000..b9f3768be
--- /dev/null
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -0,0 +1,43 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sound-juicer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sound-juicer
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+# dbus-user none
+# dbus-system none
diff --git a/etc/soundconverter.profile b/etc/profile-m-z/soundconverter.profile
index bdd6eb7f5..bdd6eb7f5 100644
--- a/etc/soundconverter.profile
+++ b/etc/profile-m-z/soundconverter.profile
diff --git a/etc/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile
index e27df4cc8..a0b99abcf 100644
--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/profile-m-z/spectre-meltdown-checker.profile
@@ -31,7 +31,6 @@ caps.keep sys_rawio
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +48,7 @@ private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,ech
 private-cache
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/spotify.profile b/etc/profile-m-z/spotify.profile
index 59692f1d6..1a34cb86d 100644
--- a/etc/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -29,7 +29,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-#nodbus - dbus needed for MPRIS
 nodvd
 nogroups
 nonewprivs
@@ -50,3 +49,6 @@ private-opt spotify
 private-srv none
 private-tmp
 
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
diff --git a/etc/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index 94bb4d3f2..cdb20b4e0 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
@@ -24,7 +25,6 @@ apparmor
 caps.drop all
 ipc-namespace
 netfilter
-# nodbus - breaks proxy creation
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +43,8 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
 
+# breaks proxy creation
+# dbus-user none
+# dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index cf509852a..01b63d3ce 100644
--- a/etc/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -22,7 +22,6 @@ include whitelist-usr-share-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nonewprivs
 noroot
@@ -34,3 +33,6 @@ shell none
 tracelog
 
 writable-run-user
+
+dbus-user none
+dbus-system none
diff --git a/etc/ssh.profile b/etc/profile-m-z/ssh.profile
index 1551c3fb6..5d3458c29 100644
--- a/etc/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -12,19 +12,22 @@ noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
+noblacklist ${PATH}/ncat
 
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 ipc-namespace
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -43,4 +46,7 @@ private-dev
 # private-tmp # Breaks when exiting
 writable-run-user
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index a402aca5a..1292b806b 100644
--- a/etc/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -25,7 +25,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,3 +40,5 @@ private-dev
 private-tmp
 private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
 
+dbus-user none
+dbus-system none
diff --git a/etc/start-tor-browser.desktop.profile b/etc/profile-m-z/start-tor-browser.desktop.profile
index 2f73c9fee..2f73c9fee 100644
--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
diff --git a/etc/start-tor-browser.profile b/etc/profile-m-z/start-tor-browser.profile
index f9daf8f09..b62b19101 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/profile-m-z/start-tor-browser.profile
@@ -19,7 +19,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,3 +37,6 @@ private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/steam-native.profile b/etc/profile-m-z/steam-native.profile
index 47608ad28..47608ad28 100644
--- a/etc/steam-native.profile
+++ b/etc/profile-m-z/steam-native.profile
diff --git a/etc/profile-m-z/steam-runtime.profile b/etc/profile-m-z/steam-runtime.profile
new file mode 100644
index 000000000..47608ad28
--- /dev/null
+++ b/etc/profile-m-z/steam-runtime.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for steam
+# This file is overwritten after every install/update
+
+# Redirect
+include steam.profile
diff --git a/etc/steam.profile b/etc/profile-m-z/steam.profile
index bc90af837..7292f189c 100644
--- a/etc/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -10,12 +10,17 @@ noblacklist ${HOME}/.killingfloor
 noblacklist ${HOME}/.local/share/3909/PapersPlease
 noblacklist ${HOME}/.local/share/aspyr-media
 noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/FasterThanLight
 noblacklist ${HOME}/.local/share/feral-interactive
+noblacklist ${HOME}/.local/share/IntoTheBreach
+noblacklist ${HOME}/.local/share/Paradox Interactive
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/SuperHexagon
 noblacklist ${HOME}/.local/share/Terraria
 noblacklist ${HOME}/.local/share/vpltd
 noblacklist ${HOME}/.local/share/vulkan
+noblacklist ${HOME}/.mbwarband
+noblacklist ${HOME}/.paradoxinteractive
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -27,8 +32,8 @@ noblacklist /usr/sbin
 include allow-java.inc
 
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -36,16 +41,52 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.config/unity3d
+mkdir ${HOME}/.killingfloor
+mkdir ${HOME}/.local/share/3909/PapersPlease
+mkdir ${HOME}/.local/share/aspyr-media
+mkdir ${HOME}/.local/share/cdprojektred
+mkdir ${HOME}/.local/share/FasterThanLight
+mkdir ${HOME}/.local/share/feral-interactive
+mkdir ${HOME}/.local/share/IntoTheBreach
+mkdir ${HOME}/.local/share/Paradox Interactive
+mkdir ${HOME}/.local/share/Steam
+mkdir ${HOME}/.local/share/SuperHexagon
+mkdir ${HOME}/.local/share/Terraria
+mkdir ${HOME}/.local/share/vpltd
+mkdir ${HOME}/.local/share/vulkan
+mkdir ${HOME}/.mbwarband
+mkdir ${HOME}/.paradoxinteractive
+mkdir ${HOME}/.steam
+mkfile ${HOME}/.steampath
+mkfile ${HOME}/.steampid
+whitelist ${HOME}/.config/unity3d
+whitelist ${HOME}/.killingfloor
+whitelist ${HOME}/.local/share/3909/PapersPlease
+whitelist ${HOME}/.local/share/aspyr-media
+whitelist ${HOME}/.local/share/cdprojektred
+whitelist ${HOME}/.local/share/FasterThanLight
+whitelist ${HOME}/.local/share/feral-interactive
+whitelist ${HOME}/.local/share/IntoTheBreach
+whitelist ${HOME}/.local/share/Paradox Interactive
+whitelist ${HOME}/.local/share/Steam
+whitelist ${HOME}/.local/share/SuperHexagon
+whitelist ${HOME}/.local/share/Terraria
+whitelist ${HOME}/.local/share/vpltd
+whitelist ${HOME}/.local/share/vulkan
+whitelist ${HOME}/.mbwarband
+whitelist ${HOME}/.paradoxinteractive
+whitelist ${HOME}/.steam
+whitelist ${HOME}/.steampath
+whitelist ${HOME}/.steampid
+include whitelist-common.inc
 include whitelist-var-common.inc
 
-# allow-debuggers needed for running some games with proton
-allow-debuggers
 caps.drop all
 #ipc-namespace
 netfilter
-# nodbus disabled as it breaks appindicator support
-#nodbus
 nodvd
+# nVidia users may need to comment / ignore nogroups and noroot
 nogroups
 nonewprivs
 noroot
@@ -54,11 +95,11 @@ nou2f
 # novideo should be commented for VR
 novideo
 protocol unix,inet,inet6,netlink
-# seccomp cause sometimes issues (see #2860, #2951),
+# seccomp sometimes causes issues (see #2951, #3267),
 # comment it or add 'ignore seccomp' to steam.local if so.
-seccomp
+seccomp !ptrace
 shell none
-# tracelog disabled as it breaks integrated browser
+# tracelog breaks integrated browser
 #tracelog
 
 # private-bin is disabled while in testing, but has been tested working with multiple games
@@ -71,5 +112,9 @@ shell none
 # private-dev should be commented for controllers
 private-dev
 # private-etc breaks a small selection of games on some systems, comment to support those
-private-etc alternatives,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
+private-etc alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl
 private-tmp
+
+# breaks appindicator support
+# dbus-user none
+# dbus-system none
diff --git a/etc/stellarium.profile b/etc/profile-m-z/stellarium.profile
index d6df2e0ad..3f93fe591 100644
--- a/etc/stellarium.profile
+++ b/etc/profile-m-z/stellarium.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/stellarium
 mkdir ${HOME}/.stellarium
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
new file mode 100644
index 000000000..cd36c0d41
--- /dev/null
+++ b/etc/profile-m-z/strawberry.profile
@@ -0,0 +1,49 @@
+# Firejail profile for strawberry
+# Description: A music player and music collection organizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include strawberry.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/strawberry
+noblacklist ${HOME}/.config/strawberry
+noblacklist ${HOME}/.local/share/strawberry
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc 
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+# blacklisting of ioprio_set system calls breaks strawberry
+seccomp !ioprio_set
+shell none
+tracelog
+
+disable-mnt
+private-bin strawberry,strawberry-tagreader
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-system none
diff --git a/etc/strings.profile b/etc/profile-m-z/strings.profile
index 7dc453b1f..426b2dc1c 100644
--- a/etc/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 #include disable-common.inc
 include disable-devel.inc
@@ -15,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 #include disable-programs.inc
+include disable-shell.inc
 #include disable-xdg.inc
 
 #include whitelist-usr-share-common.inc
@@ -26,7 +28,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,5 +50,8 @@ private-dev
 #private-lib libfakeroot
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 read-only ${HOME}
diff --git a/etc/studio.sh.profile b/etc/profile-m-z/studio.sh.profile
index 79e879f36..79e879f36 100644
--- a/etc/studio.sh.profile
+++ b/etc/profile-m-z/studio.sh.profile
diff --git a/etc/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index f6165f139..428af3737 100644
--- a/etc/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +47,7 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 4c64ee766..ceaae8fbf 100644
--- a/etc/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -10,18 +10,23 @@ noblacklist ${HOME}/.local/share/supertux2
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/supertux2
 whitelist ${HOME}/.local/share/supertux2
+whitelist /usr/share/supertux2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -32,8 +37,12 @@ novideo
 protocol unix,netlink
 seccomp
 shell none
+tracelog
 
 disable-mnt
 # private-bin supertux2
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 2975a61ed..ce69c8b4b 100644
--- a/etc/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -13,10 +13,11 @@ noblacklist ${HOME}/.local/share/supertuxkart
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
-include disable-interpreters.inc
 
 mkdir ${HOME}/.config/supertuxkart
 mkdir ${HOME}/.cache/supertuxkart
@@ -32,7 +33,6 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -54,3 +54,5 @@ private-tmp
 private-opt none
 private-srv none
 
+dbus-user none
+dbus-system none
diff --git a/etc/surf.profile b/etc/profile-m-z/surf.profile
index d4c6d9afc..5ad82601d 100644
--- a/etc/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -34,6 +34,6 @@ tracelog
 disable-mnt
 private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
new file mode 100644
index 000000000..68abd8c94
--- /dev/null
+++ b/etc/profile-m-z/sushi.profile
@@ -0,0 +1,48 @@
+# Firejail profile for sushi
+# Description: A quick previewer for Nautilus
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sushi.local
+# Persistent global definitions
+include globals.local
+
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gjs,sushi
+private-dev
+private-tmp
+
+dbus-system none
+
+read-only /
+read-only /mnt
+read-only /media
+read-only /run/mount
+read-only /run/media
+read-only ${HOME}
diff --git a/etc/profile-m-z/swell-foop.profile b/etc/profile-m-z/swell-foop.profile
new file mode 100644
index 000000000..9efae815d
--- /dev/null
+++ b/etc/profile-m-z/swell-foop.profile
@@ -0,0 +1,21 @@
+# Firejail profile for swell-foop
+# Description: GNOME colored tiles puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include swell-foop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/swell-foop
+
+mkdir ${HOME}/.local/share/swell-foop
+whitelist ${HOME}/.local/share/swell-foop
+
+whitelist /usr/share/swell-foop
+
+private-bin swell-foop
+
+dbus-user.own org.gnome.SwellFoop
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 4344fe73a..4344fe73a 100644
--- a/etc/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
diff --git a/etc/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile
index 30b0ad762..a83080cc3 100644
--- a/etc/synfigstudio.profile
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -18,7 +18,6 @@ include disable-programs.inc
 
 caps.drop all
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +35,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/sysprof-cli.profile b/etc/profile-m-z/sysprof-cli.profile
index 935c7e9ca..8f4de130b 100644
--- a/etc/sysprof-cli.profile
+++ b/etc/profile-m-z/sysprof-cli.profile
@@ -7,12 +7,13 @@ include sysprof-cli.local
 # added by included profile
 #include globals.local
 
-nodbus
-
 # There is no GUI help menu to break in the CLI version
 private-bin sysprof-cli
 private-lib
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
 
 # Redirect
diff --git a/etc/sysprof.profile b/etc/profile-m-z/sysprof.profile
index 9761629d2..ad3346285 100644
--- a/etc/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -23,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +45,8 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 # memory-deny-write-execute - Breaks GUI on Arch
diff --git a/etc/tar.profile b/etc/profile-m-z/tar.profile
index 0858dcb26..3a7405305 100644
--- a/etc/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -26,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +49,7 @@ private-lib libfakeroot
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/tb-starter-wrapper.profile b/etc/profile-m-z/tb-starter-wrapper.profile
index ffe9605b6..ffe9605b6 100644
--- a/etc/tb-starter-wrapper.profile
+++ b/etc/profile-m-z/tb-starter-wrapper.profile
diff --git a/etc/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index 3c46dfdcb..881fbf49e 100644
--- a/etc/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 include whitelist-common.inc
 
+apparmor
 caps.keep net_raw
 ipc-namespace
 #net tun0
diff --git a/etc/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index 882d8d0f3..a13c92bc3 100644
--- a/etc/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -7,7 +7,8 @@ include teams-for-linux.local
 # added by included profile
 #include globals.local
 
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 
 noblacklist ${HOME}/.config/teams-for-linux
 
diff --git a/etc/teams.profile b/etc/profile-m-z/teams.profile
index 8b60a941e..bd7faa80a 100644
--- a/etc/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -1,14 +1,17 @@
 # Firejail profile for teams
 # Description: Official Microsoft Teams client for Linux using Electron.
 # This file is overwritten after every install/update
-# Known issues:
-#  * if Teams crashes on startup try using "ignore apparmor" in your local config
 # Persistent local customizations
 include teams.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
 
+# see #3404
+ignore apparmor
+ignore dbus-user none
+ignore dbus-system none
+
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
 
@@ -30,7 +33,6 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-tmp
 
 # Redirect
 include electron.profile
diff --git a/etc/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index c1c666f58..c1c666f58 100644
--- a/etc/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
diff --git a/etc/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index 782f337d3..c0d62bec2 100644
--- a/etc/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.teeworlds
@@ -24,7 +25,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-bin teeworlds
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
index 0cfa7114b..0cfa7114b 100644
--- a/etc/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
diff --git a/etc/telegram.profile b/etc/profile-m-z/telegram.profile
index e3af5600a..8e0741458 100644
--- a/etc/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -25,5 +25,5 @@ seccomp
 
 disable-mnt
 private-cache
+private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
-
diff --git a/etc/terasology.profile b/etc/profile-m-z/terasology.profile
index 9a8426435..36ce6d469 100644
--- a/etc/terasology.profile
+++ b/etc/profile-m-z/terasology.profile
@@ -28,8 +28,6 @@ include whitelist-common.inc
 caps.drop all
 ipc-namespace
 net none
-netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +43,6 @@ disable-mnt
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-7-openjdk,java-8-openjdk,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/tex.profile b/etc/profile-m-z/tex.profile
index f56c3038e..f56c3038e 100644
--- a/etc/tex.profile
+++ b/etc/profile-m-z/tex.profile
diff --git a/etc/textmaker18.profile b/etc/profile-m-z/textmaker18.profile
index 8284df791..d28947394 100644
--- a/etc/textmaker18.profile
+++ b/etc/profile-m-z/textmaker18.profile
@@ -7,4 +7,5 @@ include textmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+
diff --git a/etc/textmaker18free.profile b/etc/profile-m-z/textmaker18free.profile
index ad945ca55..7b4fd5b08 100644
--- a/etc/textmaker18free.profile
+++ b/etc/profile-m-z/textmaker18free.profile
@@ -7,4 +7,5 @@ include textmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+
diff --git a/etc/thunar.profile b/etc/profile-m-z/thunar.profile
index 19993016a..19993016a 100644
--- a/etc/thunar.profile
+++ b/etc/profile-m-z/thunar.profile
diff --git a/etc/thunderbird-beta.profile b/etc/profile-m-z/thunderbird-beta.profile
index 6450e40d6..6450e40d6 100644
--- a/etc/thunderbird-beta.profile
+++ b/etc/profile-m-z/thunderbird-beta.profile
diff --git a/etc/thunderbird-wayland.profile b/etc/profile-m-z/thunderbird-wayland.profile
index 9fbb80d29..9fbb80d29 100644
--- a/etc/thunderbird-wayland.profile
+++ b/etc/profile-m-z/thunderbird-wayland.profile
diff --git a/etc/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 6e888c163..6e4bb50d4 100644
--- a/etc/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -7,22 +7,22 @@ include thunderbird.local
 include globals.local
 
 # writable-run-user and dbus are needed by enigmail
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 writable-run-user
 
-# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
+# If you want to read local mail stored in /var/mail edit /etc/apparmor.d/firejail-default accordingly
+# and add the following to thunderbird.local:
 #noblacklist /var/mail
 #noblacklist /var/spool/mail
 #whitelist /var/mail
 #whitelist /var/spool/mail
 #writable-var
 
-# Uncomment the next 4 lines or put them in your thunderbird.local to
-# allow Firefox to load your profile when clicking a link in an email
-#noblacklist ${HOME}/.cache/mozilla
-#noblacklist ${HOME}/.mozilla
-#whitelist ${HOME}/.cache/mozilla/firefox
-#whitelist ${HOME}/.mozilla
+# These lines are needed to allow Firefox to load your profile when clicking a link in an email
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg
@@ -47,6 +47,7 @@ whitelist ${HOME}/.thunderbird
 
 whitelist /usr/share/gnupg
 whitelist /usr/share/mozilla
+whitelist /usr/share/thunderbird
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
 
diff --git a/etc/tilp.profile b/etc/profile-m-z/tilp.profile
index 4d38d5184..dd4a372c4 100644
--- a/etc/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 net none
diff --git a/etc/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile
index 612b2d01b..612b2d01b 100644
--- a/etc/tor-browser-ar.profile
+++ b/etc/profile-m-z/tor-browser-ar.profile
diff --git a/etc/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile
index db70a7109..db70a7109 100644
--- a/etc/tor-browser-ca.profile
+++ b/etc/profile-m-z/tor-browser-ca.profile
diff --git a/etc/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile
index 77b271b68..77b271b68 100644
--- a/etc/tor-browser-cs.profile
+++ b/etc/profile-m-z/tor-browser-cs.profile
diff --git a/etc/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile
index 3b9fff9a4..3b9fff9a4 100644
--- a/etc/tor-browser-da.profile
+++ b/etc/profile-m-z/tor-browser-da.profile
diff --git a/etc/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile
index 3b4f7f94f..3b4f7f94f 100644
--- a/etc/tor-browser-de.profile
+++ b/etc/profile-m-z/tor-browser-de.profile
diff --git a/etc/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile
index b978b6042..b978b6042 100644
--- a/etc/tor-browser-el.profile
+++ b/etc/profile-m-z/tor-browser-el.profile
diff --git a/etc/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile
index db56dda1b..db56dda1b 100644
--- a/etc/tor-browser-en-us.profile
+++ b/etc/profile-m-z/tor-browser-en-us.profile
diff --git a/etc/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile
index ad4110c0e..ad4110c0e 100644
--- a/etc/tor-browser-en.profile
+++ b/etc/profile-m-z/tor-browser-en.profile
diff --git a/etc/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile
index 1aa586658..1aa586658 100644
--- a/etc/tor-browser-es-es.profile
+++ b/etc/profile-m-z/tor-browser-es-es.profile
diff --git a/etc/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile
index a386e3387..a386e3387 100644
--- a/etc/tor-browser-es.profile
+++ b/etc/profile-m-z/tor-browser-es.profile
diff --git a/etc/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile
index 7f847a7c2..7f847a7c2 100644
--- a/etc/tor-browser-fa.profile
+++ b/etc/profile-m-z/tor-browser-fa.profile
diff --git a/etc/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile
index bce470ec8..bce470ec8 100644
--- a/etc/tor-browser-fr.profile
+++ b/etc/profile-m-z/tor-browser-fr.profile
diff --git a/etc/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile
index 994897a87..994897a87 100644
--- a/etc/tor-browser-ga-ie.profile
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
diff --git a/etc/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile
index 6367b4c0a..6367b4c0a 100644
--- a/etc/tor-browser-he.profile
+++ b/etc/profile-m-z/tor-browser-he.profile
diff --git a/etc/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile
index 68e79833e..68e79833e 100644
--- a/etc/tor-browser-hu.profile
+++ b/etc/profile-m-z/tor-browser-hu.profile
diff --git a/etc/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile
index 85b455ba2..85b455ba2 100644
--- a/etc/tor-browser-id.profile
+++ b/etc/profile-m-z/tor-browser-id.profile
diff --git a/etc/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile
index 48e88db71..48e88db71 100644
--- a/etc/tor-browser-is.profile
+++ b/etc/profile-m-z/tor-browser-is.profile
diff --git a/etc/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile
index 3c239ca29..3c239ca29 100644
--- a/etc/tor-browser-it.profile
+++ b/etc/profile-m-z/tor-browser-it.profile
diff --git a/etc/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile
index c52e0f64e..c52e0f64e 100644
--- a/etc/tor-browser-ja.profile
+++ b/etc/profile-m-z/tor-browser-ja.profile
diff --git a/etc/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile
index 173b85e5c..173b85e5c 100644
--- a/etc/tor-browser-ka.profile
+++ b/etc/profile-m-z/tor-browser-ka.profile
diff --git a/etc/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile
index 8faa5afa1..8faa5afa1 100644
--- a/etc/tor-browser-ko.profile
+++ b/etc/profile-m-z/tor-browser-ko.profile
diff --git a/etc/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile
index d1352dd80..d1352dd80 100644
--- a/etc/tor-browser-nb.profile
+++ b/etc/profile-m-z/tor-browser-nb.profile
diff --git a/etc/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile
index d4443cca2..d4443cca2 100644
--- a/etc/tor-browser-nl.profile
+++ b/etc/profile-m-z/tor-browser-nl.profile
diff --git a/etc/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile
index 08ddd4ae7..08ddd4ae7 100644
--- a/etc/tor-browser-pl.profile
+++ b/etc/profile-m-z/tor-browser-pl.profile
diff --git a/etc/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile
index 9942a3fe8..9942a3fe8 100644
--- a/etc/tor-browser-pt-br.profile
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
diff --git a/etc/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile
index 6294f8ca0..6294f8ca0 100644
--- a/etc/tor-browser-ru.profile
+++ b/etc/profile-m-z/tor-browser-ru.profile
diff --git a/etc/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile
index c8544262f..c8544262f 100644
--- a/etc/tor-browser-sv-se.profile
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
diff --git a/etc/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile
index 2343fa8de..2343fa8de 100644
--- a/etc/tor-browser-tr.profile
+++ b/etc/profile-m-z/tor-browser-tr.profile
diff --git a/etc/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile
index 734c38698..734c38698 100644
--- a/etc/tor-browser-vi.profile
+++ b/etc/profile-m-z/tor-browser-vi.profile
diff --git a/etc/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile
index 21e813e45..21e813e45 100644
--- a/etc/tor-browser-zh-cn.profile
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
diff --git a/etc/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile
index 6fe09c6c1..6fe09c6c1 100644
--- a/etc/tor-browser-zh-tw.profile
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
diff --git a/etc/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
index 0cd84abf5..0cd84abf5 100644
--- a/etc/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
diff --git a/etc/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile
index 1e1f5ce35..1e1f5ce35 100644
--- a/etc/tor-browser_ar.profile
+++ b/etc/profile-m-z/tor-browser_ar.profile
diff --git a/etc/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile
index e114b6051..e114b6051 100644
--- a/etc/tor-browser_ca.profile
+++ b/etc/profile-m-z/tor-browser_ca.profile
diff --git a/etc/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile
index 498068bc6..498068bc6 100644
--- a/etc/tor-browser_cs.profile
+++ b/etc/profile-m-z/tor-browser_cs.profile
diff --git a/etc/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile
index 5c25c03c8..5c25c03c8 100644
--- a/etc/tor-browser_da.profile
+++ b/etc/profile-m-z/tor-browser_da.profile
diff --git a/etc/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile
index d530e7dbe..d530e7dbe 100644
--- a/etc/tor-browser_de.profile
+++ b/etc/profile-m-z/tor-browser_de.profile
diff --git a/etc/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile
index 67d5ab440..67d5ab440 100644
--- a/etc/tor-browser_el.profile
+++ b/etc/profile-m-z/tor-browser_el.profile
diff --git a/etc/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile
index b298ab2b8..b298ab2b8 100644
--- a/etc/tor-browser_en-US.profile
+++ b/etc/profile-m-z/tor-browser_en-US.profile
diff --git a/etc/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile
index 6bb0616b1..6bb0616b1 100644
--- a/etc/tor-browser_en.profile
+++ b/etc/profile-m-z/tor-browser_en.profile
diff --git a/etc/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile
index 78f57ffe5..78f57ffe5 100644
--- a/etc/tor-browser_es-ES.profile
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
diff --git a/etc/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile
index ea34a07c9..ea34a07c9 100644
--- a/etc/tor-browser_es.profile
+++ b/etc/profile-m-z/tor-browser_es.profile
diff --git a/etc/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile
index fbc416ce5..fbc416ce5 100644
--- a/etc/tor-browser_fa.profile
+++ b/etc/profile-m-z/tor-browser_fa.profile
diff --git a/etc/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile
index caea6db5b..caea6db5b 100644
--- a/etc/tor-browser_fr.profile
+++ b/etc/profile-m-z/tor-browser_fr.profile
diff --git a/etc/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile
index 6342daebf..6342daebf 100644
--- a/etc/tor-browser_ga-IE.profile
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
diff --git a/etc/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile
index cc4150620..cc4150620 100644
--- a/etc/tor-browser_he.profile
+++ b/etc/profile-m-z/tor-browser_he.profile
diff --git a/etc/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile
index 952a0b68a..952a0b68a 100644
--- a/etc/tor-browser_hu.profile
+++ b/etc/profile-m-z/tor-browser_hu.profile
diff --git a/etc/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile
index a006b27c0..a006b27c0 100644
--- a/etc/tor-browser_id.profile
+++ b/etc/profile-m-z/tor-browser_id.profile
diff --git a/etc/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile
index 038e0fabb..038e0fabb 100644
--- a/etc/tor-browser_is.profile
+++ b/etc/profile-m-z/tor-browser_is.profile
diff --git a/etc/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile
index 3d2566994..3d2566994 100644
--- a/etc/tor-browser_it.profile
+++ b/etc/profile-m-z/tor-browser_it.profile
diff --git a/etc/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile
index 08c942bcd..08c942bcd 100644
--- a/etc/tor-browser_ja.profile
+++ b/etc/profile-m-z/tor-browser_ja.profile
diff --git a/etc/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile
index 97664be4d..97664be4d 100644
--- a/etc/tor-browser_ka.profile
+++ b/etc/profile-m-z/tor-browser_ka.profile
diff --git a/etc/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile
index 98cf1e3e1..98cf1e3e1 100644
--- a/etc/tor-browser_ko.profile
+++ b/etc/profile-m-z/tor-browser_ko.profile
diff --git a/etc/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile
index 6df840573..6df840573 100644
--- a/etc/tor-browser_nb.profile
+++ b/etc/profile-m-z/tor-browser_nb.profile
diff --git a/etc/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile
index 3f545f888..3f545f888 100644
--- a/etc/tor-browser_nl.profile
+++ b/etc/profile-m-z/tor-browser_nl.profile
diff --git a/etc/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile
index 4e04dc027..4e04dc027 100644
--- a/etc/tor-browser_pl.profile
+++ b/etc/profile-m-z/tor-browser_pl.profile
diff --git a/etc/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile
index 7f864886c..7f864886c 100644
--- a/etc/tor-browser_pt-BR.profile
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
diff --git a/etc/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile
index 2fae6fbe7..2fae6fbe7 100644
--- a/etc/tor-browser_ru.profile
+++ b/etc/profile-m-z/tor-browser_ru.profile
diff --git a/etc/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile
index 2157f8d2b..2157f8d2b 100644
--- a/etc/tor-browser_sv-SE.profile
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
diff --git a/etc/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile
index 20ac246ca..20ac246ca 100644
--- a/etc/tor-browser_tr.profile
+++ b/etc/profile-m-z/tor-browser_tr.profile
diff --git a/etc/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile
index 4faa06ff6..4faa06ff6 100644
--- a/etc/tor-browser_vi.profile
+++ b/etc/profile-m-z/tor-browser_vi.profile
diff --git a/etc/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile
index e4d8215e6..e4d8215e6 100644
--- a/etc/tor-browser_zh-CN.profile
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
diff --git a/etc/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile
index 8a28015a6..8a28015a6 100644
--- a/etc/tor-browser_zh-TW.profile
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
diff --git a/etc/tor.profile b/etc/profile-m-z/tor.profile
index 13d071635..13d071635 100644
--- a/etc/tor.profile
+++ b/etc/profile-m-z/tor.profile
diff --git a/etc/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 72bdf9fa1..6bcc51f4d 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -12,8 +12,8 @@ noblacklist ${HOME}/.config/torbrowser
 noblacklist ${HOME}/.local/share/torbrowser
 
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -33,7 +33,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -52,3 +51,6 @@ private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/torcs.profile b/etc/profile-m-z/torcs.profile
index d9c59b276..1ed78934e 100644
--- a/etc/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -18,13 +18,15 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.torcs
 whitelist ${HOME}/.torcs
+whitelist /usr/share/games/torcs
+whitelist /var/games/torcs
 include whitelist-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,6 +40,10 @@ shell none
 tracelog
 
 disable-mnt
+private-bin bash,chmod,cp,mkdir,rm,torcs
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/totem.profile b/etc/profile-m-z/totem.profile
index 5b74709e3..b8f4ca765 100644
--- a/etc/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -9,9 +9,13 @@ include globals.local
 # Allow lua (required for youtube video)
 include allow-lua.inc
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
 noblacklist ${HOME}/.config/totem
 noblacklist ${HOME}/.local/share/totem
 noblacklist ${MUSIC}
+noblacklist ${PICTURES}
 noblacklist ${VIDEOS}
 
 include disable-common.inc
@@ -20,6 +24,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
@@ -27,7 +32,6 @@ include whitelist-var-common.inc
 # apparmor - makes settings immutable
 caps.drop all
 netfilter
-# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
@@ -35,6 +39,7 @@ nou2f
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 private-bin totem
 # totem needs access to ~/.cache/tracker or it exits
@@ -43,3 +48,6 @@ private-dev
 # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/tracker.profile b/etc/profile-m-z/tracker.profile
index d47185b1d..87c5de076 100644
--- a/etc/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -16,6 +16,9 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+
+include whitelist-runuser-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/transgui.profile b/etc/profile-m-z/transgui.profile
index 567e2ab30..c31055cdc 100644
--- a/etc/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/transgui
@@ -28,7 +29,6 @@ caps.drop all
 ipc-namespace
 machine-id
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,4 +49,7 @@ private-etc alternatives,fonts
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
index 486be5fe6..486be5fe6 100644
--- a/etc/transmission-cli.profile
+++ b/etc/profile-m-z/transmission-cli.profile
diff --git a/etc/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index b9f49c4a4..9d2e8e990 100644
--- a/etc/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -30,7 +30,6 @@ apparmor
 caps.drop all
 machine-id
 netfilter
-nodbus
 nodvd
 nonewprivs
 noroot
@@ -48,4 +47,7 @@ private-dev
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/transmission-create.profile b/etc/profile-m-z/transmission-create.profile
index 8220b7887..8220b7887 100644
--- a/etc/transmission-create.profile
+++ b/etc/profile-m-z/transmission-create.profile
diff --git a/etc/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 1841b8ed0..363c685e0 100644
--- a/etc/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -7,6 +7,8 @@ include transmission-daemon.local
 # Persistent global definitions
 include globals.local
 
+ignore caps.drop all
+
 mkdir ${HOME}/.config/transmission-daemon
 whitelist ${HOME}/.config/transmission-daemon
 whitelist /var/lib/transmission
diff --git a/etc/transmission-edit.profile b/etc/profile-m-z/transmission-edit.profile
index df381b5cd..df381b5cd 100644
--- a/etc/transmission-edit.profile
+++ b/etc/profile-m-z/transmission-edit.profile
diff --git a/etc/transmission-gtk.profile b/etc/profile-m-z/transmission-gtk.profile
index 01bdeb4ef..03111ec56 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/profile-m-z/transmission-gtk.profile
@@ -7,7 +7,10 @@ include transmission-gtk.local
 # Persistent global definitions
 include globals.local
 
+include whitelist-runuser-common.inc
+
 private-bin transmission-gtk
+private-cache
 
 ignore memory-deny-write-execute
 
diff --git a/etc/transmission-qt.profile b/etc/profile-m-z/transmission-qt.profile
index 94f3c3a20..94f3c3a20 100644
--- a/etc/transmission-qt.profile
+++ b/etc/profile-m-z/transmission-qt.profile
diff --git a/etc/transmission-remote-cli.profile b/etc/profile-m-z/transmission-remote-cli.profile
index 8b3a966c1..7b9285e66 100644
--- a/etc/transmission-remote-cli.profile
+++ b/etc/profile-m-z/transmission-remote-cli.profile
@@ -8,8 +8,8 @@ include transmission-remote-cli.local
 include globals.local
 
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
+include allow-python2.inc
+include allow-python3.inc
 
 private-bin python*,transmission-remote-cli
 
diff --git a/etc/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index a6400e2c0..a6400e2c0 100644
--- a/etc/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
diff --git a/etc/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
index fee4999e6..fee4999e6 100644
--- a/etc/transmission-remote.profile
+++ b/etc/profile-m-z/transmission-remote.profile
diff --git a/etc/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
index 5a3c83f58..5a3c83f58 100644
--- a/etc/transmission-show.profile
+++ b/etc/profile-m-z/transmission-show.profile
diff --git a/etc/tremulous.profile b/etc/profile-m-z/tremulous.profile
index e148298ae..67463a999 100644
--- a/etc/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -14,17 +14,20 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.tremulous
 whitelist ${HOME}/.tremulous
+whitelist /usr/share/tremulous
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +45,6 @@ private-bin tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/truecraft.profile b/etc/profile-m-z/truecraft.profile
index e76d52219..e76d52219 100644
--- a/etc/truecraft.profile
+++ b/etc/profile-m-z/truecraft.profile
diff --git a/etc/profile-m-z/ts3client_runscript.sh.profile b/etc/profile-m-z/ts3client_runscript.sh.profile
new file mode 100644
index 000000000..8d4675454
--- /dev/null
+++ b/etc/profile-m-z/ts3client_runscript.sh.profile
@@ -0,0 +1,19 @@
+# Firejail profile alias for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ts3client_runscript.sh.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/TeamSpeak3-Client-linux_x86
+noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+whitelist ${HOME}/TeamSpeak3-Client-linux_x86
+whitelist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+# Redirect
+include teamspeak3.profile
diff --git a/etc/tshark.profile b/etc/profile-m-z/tshark.profile
index 22ced5d8a..684a9491d 100644
--- a/etc/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -16,9 +16,11 @@ include disable-xdg.inc
 
 whitelist /usr/share/wireshark
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 #caps.keep net_raw
 caps.keep dac_override,net_admin,net_raw
 ipc-namespace
diff --git a/etc/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index ae868a022..d2b13d9ee 100644
--- a/etc/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -15,6 +15,7 @@ include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,6 +23,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index 6e028b086..d3dcbfe53 100644
--- a/etc/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -32,7 +32,6 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -49,3 +48,6 @@ disable-mnt
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/udiskie.profile b/etc/profile-m-z/udiskie.profile
index 265f6429d..265f6429d 100644
--- a/etc/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
diff --git a/etc/uefitool.profile b/etc/profile-m-z/uefitool.profile
index 8ab0e9a26..8807b0b2c 100644
--- a/etc/uefitool.profile
+++ b/etc/profile-m-z/uefitool.profile
@@ -19,7 +19,6 @@ caps.drop all
 ipc-namespace
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,3 +35,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile
index 8a2e83a1a..c8f28444f 100644
--- a/etc/uget-gtk.profile
+++ b/etc/profile-m-z/uget-gtk.profile
@@ -11,6 +11,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.config/uGet
 whitelist ${DOWNLOADS}
diff --git a/etc/unbound.profile b/etc/profile-m-z/unbound.profile
index 36533a762..714a3f2f4 100644
--- a/etc/unbound.profile
+++ b/etc/profile-m-z/unbound.profile
@@ -30,7 +30,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nonewprivs
 nosound
@@ -46,5 +45,8 @@ private-dev
 private-tmp
 writable-var
 
+dbus-user none
+dbus-system none
+
 # mdwe can break modules/plugins
 memory-deny-write-execute
diff --git a/etc/uncompress.profile b/etc/profile-m-z/uncompress.profile
index f659d8e87..f659d8e87 100644
--- a/etc/uncompress.profile
+++ b/etc/profile-m-z/uncompress.profile
diff --git a/etc/unf.profile b/etc/profile-m-z/unf.profile
index b8eccf4dc..bcd256ba3 100644
--- a/etc/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
@@ -29,7 +30,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -53,4 +53,7 @@ private-etc alternatives
 private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 7223ea2e1..7dc13e284 100644
--- a/etc/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -9,13 +9,19 @@ include globals.local
 noblacklist ${HOME}/.unknown-horizons
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.unknown-horizons
 whitelist ${HOME}/.unknown-horizons
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/unknown-horizons
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 nodvd
 nogroups
@@ -28,7 +34,11 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
+disable-mnt
 # private-bin unknown-horizons
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
+
+# doesn't work - maybe all Tcl/Tk programs have this problem
+# memory-deny-write-execute
diff --git a/etc/unlzma.profile b/etc/profile-m-z/unlzma.profile
index f7410b928..d9c72407f 100644
--- a/etc/unlzma.profile
+++ b/etc/profile-m-z/unlzma.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/unrar.profile b/etc/profile-m-z/unrar.profile
index bf28746b0..e07a6fc93 100644
--- a/etc/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 hostname unrar
@@ -22,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -41,3 +41,6 @@ private-bin unrar
 private-dev
 private-etc alternatives,group,localtime,passwd
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/unxz.profile b/etc/profile-m-z/unxz.profile
index f7410b928..d9c72407f 100644
--- a/etc/unxz.profile
+++ b/etc/profile-m-z/unxz.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/unzip.profile b/etc/profile-m-z/unzip.profile
index 7882f2b63..e08511c12 100644
--- a/etc/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 caps.drop all
 hostname unzip
@@ -25,7 +26,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -43,3 +43,6 @@ x11 none
 private-bin unzip
 private-dev
 private-etc alternatives,group,localtime,passwd
+
+dbus-user none
+dbus-system none
diff --git a/etc/unzstd.profile b/etc/profile-m-z/unzstd.profile
index ce9af3286..ce9af3286 100644
--- a/etc/unzstd.profile
+++ b/etc/profile-m-z/unzstd.profile
diff --git a/etc/utox.profile b/etc/profile-m-z/utox.profile
index 9877ea889..cd4374004 100644
--- a/etc/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/tox
diff --git a/etc/uudeview.profile b/etc/profile-m-z/uudeview.profile
index bd2ee01d5..f60c134e0 100644
--- a/etc/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -15,6 +15,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-usr-share-common.inc
 
@@ -23,7 +24,6 @@ hostname uudeview
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -42,3 +42,6 @@ private-bin uudeview
 private-cache
 private-dev
 private-etc alternatives,ld.so.preload
+
+dbus-user none
+dbus-system none
diff --git a/etc/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
index d4e54235b..41487a8f2 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -10,8 +10,8 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/uzbl
 
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/viewnior.profile b/etc/profile-m-z/viewnior.profile
index 9f57b2971..83727d42b 100644
--- a/etc/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -26,7 +27,6 @@ apparmor
 caps.drop all
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -46,4 +46,7 @@ private-dev
 private-etc alternatives,fonts,machine-id
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
diff --git a/etc/viking.profile b/etc/profile-m-z/viking.profile
index 5b6228a94..5b6228a94 100644
--- a/etc/viking.profile
+++ b/etc/profile-m-z/viking.profile
diff --git a/etc/vim.profile b/etc/profile-m-z/vim.profile
index d27a9a633..e9a474239 100644
--- a/etc/vim.profile
+++ b/etc/profile-m-z/vim.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/vimcat.profile b/etc/profile-m-z/vimcat.profile
index 73b76b5ab..73b76b5ab 100644
--- a/etc/vimcat.profile
+++ b/etc/profile-m-z/vimcat.profile
diff --git a/etc/vimdiff.profile b/etc/profile-m-z/vimdiff.profile
index f09faf1d6..f09faf1d6 100644
--- a/etc/vimdiff.profile
+++ b/etc/profile-m-z/vimdiff.profile
diff --git a/etc/vimpager.profile b/etc/profile-m-z/vimpager.profile
index af7703752..af7703752 100644
--- a/etc/vimpager.profile
+++ b/etc/profile-m-z/vimpager.profile
diff --git a/etc/vimtutor.profile b/etc/profile-m-z/vimtutor.profile
index b9584cc49..b9584cc49 100644
--- a/etc/vimtutor.profile
+++ b/etc/profile-m-z/vimtutor.profile
diff --git a/etc/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index c0dbc9116..12bef5d1f 100644
--- a/etc/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -14,9 +14,12 @@ noblacklist /usr/lib/virtualbox
 noblacklist /usr/lib64/virtualbox
 
 include disable-common.inc
+include disable-devel.inc
 include disable-exec.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/VirtualBox
 mkdir ${HOME}/VirtualBox VMs
@@ -24,9 +27,23 @@ whitelist ${HOME}/.config/VirtualBox
 whitelist ${HOME}/VirtualBox VMs
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-caps.keep net_raw,sys_admin,sys_nice
+# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+
+caps.keep net_raw,sys_nice
 netfilter
 nodvd
+#nogroups
 notv
+shell none
+tracelog
+
+#disable-mnt
+private-cache
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+
+dbus-user none
+dbus-system none
diff --git a/etc/vivaldi-beta.profile b/etc/profile-m-z/vivaldi-beta.profile
index 5de5682a3..5de5682a3 100644
--- a/etc/vivaldi-beta.profile
+++ b/etc/profile-m-z/vivaldi-beta.profile
diff --git a/etc/vivaldi-snapshot.profile b/etc/profile-m-z/vivaldi-snapshot.profile
index ea4a4009f..ea4a4009f 100644
--- a/etc/vivaldi-snapshot.profile
+++ b/etc/profile-m-z/vivaldi-snapshot.profile
diff --git a/etc/vivaldi-stable.profile b/etc/profile-m-z/vivaldi-stable.profile
index 5de5682a3..5de5682a3 100644
--- a/etc/vivaldi-stable.profile
+++ b/etc/profile-m-z/vivaldi-stable.profile
diff --git a/etc/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 2185b90ec..096ce8a72 100644
--- a/etc/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -23,8 +23,9 @@ whitelist ${HOME}/.cache/vivaldi
 whitelist ${HOME}/.config/vivaldi
 whitelist ${HOME}/.local/lib/vivaldi
 
-# nodbus breaks vivaldi sync
-ignore nodbus
+# breaks vivaldi sync
+ignore dbus-user none
+ignore dbus-system none
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/vlc.profile b/etc/profile-m-z/vlc.profile
index 572758f28..0069ebeae 100644
--- a/etc/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access
 caps.drop all
 netfilter
-#nodbus - dbus needed for MPRIS
 nogroups
 nonewprivs
 noroot
@@ -38,5 +37,9 @@ private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
 private-dev
 private-tmp
 
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
+
 # mdwe is disabled due to breaking hardware accelerated decoding
 #memory-deny-write-execute
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
new file mode 100644
index 000000000..720b69773
--- /dev/null
+++ b/etc/profile-m-z/vmware.profile
@@ -0,0 +1,39 @@
+# Firejail profile for vmware
+# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vmware.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/vmware
+noblacklist ${HOME}/.vmware
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/vmware
+mkdir ${HOME}/.vmware
+whitelist ${HOME}/.cache/vmware
+whitelist ${HOME}/.vmware
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.keep chown,net_raw,sys_nice,sys_rawio
+netfilter
+nogroups
+notv
+shell none
+tracelog
+
+#disable-mnt
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+dbus-user none
+dbus-system none
diff --git a/etc/vscodium.profile b/etc/profile-m-z/vscodium.profile
index b4728fb72..b4728fb72 100644
--- a/etc/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
diff --git a/etc/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile
index 2e9078a7b..2e9078a7b 100644
--- a/etc/vulturesclaw.profile
+++ b/etc/profile-m-z/vulturesclaw.profile
diff --git a/etc/vultureseye.profile b/etc/profile-m-z/vultureseye.profile
index 44c263cfc..44c263cfc 100644
--- a/etc/vultureseye.profile
+++ b/etc/profile-m-z/vultureseye.profile
diff --git a/etc/vym.profile b/etc/profile-m-z/vym.profile
index fbb53943c..fbb53943c 100644
--- a/etc/vym.profile
+++ b/etc/profile-m-z/vym.profile
diff --git a/etc/w3m.profile b/etc/profile-m-z/w3m.profile
index 97465baa1..bd33edd6a 100644
--- a/etc/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -1,6 +1,7 @@
 # Firejail profile for w3m
 # Description: WWW browsable pager with excellent tables/frames support
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include w3m.local
 # Persistent global definitions
@@ -20,6 +21,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
new file mode 100644
index 000000000..aaef652fd
--- /dev/null
+++ b/etc/profile-m-z/warmux.profile
@@ -0,0 +1,56 @@
+# Firejail profile for warmux
+# Description: a convivial mass murder game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warmux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/wormux
+noblacklist ${HOME}/.local/share/wormux
+noblacklist ${HOME}/.wormux
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/wormux
+mkdir ${HOME}/.local/share/wormux
+mkdir ${HOME}/.wormux
+whitelist ${HOME}/.config/wormux
+whitelist ${HOME}/.local/share/wormux
+whitelist ${HOME}/.wormux
+whitelist /usr/share/warmux
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warmux
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/warsow.profile b/etc/profile-m-z/warsow.profile
index e884ab07a..d8cd5557e 100644
--- a/etc/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/warsow-2.1
@@ -29,7 +30,6 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,3 +47,6 @@ private-bin warsow
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index e65e0a0c3..369c9cc1d 100644
--- a/etc/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -14,14 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 # mkdir ${HOME}/.warzone2100-3.1
 # mkdir ${HOME}/.warzone2100-3.2
 whitelist ${HOME}/.warzone2100-3.1
 whitelist ${HOME}/.warzone2100-3.2
+whitelist /usr/share/games
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/waterfox-classic.profile b/etc/profile-m-z/waterfox-classic.profile
index 6c7e18a46..6c7e18a46 100644
--- a/etc/waterfox-classic.profile
+++ b/etc/profile-m-z/waterfox-classic.profile
diff --git a/etc/waterfox-current.profile b/etc/profile-m-z/waterfox-current.profile
index 5e12a6fe3..5e12a6fe3 100644
--- a/etc/waterfox-current.profile
+++ b/etc/profile-m-z/waterfox-current.profile
diff --git a/etc/waterfox.profile b/etc/profile-m-z/waterfox.profile
index c6c940fa3..c6c940fa3 100644
--- a/etc/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
diff --git a/etc/webstorm.profile b/etc/profile-m-z/webstorm.profile
index fc4e8e571..fc4e8e571 100644
--- a/etc/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
diff --git a/etc/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index 0cd1e05ab..8928f8116 100644
--- a/etc/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -18,7 +18,6 @@ include disable-xdg.inc
 
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -35,3 +34,5 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/weechat-curses.profile b/etc/profile-m-z/weechat-curses.profile
index 4719b9788..4719b9788 100644
--- a/etc/weechat-curses.profile
+++ b/etc/profile-m-z/weechat-curses.profile
diff --git a/etc/weechat.profile b/etc/profile-m-z/weechat.profile
index 800724054..800724054 100644
--- a/etc/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
diff --git a/etc/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index 934edfce9..934edfce9 100644
--- a/etc/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
diff --git a/etc/wget.profile b/etc/profile-m-z/wget.profile
index 401926e2d..cdb8f0b93 100644
--- a/etc/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wgetrc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,16 +21,17 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 # depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local
 #include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
-nodbus
 netfilter
 no3d
 nodvd
@@ -52,4 +54,7 @@ private-dev
 #private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc
 #private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 2e24dd8e0..187c49ed8 100644
--- a/etc/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -7,7 +7,8 @@ include whalebird.local
 # added by included profile
 #include globals.local
 
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 
 noblacklist ${HOME}/.config/Whalebird
 
diff --git a/etc/whois.profile b/etc/profile-m-z/whois.profile
index 0e60e18ab..2af1379e0 100644
--- a/etc/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -9,6 +9,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,13 +22,13 @@ include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 hostname whois
 ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -50,4 +51,7 @@ private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
 private-lib gconv
 private-tmp
 
+dbus-user none
+dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/widelands.profile b/etc/profile-m-z/widelands.profile
index c6b5f27da..f18878554 100644
--- a/etc/widelands.profile
+++ b/etc/profile-m-z/widelands.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.widelands
@@ -21,10 +22,10 @@ whitelist ${HOME}/.widelands
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -42,3 +43,6 @@ private-bin widelands
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/wine.profile b/etc/profile-m-z/wine.profile
index 901340052..901340052 100644
--- a/etc/wine.profile
+++ b/etc/profile-m-z/wine.profile
diff --git a/etc/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 3c783322b..8f6014dc3 100644
--- a/etc/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -9,8 +9,8 @@ include wire-desktop.local
 
 # Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
 
-ignore caps.drop all
-ignore nodbus
+ignore dbus-user none
+ignore dbus-system none
 
 noblacklist ${HOME}/.config/Wire
 
@@ -21,12 +21,13 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 include whitelist-common.inc
 
-caps.keep sys_admin,sys_chroot
 nou2f
+ignore seccomp
+seccomp !chroot
 shell none
 
 disable-mnt
-private-bin bash,electron,electron4,env,sh,wire-desktop
+private-bin bash,electron,electron4,electron6,env,sh,wire-desktop
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/wireshark-gtk.profile b/etc/profile-m-z/wireshark-gtk.profile
index 3e2e1807e..3e2e1807e 100644
--- a/etc/wireshark-gtk.profile
+++ b/etc/profile-m-z/wireshark-gtk.profile
diff --git a/etc/wireshark-qt.profile b/etc/profile-m-z/wireshark-qt.profile
index 3e2e1807e..3e2e1807e 100644
--- a/etc/wireshark-qt.profile
+++ b/etc/profile-m-z/wireshark-qt.profile
diff --git a/etc/wireshark.profile b/etc/profile-m-z/wireshark.profile
index d73e2e279..a30cb43d5 100644
--- a/etc/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -47,4 +47,3 @@ tracelog
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
 private-tmp
-
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
new file mode 100644
index 000000000..da1210bb8
--- /dev/null
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -0,0 +1,52 @@
+# Firejail profile for wordwarvi
+# Description: Old school '80's style side scrolling space shoot'em up game.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wordwarvi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.wordwarvi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.wordwarvi
+whitelist ${HOME}/.wordwarvi
+whitelist /usr/share/wordwarvi
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin wordwarvi
+private-cache
+private-dev
+private-etc alsa,asound.conf,machine-id,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/wpp.profile b/etc/profile-m-z/wpp.profile
index a219397a9..a219397a9 100644
--- a/etc/wpp.profile
+++ b/etc/profile-m-z/wpp.profile
diff --git a/etc/wps.profile b/etc/profile-m-z/wps.profile
index 47bba2dda..6e4a313e3 100644
--- a/etc/wps.profile
+++ b/etc/profile-m-z/wps.profile
@@ -27,7 +27,6 @@ machine-id
 #net none
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,3 +44,6 @@ tracelog
 private-cache
 private-dev
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/wpspdf.profile b/etc/profile-m-z/wpspdf.profile
index 82080acbc..82080acbc 100644
--- a/etc/wpspdf.profile
+++ b/etc/profile-m-z/wpspdf.profile
diff --git a/etc/x-terminal-emulator.profile b/etc/profile-m-z/x-terminal-emulator.profile
index e21b74030..fe0781336 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/profile-m-z/x-terminal-emulator.profile
@@ -8,8 +8,6 @@ include globals.local
 caps.drop all
 ipc-namespace
 net none
-netfilter
-nodbus
 nogroups
 noroot
 nou2f
@@ -18,4 +16,7 @@ seccomp
 
 private-dev
 
+dbus-user none
+dbus-system none
+
 noexec /tmp
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
new file mode 100644
index 000000000..bc9603835
--- /dev/null
+++ b/etc/profile-m-z/x2goclient.profile
@@ -0,0 +1,49 @@
+# Firejail profile for x2goclient
+# Description: Graphical client for X2Go remote desktop system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include x2goclient.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.x2go
+noblacklist ${HOME}/.x2goclient
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+#no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+#private-bin nxproxy,x2goclient
+private-cache
+private-dev
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,X11,xdg
+#private-lib
+private-opt none
+private-srv none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#memory-deny-write-execute
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
new file mode 100644
index 000000000..cdfebfb29
--- /dev/null
+++ b/etc/profile-m-z/xbill.profile
@@ -0,0 +1,54 @@
+# Firejail profile for xbill
+# Description: save your computers from Wingdows [TM] virus
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xbill.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xbill
+whitelist /var/games/xbill/scores
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin xbill
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/xcalc.profile b/etc/profile-m-z/xcalc.profile
index 0ad423d30..56ce01498 100644
--- a/etc/xcalc.profile
+++ b/etc/profile-m-z/xcalc.profile
@@ -11,15 +11,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
-netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +39,5 @@ private-dev
 private-lib
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/xchat.profile b/etc/profile-m-z/xchat.profile
index a94444aab..a94444aab 100644
--- a/etc/xchat.profile
+++ b/etc/profile-m-z/xchat.profile
diff --git a/etc/xed.profile b/etc/profile-m-z/xed.profile
index a67230e51..b114f9ab5 100644
--- a/etc/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -11,8 +11,8 @@ noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-var-common.inc
 
@@ -28,7 +29,6 @@ caps.drop all
 machine-id
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -46,5 +46,9 @@ private-bin xed
 private-dev
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 # xed uses python plugins, memory-deny-write-execute breaks python
 # memory-deny-write-execute
diff --git a/etc/xfburn.profile b/etc/profile-m-z/xfburn.profile
index cd9561e74..cd9561e74 100644
--- a/etc/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
diff --git a/etc/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile
index bc499bd30..a3e0c4633 100644
--- a/etc/xfce4-dict.profile
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -15,6 +15,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 6ef85f318..6ff4a1103 100644
--- a/etc/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
@@ -29,7 +30,6 @@ caps.drop all
 ipc-namespace
 netfilter
 no3d
-# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,4 +48,7 @@ private-dev
 private-etc alternatives,asound.conf,fonts,machine-id,pulse
 private-tmp
 
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile
index 4dad1bf7a..c3d0930ff 100644
--- a/etc/xfce4-notes.profile
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -17,6 +17,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 no3d
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
new file mode 100644
index 000000000..b760b44dd
--- /dev/null
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -0,0 +1,51 @@
+# Firejail profile for xfce4-screenshooter
+# Description: Xfce screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xfce4-screenshooter.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xfce4
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin xfce4-screenshooter,xfconf-query
+private-dev
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 7114f0469..188589df3 100644
--- a/etc/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 mkdir ${HOME}/.sword
 mkdir ${HOME}/.xiphos
diff --git a/etc/xlinks.profile b/etc/profile-m-z/xlinks.profile
index 7987af280..7987af280 100644
--- a/etc/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
diff --git a/etc/xmms.profile b/etc/profile-m-z/xmms.profile
index 7a11e1244..9391f68de 100644
--- a/etc/xmms.profile
+++ b/etc/profile-m-z/xmms.profile
@@ -13,6 +13,7 @@ include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 caps.drop all
diff --git a/etc/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index c6ba9bd9d..3278e295d 100644
--- a/etc/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -13,6 +13,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.xmr-stak
diff --git a/etc/xonotic-glx.profile b/etc/profile-m-z/xonotic-glx.profile
index abb91e1ec..abb91e1ec 100644
--- a/etc/xonotic-glx.profile
+++ b/etc/profile-m-z/xonotic-glx.profile
diff --git a/etc/profile-m-z/xonotic-sdl-wrapper.profile b/etc/profile-m-z/xonotic-sdl-wrapper.profile
new file mode 100644
index 000000000..6f0c7cf4c
--- /dev/null
+++ b/etc/profile-m-z/xonotic-sdl-wrapper.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+include xonotic-sdl-wrapper.local
+
+# Redirect
+include xonotic.profile
diff --git a/etc/xonotic-sdl.profile b/etc/profile-m-z/xonotic-sdl.profile
index abb91e1ec..abb91e1ec 100644
--- a/etc/xonotic-sdl.profile
+++ b/etc/profile-m-z/xonotic-sdl.profile
diff --git a/etc/xonotic.profile b/etc/profile-m-z/xonotic.profile
index f4f828eda..aa8cc7d0e 100644
--- a/etc/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -14,15 +14,19 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.xonotic
 whitelist ${HOME}/.xonotic
+whitelist /usr/share/xonotic
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -33,10 +37,17 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
-private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
+private-cache
+private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
 
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.xonotic
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
new file mode 100644
index 000000000..b842b5307
--- /dev/null
+++ b/etc/profile-m-z/xournal.profile
@@ -0,0 +1,50 @@
+# Firejail profile for xournal
+# Description: Note taking and PDF editing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xournal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/xournal
+whitelist /usr/share/poppler
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xournal
+private-cache
+private-dev
+private-etc alternatives,fonts,group,machine-id,passwd
+# TODO should use private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/xpdf.profile b/etc/profile-m-z/xpdf.profile
index 8c405ba1d..cdffe4eb7 100644
--- a/etc/xpdf.profile
+++ b/etc/profile-m-z/xpdf.profile
@@ -19,11 +19,11 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -39,3 +39,7 @@ shell none
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/xplayer-audio-preview.profile b/etc/profile-m-z/xplayer-audio-preview.profile
index 0559b8183..0559b8183 100644
--- a/etc/xplayer-audio-preview.profile
+++ b/etc/profile-m-z/xplayer-audio-preview.profile
diff --git a/etc/xplayer-video-thumbnailer.profile b/etc/profile-m-z/xplayer-video-thumbnailer.profile
index 6b2878476..6b2878476 100644
--- a/etc/xplayer-video-thumbnailer.profile
+++ b/etc/profile-m-z/xplayer-video-thumbnailer.profile
diff --git a/etc/xplayer.profile b/etc/profile-m-z/xplayer.profile
index 325ce7627..28df73ea5 100644
--- a/etc/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -11,8 +11,8 @@ noblacklist ${MUSIC}
 noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
+include allow-python2.inc
+include allow-python3.inc
 
 include disable-common.inc
 include disable-devel.inc
@@ -27,7 +27,6 @@ include whitelist-var-common.inc
 # apparmor - makes settings immutable
 caps.drop all
 netfilter
-# nodbus - makes settings immutable
 nogroups
 nonewprivs
 noroot
@@ -42,3 +41,6 @@ private-dev
 # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
diff --git a/etc/xpra.profile b/etc/profile-m-z/xpra.profile
index 1033a7471..1033a7471 100644
--- a/etc/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
diff --git a/etc/xreader-previewer.profile b/etc/profile-m-z/xreader-previewer.profile
index 6e1dcb5d2..6e1dcb5d2 100644
--- a/etc/xreader-previewer.profile
+++ b/etc/profile-m-z/xreader-previewer.profile
diff --git a/etc/xreader-thumbnailer.profile b/etc/profile-m-z/xreader-thumbnailer.profile
index a6925fcde..a6925fcde 100644
--- a/etc/xreader-thumbnailer.profile
+++ b/etc/profile-m-z/xreader-thumbnailer.profile
diff --git a/etc/xreader.profile b/etc/profile-m-z/xreader.profile
index 643c5a317..643c5a317 100644
--- a/etc/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
diff --git a/etc/xviewer.profile b/etc/profile-m-z/xviewer.profile
index b09bf8ab1..0ac0f665e 100644
--- a/etc/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 
 include whitelist-var-common.inc
 
@@ -23,7 +24,6 @@ include whitelist-var-common.inc
 caps.drop all
 # net none - makes settings immutable
 no3d
-# nodbus - makes settings immutable
 nodvd
 nogroups
 nonewprivs
@@ -42,4 +42,8 @@ private-dev
 private-lib
 private-tmp
 
+# makes settings immutable
+# dbus-user none
+# dbus-system none
+
 memory-deny-write-execute
diff --git a/etc/xxd.profile b/etc/profile-m-z/xxd.profile
index 569f194d3..864e8ce9c 100644
--- a/etc/xxd.profile
+++ b/etc/profile-m-z/xxd.profile
@@ -1,6 +1,7 @@
 # Firejail profile for xxd
 # Description: Tool to make (or reverse) a hex dump
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include xxd.local
 # Persistent global definitions
@@ -8,4 +9,4 @@ include xxd.local
 #include globals.local
 
 # Redirect
-include vim.profile
+include cpio.profile
diff --git a/etc/xz.profile b/etc/profile-m-z/xz.profile
index f7410b928..d9c72407f 100644
--- a/etc/xz.profile
+++ b/etc/profile-m-z/xz.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzcat.profile b/etc/profile-m-z/xzcat.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzcat.profile
+++ b/etc/profile-m-z/xzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzcmp.profile b/etc/profile-m-z/xzcmp.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzcmp.profile
+++ b/etc/profile-m-z/xzcmp.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzdec.profile b/etc/profile-m-z/xzdec.profile
index ca6aaf1d5..542363b57 100644
--- a/etc/xzdec.profile
+++ b/etc/profile-m-z/xzdec.profile
@@ -21,7 +21,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 #nogroups
 nonewprivs
@@ -37,3 +36,6 @@ tracelog
 x11 none
 
 private-dev
+
+dbus-user none
+dbus-system none
diff --git a/etc/xzdiff.profile b/etc/profile-m-z/xzdiff.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzdiff.profile
+++ b/etc/profile-m-z/xzdiff.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzegrep.profile b/etc/profile-m-z/xzegrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzegrep.profile
+++ b/etc/profile-m-z/xzegrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzfgrep.profile b/etc/profile-m-z/xzfgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzfgrep.profile
+++ b/etc/profile-m-z/xzfgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/xzgrep.profile b/etc/profile-m-z/xzgrep.profile
index f7410b928..f7410b928 100644
--- a/etc/xzgrep.profile
+++ b/etc/profile-m-z/xzgrep.profile
diff --git a/etc/xzless.profile b/etc/profile-m-z/xzless.profile
index f7410b928..f7410b928 100644
--- a/etc/xzless.profile
+++ b/etc/profile-m-z/xzless.profile
diff --git a/etc/xzmore.profile b/etc/profile-m-z/xzmore.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzmore.profile
+++ b/etc/profile-m-z/xzmore.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile
diff --git a/etc/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
index 680bef677..680bef677 100644
--- a/etc/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
diff --git a/etc/yelp.profile b/etc/profile-m-z/yelp.profile
index acd483209..fd95ceb04 100644
--- a/etc/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/yelp
@@ -21,8 +22,10 @@ whitelist ${HOME}/.config/yelp
 whitelist /usr/share/doc
 whitelist /usr/share/help
 whitelist /usr/share/yelp
+whitelist /usr/share/yelp-tools
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -48,6 +51,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
 private-tmp
 
+dbus-system none
+
 # read-only ${HOME} breaks some not necesarry featrues, comment it if
 # you need them or put 'ignore read-only ${HOME}' into your yelp.local.
 # broken features:
diff --git a/etc/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 19effef47..db3535f78 100644
--- a/etc/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -22,6 +22,7 @@ include allow-python3.inc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
@@ -29,6 +30,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
@@ -40,7 +42,6 @@ ipc-namespace
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -60,4 +61,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
 
+dbus-user none
+dbus-system none
+
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
new file mode 100644
index 000000000..513cb0f6e
--- /dev/null
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -0,0 +1,57 @@
+# Firejail profile for youtube-viewer
+# Description: Trizen's CLI Youtube viewer with login support
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include youtube-viewer.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.config/youtube-viewer
+
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtube-viewer
+whitelist ${HOME}/.config/youtube-viewer
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
\ No newline at end of file
diff --git a/etc/zaproxy.profile b/etc/profile-m-z/zaproxy.profile
index 6228ff3bd..6228ff3bd 100644
--- a/etc/zaproxy.profile
+++ b/etc/profile-m-z/zaproxy.profile
diff --git a/etc/zart.profile b/etc/profile-m-z/zart.profile
index 347bed8b6..ca35e3b51 100644
--- a/etc/zart.profile
+++ b/etc/profile-m-z/zart.profile
@@ -15,12 +15,12 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 caps.drop all
 ipc-namespace
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -34,3 +34,5 @@ shell none
 private-bin ffmpeg,ffplay,ffprobe,melt,zart
 private-dev
 
+dbus-user none
+dbus-system none
diff --git a/etc/zathura.profile b/etc/profile-m-z/zathura.profile
index 703c8edd4..5274e5b42 100644
--- a/etc/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/zathura
@@ -25,11 +26,11 @@ whitelist /usr/share/zathura
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
 net none
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -47,9 +48,13 @@ private-bin zathura
 private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
-private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
+# private-lib has problems on Debian 10
+#private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
 private-tmp
 
+dbus-user none
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.config/zathura
 read-write ${HOME}/.local/share/zathura
diff --git a/etc/zcat.profile b/etc/profile-m-z/zcat.profile
index 12932ea92..bbac50712 100644
--- a/etc/zcat.profile
+++ b/etc/profile-m-z/zcat.profile
@@ -7,5 +7,8 @@ include zcat.local
 # added by included profile
 #include globals.local
 
+# Allow running kernel config check
+noblacklist /proc/config.gz
+
 # Redirect
 include gzip.profile
diff --git a/etc/zcmp.profile b/etc/profile-m-z/zcmp.profile
index 795cdae2a..795cdae2a 100644
--- a/etc/zcmp.profile
+++ b/etc/profile-m-z/zcmp.profile
diff --git a/etc/zdiff.profile b/etc/profile-m-z/zdiff.profile
index 1e75e38fe..1e75e38fe 100644
--- a/etc/zdiff.profile
+++ b/etc/profile-m-z/zdiff.profile
diff --git a/etc/zeal.profile b/etc/profile-m-z/zeal.profile
index f0fa29aa3..2d0d944fd 100644
--- a/etc/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -1,5 +1,5 @@
 # Firejail profile for zeal
-# Description: Offline documentation browser
+# Description: Offline API documentation browser
 # This file is overwritten after every install/update
 # Persistent local customizations
 include zeal.local
@@ -16,13 +16,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.config/Zeal
 mkdir ${HOME}/.cache/Zeal
+mkdir ${HOME}/.config/qt5ct
+mkdir ${HOME}/.config/Zeal
 mkdir ${HOME}/.local/share/Zeal
-whitelist ${HOME}/.config/Zeal
 whitelist ${HOME}/.cache/Zeal
+whitelist ${HOME}/.config/Zeal
 whitelist ${HOME}/.local/share/Zeal
 include whitelist-common.inc
 include whitelist-var-common.inc
@@ -32,7 +34,6 @@ caps.drop all
 machine-id
 netfilter
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
@@ -41,7 +42,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
@@ -53,4 +54,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
 private-tmp
 
-memory-deny-write-execute
+dbus-user none
+dbus-system none
+
+# memory-deny-write-execute - breaks on Arch
diff --git a/etc/zegrep.profile b/etc/profile-m-z/zegrep.profile
index 54dc6b2a0..54dc6b2a0 100644
--- a/etc/zegrep.profile
+++ b/etc/profile-m-z/zegrep.profile
diff --git a/etc/zfgrep.profile b/etc/profile-m-z/zfgrep.profile
index 73b22f2e8..73b22f2e8 100644
--- a/etc/zfgrep.profile
+++ b/etc/profile-m-z/zfgrep.profile
diff --git a/etc/zforce.profile b/etc/profile-m-z/zforce.profile
index d62e57065..d62e57065 100644
--- a/etc/zforce.profile
+++ b/etc/profile-m-z/zforce.profile
diff --git a/etc/zgrep.profile b/etc/profile-m-z/zgrep.profile
index b39a58420..0e7151400 100644
--- a/etc/zgrep.profile
+++ b/etc/profile-m-z/zgrep.profile
@@ -7,5 +7,8 @@ include zgrep.local
 # added by included profile
 #include globals.local
 
+# Allow running kernel config check
+noblacklist /proc/config.gz
+
 # Redirect
 include gzip.profile
diff --git a/etc/zless.profile b/etc/profile-m-z/zless.profile
index 0a26cda1f..0a26cda1f 100644
--- a/etc/zless.profile
+++ b/etc/profile-m-z/zless.profile
diff --git a/etc/zmore.profile b/etc/profile-m-z/zmore.profile
index 3a8f63562..3a8f63562 100644
--- a/etc/zmore.profile
+++ b/etc/profile-m-z/zmore.profile
diff --git a/etc/znew.profile b/etc/profile-m-z/znew.profile
index a8593e58e..a8593e58e 100644
--- a/etc/znew.profile
+++ b/etc/profile-m-z/znew.profile
diff --git a/etc/zoom.profile b/etc/profile-m-z/zoom.profile
index 6d312aff6..b3125ee50 100644
--- a/etc/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -10,8 +10,11 @@ noblacklist ${HOME}/.zoom
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
+include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
@@ -20,14 +23,25 @@ whitelist ${HOME}/.cache/zoom
 whitelist ${HOME}/.config/zoomus.conf
 whitelist ${HOME}/.zoom
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
 netfilter
 nodvd
+nogroups
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
-seccomp
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+tracelog
 
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/zpaq.profile b/etc/profile-m-z/zpaq.profile
index 80329ecfd..80329ecfd 100644
--- a/etc/zpaq.profile
+++ b/etc/profile-m-z/zpaq.profile
diff --git a/etc/zstd.profile b/etc/profile-m-z/zstd.profile
index 93b849568..be27c10e1 100644
--- a/etc/zstd.profile
+++ b/etc/profile-m-z/zstd.profile
@@ -23,7 +23,6 @@ ipc-namespace
 machine-id
 net none
 no3d
-nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/zstdcat.profile b/etc/profile-m-z/zstdcat.profile
index ce9af3286..ce9af3286 100644
--- a/etc/zstdcat.profile
+++ b/etc/profile-m-z/zstdcat.profile
diff --git a/etc/zstdgrep.profile b/etc/profile-m-z/zstdgrep.profile
index ce9af3286..ce9af3286 100644
--- a/etc/zstdgrep.profile
+++ b/etc/profile-m-z/zstdgrep.profile
diff --git a/etc/zstdless.profile b/etc/profile-m-z/zstdless.profile
index ce9af3286..ce9af3286 100644
--- a/etc/zstdless.profile
+++ b/etc/profile-m-z/zstdless.profile
diff --git a/etc/zstdmt.profile b/etc/profile-m-z/zstdmt.profile
index ce9af3286..ce9af3286 100644
--- a/etc/zstdmt.profile
+++ b/etc/profile-m-z/zstdmt.profile
diff --git a/etc/zulip.profile b/etc/profile-m-z/zulip.profile
index 999c2f77a..993f2a64b 100644
--- a/etc/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/Zulip
diff --git a/etc/ranger.profile b/etc/ranger.profile
deleted file mode 100644
index bcf39095b..000000000
--- a/etc/ranger.profile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Firejail profile for ranger
-# Description: File manager with an ncurses frontend written in Python
-# This file is overwritten after every install/update
-# Persistent local customizations
-include ranger.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.config/ranger
-noblacklist ${HOME}/.nanorc
-
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-# Allow perl
-include allow-perl.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-allusers
-caps.drop all
-net none
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-#x11 none
-
-private-dev
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 0362b82af..02d9fa076 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -27,11 +27,13 @@
 #   ALLOW INCLUDES
 #   BLACKLISTS
 #   DISABLE INCLUDES
+#   NOWHITELISTS
 #   MKDIRS
 #   WHITELISTS
 #   WHITELIST INCLUDES
 #   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
 #   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+#   DBUS FILTER
 #   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 #   REDIRECT INCLUDES
 #
@@ -62,6 +64,8 @@ include globals.local
 #blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only)
+#blacklist ${RUNUSER}
 
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -105,6 +109,7 @@ include globals.local
 #include disable-interpreters.inc
 #include disable-passwdmgr.inc
 #include disable-programs.inc
+#include disable-shell.inc
 #include disable-xdg.inc
 
 # This section often mirrors noblacklist section above. The idea is
@@ -116,6 +121,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
+#include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
@@ -132,7 +138,7 @@ include globals.local
 #net none
 #netfilter
 #no3d
-#nodbus
+##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
 #nodvd
 #nogroups
 #nonewprivs
@@ -182,6 +188,22 @@ include globals.local
 ##writable-var
 ##writable-var-log
 
+# Since 0.9.63 also a more granular regulation of dbus is supported.
+# To get the dbus-addresses to which an application needs access to.
+# You can look at flatpak if the application is also distriputed via flatpak:
+#    flatpak remote-info --show-metadata flathub <APP-ID>
+# Notes:
+#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
+#  - In order to make dconf work (if it is used by the app) you need to allow
+#    'ca.desrt.dconf' even if it is not allowed by flatpak.
+# Notes and Policiy about addresses can be found at
+# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
+#dbus-user filter
+#dbus-user.own com.github.netblue30.firejail
+#dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-system none
+
 ##env VAR=VALUE
 #memory-deny-write-execute
 ##noexec PATH
diff --git a/mkdeb-apparmor.sh b/mkdeb-apparmor.sh
deleted file mode 100755
index 3c560179c..000000000
--- a/mkdeb-apparmor.sh
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/sh
-# This file is part of Firejail project
-# Copyright (C) 2014-2020 Firejail Authors
-# License GPL v2
-
-# based on http://tldp.org/HOWTO/html_single/Debian-Binary-Package-Building-HOWTO/
-# a code archive should already be available
-
-set -e
-
-TOP=`pwd`
-CODE_ARCHIVE="$1-$2.tar.xz"
-CODE_DIR="$1-$2"
-INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
-DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
-
-echo "*****************************************"
-echo "code archive: $CODE_ARCHIVE"
-echo "code directory: $CODE_DIR"
-echo "install directory: $INSTALL_DIR"
-echo "debian control directory: $DEBIAN_CTRL_DIR"
-echo "*****************************************"
-
-tar -xJvf $CODE_ARCHIVE
-#mkdir -p $INSTALL_DIR
-cd $CODE_DIR
-./configure --prefix=/usr --enable-apparmor
-make -j2
-mkdir debian
-DESTDIR=debian make install-strip
-
-cd ..
-echo "*****************************************"
-SIZE=`du -s $INSTALL_DIR`
-echo "install size $SIZE"
-echo "*****************************************"
-
-mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
-rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
-install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
-mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$2/g"  platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
-
-mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
-install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
-
-find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
-chmod 644 $DEBIAN_CTRL_DIR/conffiles
-find $INSTALL_DIR  -type d | xargs chmod 755
-cd $CODE_DIR
-fakeroot dpkg-deb --build debian
-lintian debian.deb
-mv debian.deb ../firejail-apparmor_$2_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
-cd ..
-rm -fr $CODE_DIR
diff --git a/mkdeb.sh b/mkdeb.sh.in
index dd784eb8a..a19dee620 100755
--- a/mkdeb.sh
+++ b/mkdeb.sh.in
@@ -7,10 +7,24 @@
 # a code archive should already be available
 
 set -e
+NAME=@PACKAGE_NAME@
+VERSION=@PACKAGE_VERSION@
+PACKAGE_TARNAME=@PACKAGE_TARNAME@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_SELINUX=@HAVE_SELINUX@
+EXTRA_VERSION=$1
+
+CONFIG_ARGS="--prefix=/usr"
+if [ -n "$HAVE_APPARMOR" ]; then
+    CONFIG_ARGS="$CONFIG_ARGS --enable-apparmor"
+fi
+if [ -n "$HAVE_SELINUX" ]; then
+    CONFIG_ARGS="$CONFIG_ARGS --enable-selinux"
+fi
 
 TOP=`pwd`
-CODE_ARCHIVE="$1-$2.tar.xz"
-CODE_DIR="$1-$2"
+CODE_ARCHIVE="$NAME-$VERSION.tar.xz"
+CODE_DIR="$NAME-$VERSION"
 INSTALL_DIR="${INSTALL_DIR}${CODE_DIR}/debian"
 DEBIAN_CTRL_DIR="${DEBIAN_CTRL_DIR}${CODE_DIR}/debian/DEBIAN"
 
@@ -24,7 +38,7 @@ echo "*****************************************"
 tar -xJvf $CODE_ARCHIVE
 #mkdir -p $INSTALL_DIR
 cd $CODE_DIR
-./configure --prefix=/usr
+./configure $CONFIG_ARGS
 make -j2
 mkdir debian
 DESTDIR=debian make install-strip
@@ -38,12 +52,12 @@ echo "*****************************************"
 mv $INSTALL_DIR/usr/share/doc/firejail/RELNOTES $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
 gzip -9 -n $INSTALL_DIR/usr/share/doc/firejail/changelog.Debian
 rm $INSTALL_DIR/usr/share/doc/firejail/COPYING
-install -m644 platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
+install -m644 $CODE_DIR/platform/debian/copyright $INSTALL_DIR/usr/share/doc/firejail/.
 mkdir -p $DEBIAN_CTRL_DIR
-sed "s/FIREJAILVER/$2/g"  platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
+sed "s/FIREJAILVER/$VERSION/g"  $CODE_DIR/platform/debian/control.$(dpkg-architecture -qDEB_HOST_ARCH) > $DEBIAN_CTRL_DIR/control
 
 mkdir -p $INSTALL_DIR/usr/share/lintian/overrides/
-install -m644 platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
+install -m644 $CODE_DIR/platform/debian/firejail.lintian-overrides $INSTALL_DIR/usr/share/lintian/overrides/firejail
 
 find $INSTALL_DIR/etc -type f | sed "s,^$INSTALL_DIR,," | LC_ALL=C sort > $DEBIAN_CTRL_DIR/conffiles
 chmod 644 $DEBIAN_CTRL_DIR/conffiles
@@ -51,6 +65,6 @@ find $INSTALL_DIR  -type d | xargs chmod 755
 cd $CODE_DIR
 fakeroot dpkg-deb --build debian
 lintian debian.deb
-mv debian.deb ../firejail_$2_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
+mv debian.deb ../firejail_${VERSION}${EXTRA_VERSION}_1_$(dpkg-architecture -qDEB_HOST_ARCH).deb
 cd ..
 rm -fr $CODE_DIR
diff --git a/mketc.sh b/mketc.sh
index 8dbc72915..8102f58b8 100755
--- a/mketc.sh
+++ b/mketc.sh
@@ -3,25 +3,15 @@
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
 
-rm -fr .etc
-mkdir .etc
-
-for file in etc/*.profile etc/*.inc etc/*.net;
-do
-        sed "s;/etc/firejail;$1/firejail;g" $file > .$file
-done
-
-if [ "x$2" = "xyes" ]
-then
 sed -i -e '
 1i# Workaround for systems where common UNIX utilities are symlinks to busybox.\
 # If this is not your case you can remove --enable-busybox-workaround from\
 # ./configure options, for added security.\
+noblacklist \${PATH}/busybox\
+noblacklist \${PATH}/crontab\
 noblacklist \${PATH}/mount\
-noblacklist \${PATH}/umount\
+noblacklist \${PATH}/nc\
 noblacklist \${PATH}/su\
 noblacklist \${PATH}/sudo\
-noblacklist \${PATH}/nc\
-noblacklist \${PATH}/crontab\
-' .etc/disable-common.inc
-fi
+noblacklist \${PATH}/umount\
+' "$1"
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index b32407c7d..da91f5a4f 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -1,7 +1,7 @@
 Name: __NAME__
 Version: __VERSION__
 Release: 1
-Summary: Linux namepaces sandbox program
+Summary: Linux namespaces sandbox program
 
 License: GPLv2+
 Group: Development/Tools
@@ -19,7 +19,7 @@ using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
 %setup -q
 
 %build
-%configure --disable-userns --disable-contrib-install
+%configure __CONFIG_OPT__
 make %{?_smp_mflags}
 
 %install
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index 348bea7f2..2bdead7a8 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
 #
-# Usage: ./platform/rpm/mkrpm.sh firejail <version>
+# Usage: ./platform/rpm/mkrpm.sh firejail <version> "<config options>"
 #
 # Builds rpms in a temporary directory then places the result in the
 # current working directory.
@@ -11,6 +11,7 @@
 name=$1
 # Strip any trailing prefix from the version like -rc1 etc
 version=$(echo "$2" | sed 's/\-.*//g')
+config_opt=$3
 
 if [[ ! -f platform/rpm/${name}.spec ]]; then
     echo error: spec file not found for name \"${name}\"
@@ -22,6 +23,10 @@ if [[ -z "${version}" ]]; then
     exit 1
 fi
 
+if [[ -z "${config_opt}" ]]; then
+    config_opt="--disable-userns --disable-contrib-install"
+fi
+
 # Make a temporary directory and arrange to clean up on exit
 tmpdir=$(mktemp -d)
 mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
@@ -32,7 +37,10 @@ trap cleanup EXIT
 
 # Create the spec file
 tmp_spec_file=${tmpdir}/SPECS/${name}.spec
-sed -e "s/__NAME__/${name}/g" -e "s/__VERSION__/${version}/g" platform/rpm/${name}.spec >${tmp_spec_file}
+sed -e "s/__NAME__/${name}/g" \
+    -e "s/__VERSION__/${version}/g" \
+    -e "s/__CONFIG_OPT__/${config_opt}/g" \
+    platform/rpm/${name}.spec >${tmp_spec_file}
 # FIXME: We could parse RELNOTES and create a %changelog section here
 
 # Copy the source to build into a tarball
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index 09798f505..0a1b34d7d 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -16,7 +16,7 @@ _firejail()
     _init_completion -s || return
 
     case $prev in
-        --help|--version|-debug-caps|--debug-syscalls|--list|--tree|--top|--join|--shutdown)
+        --help|--version|-debug-caps|--debug-syscalls|--debug-syscalls32|--list|--tree|--top|--join|--shutdown)
             return 0
             ;;
         --profile)
diff --git a/src/common.mk.in b/src/common.mk.in
index 945815a40..8104bc258 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -31,6 +31,7 @@ C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
 
+CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
 CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 8c26c5271..beaa5ac46 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -18,6 +18,8 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "faudit.h"
+#include "../include/rundefs.h"
+#include <stdarg.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 
@@ -46,9 +48,10 @@ int check_unix(const char *sockfile) {
         return rv;
 }
 
-void dbus_test(void) {
+static char *test_dbus_env(char *env_var_name) {
         // check the session bus
-        char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
+        char *str = getenv(env_var_name);
+        char *found = NULL;
         if (str) {
                 int rv = 0;
                 char *bus = strdup(str);
@@ -74,19 +77,55 @@ void dbus_test(void) {
                         if (ptr)
                                 *ptr = '\0';
                         rv = check_unix(sockfile);
-                        if (rv == 0)
-                                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+                        if (rv == 0) {
+                                if (strcmp(RUN_DBUS_USER_SOCKET, sockfile) == 0 ||
+                                        strcmp(RUN_DBUS_SYSTEM_SOCKET, sockfile) == 0) {
+                                        printf("GOOD: D-Bus filtering is active on %s\n", sockfile);
+                                } else {
+                                        printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+                                }
+                        }
                         else if (rv == -1)
                                 printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
+                        found = strdup(sockfile);
+                        if (!found)
+                                errExit("strdup");
                 }
                 else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
-                        printf("UGLY: session bus configured for TCP communication.\n");
+                        printf("UGLY: %s bus configured for TCP communication.\n", env_var_name);
                 else
-                        printf("GOOD: cannot find a D-Bus socket\n");
-
-
+                        printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name);
                 free(bus);
         }
         else
-                printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured.");
+                printf("MAYBE: %s environment variable not configured.\n", env_var_name);
+        return found;
+}
+
+static void test_default_socket(const char *found, const char *format, ...) {
+        va_list ap;
+        va_start(ap, format);
+        char *sockfile;
+        if (vasprintf(&sockfile, format, ap) == -1)
+                errExit("vasprintf");
+        va_end(ap);
+        if (found != NULL && strcmp(found, sockfile) == 0)
+                goto end;
+        int rv = check_unix(sockfile);
+        if (rv == 0)
+                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
+end:
+        free(sockfile);
+}
+
+void dbus_test(void) {
+        char *found_user = test_dbus_env("DBUS_SESSION_BUS_ADDRESS");
+        test_default_socket(found_user, "/run/user/%d/bus", (int) getuid());
+        test_default_socket(found_user, "/run/user/%d/dbus/user_bus_socket", (int) getuid());
+        if (found_user != NULL)
+                free(found_user);
+        char *found_system = test_dbus_env("DBUS_SYSTEM_BUS_ADDRESS");
+        test_default_socket(found_system, "/run/dbus/system_bus_socket");
+        if (found_system != NULL)
+                free(found_system);
 }
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index a45b6e31a..0a277ddc2 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -20,7 +20,7 @@
 #include "faudit.h"
 
 void pid_test(void) {
-        char *kern_proc[] = {
+        static char *kern_proc[] = {
                 "kthreadd",
                 "ksoftirqd",
                 "kworker",
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index a44546699..c6f84dfbc 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -71,7 +71,7 @@ static void process_bin(const char *fname) {
                 else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0)
                         ptr += 16;
                 else if (strncmp(ptr, "/usr/games/", 11) == 0)
-                        ptr += 12;
+                        ptr += 11;
                 else if (strncmp(ptr, "/usr/local/games/", 17) == 0)
                         ptr += 17;
                 else
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index b08afb939..1b8231033 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -165,10 +165,12 @@ void build_var(const char *fname, FILE *fp) {
 
         process_files(fname, "/var", var_callback);
 
-        if (var_out == NULL)
+        if (var_out == NULL) {
                 fprintf(fp, "blacklist /var\n");
-        else
+        } else {
                 filedb_print(var_out, "whitelist ", fp);
+                fprintf(fp, "include whitelist-var-common.inc\n");
+        }
 }
 
 
@@ -202,10 +204,12 @@ void build_share(const char *fname, FILE *fp) {
 
         process_files(fname, "/usr/share", share_callback);
 
-        if (share_out == NULL)
+        if (share_out == NULL) {
                 fprintf(fp, "blacklist /usr/share\n");
-        else
+        } else {
                 filedb_print(share_out, "whitelist ", fp);
+                fprintf(fp, "include whitelist-usr-share-common.inc\n");
+        }
 }
 
 //*******************************************
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index 8db17a942..fca3396c4 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -32,9 +32,9 @@ static void load_whitelist_common(void) {
 
         char buf[MAX_BUF];
         while (fgets(buf, MAX_BUF, fp)) {
-                if (strncmp(buf, "whitelist ~/", 12) != 0)
+                if (strncmp(buf, "whitelist ${HOME}/", 18) != 0)
                         continue;
-                char *fn = buf + 12;
+                char *fn = buf + 18;
                 char *ptr = strchr(buf, '\n');
                 if (!ptr)
                         continue;
@@ -190,8 +190,8 @@ void build_home(const char *fname, FILE *fp) {
 
         // print the out list if any
         if (db_out) {
-                filedb_print(db_out, "whitelist ~/", fp);
-                fprintf(fp, "include /etc/firejail/whitelist-common.inc\n");
+                filedb_print(db_out, "whitelist ${HOME}/", fp);
+                fprintf(fp, "include whitelist-common.inc\n");
         }
         else
                 fprintf(fp, "private\n");
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index ea9e9a4a0..adc00e67b 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -131,18 +131,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
         if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
                 if (fp == stdout)
                         printf("--- Built profile beings after this line ---\n");
-                fprintf(fp, "############################################\n");
-                fprintf(fp, "# %s profile\n", argv[index]);
-                fprintf(fp, "############################################\n");
+                fprintf(fp, "# Firejail profile for %s\n", argv[index]);
+                fprintf(fp, "# Persistent local customizations\n");
+                fprintf(fp, "#include %s.local\n", argv[index]);
                 fprintf(fp, "# Persistent global definitions\n");
-                fprintf(fp, "# include /etc/firejail/globals.local\n");
+                fprintf(fp, "#include globals.local\n");
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### basic blacklisting\n");
-                fprintf(fp, "include /etc/firejail/disable-common.inc\n");
-                fprintf(fp, "# include /etc/firejail/disable-devel.inc\n");
-                fprintf(fp, "include /etc/firejail/disable-passwdmgr.inc\n");
-                fprintf(fp, "# include /etc/firejail/disable-programs.inc\n");
+                fprintf(fp, "include disable-common.inc\n");
+                fprintf(fp, "# include disable-devel.inc\n");
+                fprintf(fp, "# include disable-exec.inc\n");
+                fprintf(fp, "# include disable-interpreters.inc\n");
+                fprintf(fp, "include disable-passwdmgr.inc\n");
+                fprintf(fp, "# include disable-programs.inc\n");
+                fprintf(fp, "# include disable-xdg.inc\n");
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### home directory whitelisting\n");
@@ -150,12 +153,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### filesystem\n");
-                build_tmp(trace_output, fp);
-                build_dev(trace_output, fp);
-                build_etc(trace_output, fp);
+                fprintf(fp, "# /usr/share:\n");
+                build_share(trace_output, fp);
+                fprintf(fp, "# /var:\n");
                 build_var(trace_output, fp);
+                fprintf(fp, "\n");
+                fprintf(fp, "# $PATH:\n");
                 build_bin(trace_output, fp);
-                build_share(trace_output, fp);
+                fprintf(fp, "# /dev:\n");
+                build_dev(trace_output, fp);
+                fprintf(fp, "# /etc:\n");
+                build_etc(trace_output, fp);
+                fprintf(fp, "# /tmp:\n");
+                build_tmp(trace_output, fp);
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### security filters\n");
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index adf66f008..0574daae6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -23,11 +23,14 @@ Natron
 PPSSPPQt
 QMediathekView
 QOwnNotes
+Screenshot
 Telegram
 Viber
 VirtualBox
 XMind
 Xephyr
+ZeGrapher
+abiword
 abrowser
 akonadi_control
 akregator
@@ -36,6 +39,7 @@ amule
 amuled
 android-studio
 anydesk
+apostrophe
 apktool
 # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
@@ -71,6 +75,7 @@ barrier
 basilisk
 beaker
 bibletime
+bijiben
 bitcoin-qt
 bitlbee
 bitwarden
@@ -78,6 +83,7 @@ bleachbit
 blender
 blender-2.8
 bless
+blobwars
 bluefish
 bnox
 brackets
@@ -105,6 +111,7 @@ calligrawords
 cameramonitor
 cantata
 catfish
+cawbird
 celluloid
 checkbashisms
 cheese
@@ -128,7 +135,9 @@ clocks
 cmus
 code
 code-oss
+com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
+com.gitlab.newsflash
 conkeror
 conky
 conplay
@@ -148,9 +157,11 @@ desktopeditors
 devhelp
 dex2jar
 dia
+dig
 digikam
 dillo
 dino
+dino-im
 discord
 discord-canary
 display
@@ -169,6 +180,7 @@ easystroke
 ebook-viewer
 electron-mail
 electrum
+element-desktop
 elinks
 empathy
 enchant
@@ -194,6 +206,7 @@ falkon
 fbreader
 feedreader
 feh
+ferdi
 ffmpeg
 ffmpegthumbnailer
 ffplay
@@ -207,6 +220,7 @@ firefox-esr
 firefox-nightly
 firefox-wayland
 firefox-x11
+five-or-more
 flacsplt
 flameshot
 flashpeak-slimjet
@@ -214,6 +228,7 @@ flowblade
 font-manager
 fontforge
 fossamail
+four-in-a-row
 franz
 freecad
 freecadcmd
@@ -225,11 +240,14 @@ freemind
 freeoffice-planmaker
 freeoffice-presentations
 freeoffice-textmaker
+freetube
 freshclam
+frogatto
 frozen-bubble
 gajim
 gajim-history-manager
 galculator
+gapplication
 gcalccmd
 gcloud
 gconf-editor
@@ -247,15 +265,17 @@ gimp-2.8
 gist
 gist-paste
 gitg
+git-cola
 github-desktop
 gitter
-gjs
+# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102
 globaltime
 gmpc
 gnome-2048
 gnome-books
 gnome-builder
 gnome-calculator
+gnome-calendar
 gnome-character-map
 gnome-characters
 gnome-chess
@@ -264,20 +284,33 @@ gnome-contacts
 gnome-documents
 gnome-font-viewer
 gnome-hexgl
+gnome-klotski
 gnome-latex
 gnome-logs
+gnome-mahjongg
 gnome-maps
+gnome-mines
 gnome-mplayer
 gnome-mpv
 gnome-music
 gnome-nettool
+gnome-nibbles
 gnome-passwordsafe
 gnome-photos
+gnome-pomodoro
 gnome-recipes
+gnome-robots
 gnome-schedule
+gnome-screenshot
+gnome-sudoku
 gnome-system-log
+gnome-taquin
+gnome-tetravex
+gnome-todo
 gnome-twitch
 gnome-weather
+gnote
+gnubik
 godot
 goobox
 google-chrome
@@ -292,7 +325,11 @@ gpicview
 gpredict
 gradio
 gramps
+gravity-beams-and-evaporating-stars
 gthumb
+gtk-youtube-viewer
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -303,7 +340,12 @@ hashcat
 hedgewars
 hexchat
 highlight
+hitori
+homebank
+host
 hugin
+hyperrogue
+iagno
 icecat
 icedove
 iceweasel
@@ -322,6 +364,9 @@ jd-gui
 jdownloader
 jerry
 jitsi
+jitsi-meet-desktop
+jumpnbump
+jumpnbump-menu
 k3b
 kaffeine
 kalgebra
@@ -349,6 +394,7 @@ klatexformula
 klatexformula_cmdl
 klavaro
 kmail
+kmplayer
 knotes
 kodi
 konversation
@@ -360,9 +406,10 @@ ktouch
 # kwin_x11
 kwrite
 leafpad
-less
+# less - breaks man
 libreoffice
 liferea
+lightsoff
 lincity-ng
 links
 linphone
@@ -387,7 +434,9 @@ luminance-hdr
 lximage-qt
 lxmusic
 lynx
+lyx
 macrofusion
+magicor
 manaplus
 masterpdfeditor
 masterpdfeditor4
@@ -397,6 +446,7 @@ mate-calculator
 mate-color-select
 mate-dictionary
 mathematica
+mattermost-desktop
 mcabber
 mediainfo
 mediathekview
@@ -408,7 +458,12 @@ mendeleydesktop
 meteo-qt
 midori
 min
+mindless
+minecraft-launcher
 minetest
+minitube
+mirrormagic
+mocp
 mousepad
 mp3splt
 mp3splt-gtk
@@ -428,6 +483,7 @@ mpg123-strip
 mplayer
 mpsyt
 mpv
+mrrescue
 ms-excel
 ms-office
 ms-onenote
@@ -435,6 +491,7 @@ ms-outlook
 ms-powerpoint
 ms-skype
 ms-word
+mtpaint
 multimc
 multimc5
 mumble
@@ -459,13 +516,17 @@ neverball
 neverputt
 newsbeuter
 newsboat
+newsflash
 nheko
+nicotine
 nitroshare
 nitroshare-cli
 nitroshare-nmh
 nitroshare-send
 nitroshare-ui
 nomacs
+nslookup
+nuclear
 nylas
 nyx
 obs
@@ -478,7 +539,9 @@ ooffice
 ooviewdoc
 open-invaders
 openarena
+openarena_ded
 opencity
+openclonk
 openoffice.org
 openshot
 openshot-qt
@@ -487,9 +550,10 @@ opera
 opera-beta
 orage
 ostrichriders
+otter-browser
 out123
 palemoon
-pandoc
+#pandoc
 parole
 patch
 pavucontrol
@@ -499,6 +563,7 @@ pdfmod
 pdfsam
 pdftotext
 peek
+penguin-command
 picard
 pidgin
 #ping - disabled until we fix  #1912
@@ -512,6 +577,7 @@ planmaker18
 planmaker18free
 playonlinux
 pluma
+plv
 pngquant
 polari
 ppsspp
@@ -532,6 +598,7 @@ qmmp
 qpdfview
 qt-faststart
 qtox
+quadrapassel
 quassel
 quiterss
 qupzilla
@@ -546,6 +613,7 @@ rhythmbox-client
 ricochet
 riot-desktop
 riot-web
+ripperx
 ristretto
 rocketchat
 rtorrent
@@ -553,15 +621,19 @@ runenpass.sh
 sayonara
 scallion
 scorched3d
+scorched3d-wrapper
+scorchwentbonkers
 scribus
 sdat2img
 seahorse
+seahorse-adventures
 seahorse-daemon
 seahorse-tool
 seamonkey
 seamonkey-bin
 secret-tool
 shellcheck
+shortwave
 shotcut
 signal-cli
 signal-desktop
@@ -578,6 +650,7 @@ smtube
 snox
 soffice
 sol
+sound-juicer
 soundconverter
 spotify
 sqlitebrowser
@@ -587,13 +660,17 @@ standardnotes-desktop
 start-tor-browser
 steam
 steam-native
+steam-runtime
 stellarium
+strawberry
 strings
 studio.sh
 subdownloader
 supertux2
 supertuxkart
 surf
+sushi
+swell-foop
 sylpheed
 synfigstudio
 sysprof
@@ -682,11 +759,13 @@ vivaldi-beta
 vivaldi-snapshot
 vivaldi-stable
 vlc
+vmware
 vscodium
 vulturesclaw
 vultureseye
 vym
 w3m
+warmux
 warsow
 warzone2100
 waterfox
@@ -708,6 +787,9 @@ wireshark-qt
 wpp
 wps
 wpspdf
+wordwarvi
+x2goclient
+xbill
 xcalc
 xchat
 xed
@@ -715,6 +797,7 @@ xfburn
 xfce4-dict
 xfce4-mixer
 xfce4-notes
+xfce4-screenshooter
 xiphos
 xlinks
 xmms
@@ -722,6 +805,8 @@ xmr-stak
 xonotic
 xonotic-glx
 xonotic-sdl
+xonotic-sdl-wrapper
+xournal
 xpdf
 xplayer
 xplayer-audio-preview
@@ -734,6 +819,7 @@ xviewer
 yandex-browser
 yelp
 youtube-dl
+youtube-viewer
 zaproxy
 zart
 zathura
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 1e49a2fc7..0e520b0f1 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -486,8 +486,9 @@ int main(int argc, char **argv) {
         if (arg_debug)
                 printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid());
 
-        // fix .desktop files in ~/.local/share/applications directory
-        fix_desktop_files(home);
+        // if runs as regular user, fix .desktop files in ~/.local/share/applications directory
+        if (getuid() != 0)
+                fix_desktop_files(home);
 
         return 0;
 }
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index e2d02788d..b9bf13b9c 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -2,11 +2,11 @@ all: firejail
 
 include ../common.mk
 
-%.o : %.c $(H_FILE_LIST) ../include/rundefs.h ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h ../include/firejail_user.h
+%.o : %.c $(H_FILE_LIST) ../include/rundefs.h ../include/common.h ../include/ldd_utils.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall_i386.h ../include/syscall_x86_64.h ../include/firejail_user.h
         $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o $(LIBS) $(EXTRA_LDFLAGS)
+firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o firejail *.gcov *.gcda *.gcno *.plist
 
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index 3714af9a3..f88d0a1dd 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -239,9 +239,7 @@ int arp_check(const char *dev, uint32_t destaddr) {
                 }
         }
 
-        // it will never get here!
-        close(sock);
-        return -1;
+        __builtin_unreachable();
 }
 
 // assign a random IP address and check it
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index fbe150b34..f6b3b3252 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -18,6 +18,8 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/seccomp.h"
+#include "../include/syscall.h"
 #include <sys/stat.h>
 #include <linux/loop.h>
 
@@ -32,6 +34,7 @@ char *xvfb_screen = "800x600x24";
 char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
+char *config_seccomp_error_action_str = "EPERM";
 
 int checkcfg(int val) {
         assert(val < CFG_MAX);
@@ -51,6 +54,8 @@ int checkcfg(int val) {
                 cfg_val[CFG_DISABLE_MNT] = 0;
                 cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
                 cfg_val[CFG_XPRA_ATTACH] = 0;
+                cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
+                cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
 
                 // open configuration file
                 const char *fname = SYSCONFDIR "/firejail.config";
@@ -219,6 +224,26 @@ int checkcfg(int val) {
                         else if (strncmp(ptr, "join-timeout ", 13) == 0)
                                 join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
 
+                        // seccomp error action
+                        else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
+#ifdef HAVE_SECCOMP
+                                if (strcmp(ptr + 21, "kill") == 0)
+                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
+                                else if (strcmp(ptr + 21, "log") == 0)
+                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_LOG;
+                                else {
+                                        cfg_val[CFG_SECCOMP_ERROR_ACTION] = errno_find_name(ptr + 21);
+                                        if (cfg_val[CFG_SECCOMP_ERROR_ACTION] == -1)
+                                                errExit("seccomp-error-action: unknown errno");
+                                }
+                                config_seccomp_error_action_str = strdup(ptr + 21);
+                                if (!config_seccomp_error_action_str)
+                                        errExit("strdup");
+#else
+                                warning_feature_disabled("seccomp");
+#endif
+                        }
+
                         else
                                 goto errout;
 
@@ -330,6 +355,14 @@ void print_compiletime_support(void) {
 #endif
                 );
 
+        printf("\t- SELinux support is %s\n",
+#ifdef HAVE_SELINUX
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+
         printf("\t- user namespace support is %s\n",
 #ifdef HAVE_USERNS
                 "enabled"
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index cae52e20b..5fc6c8298 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -165,7 +165,8 @@ void fs_chroot(const char *rootdir) {
         close(fd);
 
         // x11
-        if (getenv("FIREJAIL_X11")) {
+        // if users want this mount, they should set FIREJAIL_CHROOT_X11
+        if (getenv("FIREJAIL_X11") || getenv("FIREJAIL_CHROOT_X11")) {
                 if (arg_debug)
                         printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n");
                 check_subdir(parentfd, "tmp/.X11-unix", 0);
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 7acbd338c..6609e48bd 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -18,41 +18,531 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <errno.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <string.h>
 
-void dbus_disable(void) {
-        if (!checkcfg(CFG_DBUS)) {
-                fwarning("D-Bus handling is disabled in Firejail configuration file\n");
-                return;
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+#define DBUS_SOCKET_PATH_PREFIX "unix:path="
+#define DBUS_USER_SOCKET_FORMAT "/run/user/%d/bus"
+#define DBUS_USER_SOCKET_FORMAT2 "/run/user/%d/dbus/user_bus_socket"
+#define DBUS_SYSTEM_SOCKET "/run/dbus/system_bus_socket"
+#define DBUS_SESSION_BUS_ADDRESS_ENV "DBUS_SESSION_BUS_ADDRESS"
+#define DBUS_SYSTEM_BUS_ADDRESS_ENV "DBUS_SYSTEM_BUS_ADDRESS"
+#define DBUS_USER_DIR_FORMAT RUN_FIREJAIL_DBUS_DIR "/%d"
+#define DBUS_USER_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-user"
+#define DBUS_SYSTEM_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-system"
+#define DBUS_MAX_NAME_LENGTH 255
+#define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy"
+
+static pid_t dbus_proxy_pid = 0;
+static int dbus_proxy_status_fd = -1;
+static char *dbus_user_proxy_socket = NULL;
+static char *dbus_system_proxy_socket = NULL;
+
+static int check_bus_or_interface_name(const char *name, int hyphens_allowed) {
+        unsigned long length = strlen(name);
+        if (length == 0 || length > DBUS_MAX_NAME_LENGTH)
+                return 0;
+        const char *p = name;
+        int segments = 1;
+        int in_segment = 0;
+        while (*p) {
+                int alpha = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z');
+                int digit = *p >= '0' && *p <= '9';
+                if (in_segment) {
+                        if (*p == '.') {
+                                ++segments;
+                                in_segment = 0;
+                        } else if (!alpha && !digit && *p != '_' && (!hyphens_allowed || *p != '-')) {
+                                return 0;
+                        }
+                }
+                else {
+                        if (*p == '*') {
+                                return *(p + 1) == '\0';
+                        } else if (!alpha && *p != '_' && (!hyphens_allowed || *p != '-')) {
+                                return 0;
+                        }
+                        in_segment = 1;
+                }
+                ++p;
+        }
+        return in_segment && segments >= 2;
+}
+
+static int check_object_path(const char *path) {
+        unsigned long length = strlen(path);
+        if (length == 0 || path[0] != '/')
+                return 0;
+        // The root path "/" is the only path allowed to have a trailing slash.
+        if (length == 1)
+                return 1;
+        const char *p = path + 1;
+        int segments = 1;
+        int in_segment = 0;
+        while (*p) {
+                int alpha = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z');
+                int digit = *p >= '0' && *p <= '9';
+                if (in_segment) {
+                        if (*p == '/') {
+                                ++segments;
+                                in_segment = 0;
+                        } else if (!alpha && !digit && *p != '_') {
+                                return 0;
+                        }
+                }
+                else {
+                        if (*p == '*') {
+                                return *(p + 1) == '\0';
+                        } else if (!alpha && *p != '_') {
+                                return 0;
+                        }
+                        in_segment = 1;
+                }
+                ++p;
         }
+        return in_segment && segments >= 2;
+}
+
+int dbus_check_name(const char *name) {
+        return check_bus_or_interface_name(name, 1);
+}
+
+int dbus_check_call_rule(const char *rule) {
+        char buf[DBUS_MAX_NAME_LENGTH + 1];
+        char *name_end = strchr(rule, '=');
+        if (name_end == NULL)
+                return 0;
+        size_t name_length = (size_t) (name_end - rule);
+        if (name_length > DBUS_MAX_NAME_LENGTH)
+                return 0;
+        strncpy(buf, rule, (size_t) name_length);
+        buf[name_length] = '\0';
+        if (!dbus_check_name(buf))
+                return 0;
+        ++name_end;
+        char *interface_end = strchr(name_end, '@');
+        if (interface_end == NULL)
+                return check_bus_or_interface_name(name_end, 0);
+        size_t interface_length = (size_t) (interface_end - name_end);
+        if (interface_length > DBUS_MAX_NAME_LENGTH)
+                return 0;
+        if (interface_length > 0) {
+                strncpy(buf, name_end, interface_length);
+                buf[interface_length] = '\0';
+                if (!check_bus_or_interface_name(buf, 0))
+                        return 0;
+        }
+        return check_object_path(interface_end + 1);
+}
+
+static void dbus_check_bus_profile(char const *prefix, DbusPolicy *policy) {
+        if (*policy == DBUS_POLICY_FILTER) {
+                struct stat s;
+                if (stat(XDG_DBUS_PROXY_PATH, &s) == -1) {
+                        if (errno == ENOENT) {
+                                fprintf(stderr,
+                                                "Warning: " XDG_DBUS_PROXY_PATH
+                                                " was not found, downgrading %s policy to allow.\n"
+                                                "To enable DBus filtering, install the xdg-dbus-proxy "
+                                                "program.\n", prefix);
+                                *policy = DBUS_POLICY_ALLOW;
+                        } else {
+                                errExit("stat");
+                        }
+                } else {
+                        // No need to warn on profile entries.
+                        return;
+                }
+        }
+
+        size_t prefix_length = strlen(prefix);
+        ProfileEntry *it = cfg.profile;
+        int num_matches = 0;
+        const char *first_match = NULL;
+        while (it) {
+                char *data = it->data;
+                it = it->next;
+                if (strncmp(prefix, data, prefix_length) == 0) {
+                        ++num_matches;
+                        if (first_match == NULL)
+                                first_match = data;
+                }
+        }
+
+        if (num_matches > 0) {
+                assert(first_match != NULL);
+                if (num_matches == 1) {
+                        fprintf(stderr, "Ignoring \"%s\".\n", first_match);
+                } else if (num_matches == 2) {
+                        fprintf(stderr, "Ignoring \"%s\" and 1 other %s filter rule.\n",
+                                        first_match, prefix);
+                } else {
+                        fprintf(stderr, "Ignoring \"%s\" and %d other %s filter rules.\n",
+                                        first_match, num_matches - 1, prefix);
+                }
+        }
+}
 
+void dbus_check_profile(void) {
+        dbus_check_bus_profile("dbus-user", &arg_dbus_user);
+        dbus_check_bus_profile("dbus-system", &arg_dbus_system);
+}
+
+static void write_arg(int fd, char const *format, ...) {
+        va_list ap;
+        va_start(ap, format);
+        char *arg;
+        int length = vasprintf(&arg, format, ap);
+        va_end(ap);
+        if (length == -1)
+                errExit("vasprintf");
+        length++;
+        if (arg_debug)
+                printf("xdg-dbus-proxy arg: %s\n", arg);
+        if (write(fd, arg, (size_t) length) != (ssize_t) length)
+                errExit("write");
+        free(arg);
+}
+
+static void write_profile(int fd, char const *prefix) {
+        size_t prefix_length = strlen(prefix);
+        ProfileEntry *it = cfg.profile;
+        while (it) {
+                char *data = it->data;
+                it = it->next;
+                if (strncmp(prefix, data, prefix_length) != 0)
+                        continue;
+                data += prefix_length;
+                int arg_length = 0;
+                while (data[arg_length] != '\0' && data[arg_length] != ' ')
+                        arg_length++;
+                if (data[arg_length] != ' ')
+                        continue;
+                write_arg(fd, "--%.*s=%s", arg_length, data, &data[arg_length + 1]);
+        }
+}
+
+static void dbus_create_user_dir(void) {
         char *path;
-        if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1)
+        if (asprintf(&path, DBUS_USER_DIR_FORMAT, (int) getuid()) == -1)
+                errExit("asprintf");
+        struct stat s;
+        mode_t mode = 0700;
+        uid_t uid = getuid();
+        gid_t gid = getgid();
+        if (stat(path, &s)) {
+                if (arg_debug)
+                        printf("Creating %s directory for DBus proxy sockets\n", path);
+                if (mkdir(path, mode) == -1 && errno != EEXIST)
+                        errExit("mkdir");
+                if (set_perms(path, uid, gid, mode))
+                        errExit("set_perms");
+                ASSERT_PERMS(path, uid, gid, mode);
+        }
+        free(path);
+}
+
+static char *find_user_socket_by_format(char *format) {
+        char *dbus_user_socket;
+        if (asprintf(&dbus_user_socket, format, (int) getuid()) == -1)
                 errExit("asprintf");
-        char *env_var;
-        if (asprintf(&env_var, "unix:path=%s", path) == -1)
+        struct stat s;
+        if (stat(dbus_user_socket, &s) == -1) {
+                if (errno == ENOENT)
+                        goto fail;
+                return NULL;
+                errExit("stat");
+        }
+        if (!S_ISSOCK(s.st_mode))
+                goto fail;
+        return dbus_user_socket;
+ fail:
+        free(dbus_user_socket);
+        return NULL;
+}
+
+static char *find_user_socket(void) {
+        char *socket1 = find_user_socket_by_format(DBUS_USER_SOCKET_FORMAT);
+        if (socket1 != NULL)
+                return socket1;
+        char *socket2 = find_user_socket_by_format(DBUS_USER_SOCKET_FORMAT2);
+        if (socket2 != NULL)
+                return socket2;
+        fprintf(stderr, "DBus user socket was not found.\n");
+        exit(1);
+}
+
+void dbus_proxy_start(void) {
+        dbus_create_user_dir();
+
+        EUID_USER();
+
+        int status_pipe[2];
+        if (pipe(status_pipe) == -1)
+                errExit("pipe");
+        dbus_proxy_status_fd = status_pipe[0];
+
+        int args_pipe[2];
+        if (pipe(args_pipe) == -1)
+                errExit("pipe");
+
+        dbus_proxy_pid = fork();
+        if (dbus_proxy_pid == -1)
+                errExit("fork");
+        if (dbus_proxy_pid == 0) {
+                int i;
+                for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
+                        if (i != status_pipe[1] && i != args_pipe[0])
+                                close(i); // close open files
+                }
+                if (arg_dbus_log_file != NULL) {
+                        int output_fd = creat(arg_dbus_log_file, 0666);
+                        if (output_fd < 0)
+                                errExit("creat");
+                        if (output_fd != STDOUT_FILENO) {
+                                if (dup2(output_fd, STDOUT_FILENO) != STDOUT_FILENO)
+                                        errExit("dup2");
+                                close(output_fd);
+                        }
+                }
+                close(STDIN_FILENO);
+                char *args[4] = {XDG_DBUS_PROXY_PATH, NULL, NULL, NULL};
+                if (asprintf(&args[1], "--fd=%d", status_pipe[1]) == -1
+                        || asprintf(&args[2], "--args=%d", args_pipe[0]) == -1)
+                        errExit("asprintf");
+                if (arg_debug)
+                        printf("starting xdg-dbus-proxy\n");
+                sbox_exec_v(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE | SBOX_KEEP_FDS, args);
+        } else {
+                if (close(status_pipe[1]) == -1 || close(args_pipe[0]) == -1)
+                        errExit("close");
+
+                if (arg_dbus_user == DBUS_POLICY_FILTER) {
+                        char *user_env = getenv(DBUS_SESSION_BUS_ADDRESS_ENV);
+                        if (user_env == NULL) {
+                                char *dbus_user_socket = find_user_socket();
+                                write_arg(args_pipe[1], DBUS_SOCKET_PATH_PREFIX "%s",
+                                                  dbus_user_socket);
+                                free(dbus_user_socket);
+                        } else {
+                                write_arg(args_pipe[1], "%s", user_env);
+                        }
+                        if (asprintf(&dbus_user_proxy_socket, DBUS_USER_PROXY_SOCKET_FORMAT,
+                                                 (int) getuid(), (int) getpid()) == -1)
+                                errExit("asprintf");
+                        write_arg(args_pipe[1], "%s", dbus_user_proxy_socket);
+                        if (arg_dbus_log_user) {
+                                write_arg(args_pipe[1], "--log");
+                        }
+                        write_arg(args_pipe[1], "--filter");
+                        write_profile(args_pipe[1], "dbus-user.");
+                }
+
+                if (arg_dbus_system == DBUS_POLICY_FILTER) {
+                        char *system_env = getenv(DBUS_SYSTEM_BUS_ADDRESS_ENV);
+                        if (system_env == NULL) {
+                                write_arg(args_pipe[1],
+                                                  DBUS_SOCKET_PATH_PREFIX DBUS_SYSTEM_SOCKET);
+                        } else {
+                                write_arg(args_pipe[1], "%s", system_env);
+                        }
+                        if (asprintf(&dbus_system_proxy_socket, DBUS_SYSTEM_PROXY_SOCKET_FORMAT,
+                                                 (int) getuid(), (int) getpid()) == -1)
+                                errExit("asprintf");
+                        write_arg(args_pipe[1], "%s", dbus_system_proxy_socket);
+                        if (arg_dbus_log_system) {
+                                write_arg(args_pipe[1], "--log");
+                        }
+                        write_arg(args_pipe[1], "--filter");
+                        write_profile(args_pipe[1], "dbus-system.");
+                }
+
+                if (close(args_pipe[1]) == -1)
+                        errExit("close");
+                char buf[1];
+                ssize_t read_bytes = read(status_pipe[0], buf, 1);
+                switch (read_bytes) {
+                case -1:
+                        errExit("read");
+                        break;
+                case 0:
+                        fprintf(stderr, "xdg-dbus-proxy closed pipe unexpectedly\n");
+                        // Wait for the subordinate process to write any errors to stderr and exit.
+                        waitpid(dbus_proxy_pid, NULL, 0);
+                        exit(-1);
+                        break;
+                case 1:
+                        if (arg_debug)
+                                printf("xdg-dbus-proxy initialized\n");
+                        break;
+                default:
+                        assert(0);
+                }
+        }
+}
+
+void dbus_proxy_stop(void) {
+        if (dbus_proxy_pid == 0)
+                return;
+        assert(dbus_proxy_status_fd >= 0);
+        if (close(dbus_proxy_status_fd) == -1)
+                errExit("close");
+        int status;
+        if (waitpid(dbus_proxy_pid, &status, 0) == -1)
+                errExit("waitpid");
+        if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
+                fwarning("xdg-dbus-proxy returned %s\n", WEXITSTATUS(status));
+        dbus_proxy_pid = 0;
+        dbus_proxy_status_fd = -1;
+        if (dbus_user_proxy_socket != NULL) {
+                free(dbus_user_proxy_socket);
+                dbus_user_proxy_socket = NULL;
+        }
+        if (dbus_system_proxy_socket != NULL) {
+                free(dbus_system_proxy_socket);
+                dbus_system_proxy_socket = NULL;
+        }
+}
+
+static void socket_overlay(char *socket_path, char *proxy_path) {
+        int fd = safe_fd(proxy_path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
+        if (fd == -1)
+                errExit("opening DBus proxy socket");
+        struct stat s;
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (!S_ISSOCK(s.st_mode)) {
+                errno = ENOTSOCK;
+                errExit("mounting DBus proxy socket");
+        }
+        char *proxy_fd_path;
+        if (asprintf(&proxy_fd_path, "/proc/self/fd/%d", fd) == -1)
                 errExit("asprintf");
+        if (mount(proxy_path, socket_path, NULL, MS_BIND | MS_REC, NULL) == -1)
+                errExit("mount bind");
+        free(proxy_fd_path);
+        close(fd);
+}
 
-        // set a new environment variable: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/<UID>/bus
-        if (setenv("DBUS_SESSION_BUS_ADDRESS", env_var, 1) == -1) {
-                fprintf(stderr, "Error: cannot modify DBUS_SESSION_BUS_ADDRESS required by --nodbus\n");
+static char *get_socket_env(const char *name) {
+        char *value = getenv(name);
+        if (value == NULL)
+                return NULL;
+        if (strncmp(value, DBUS_SOCKET_PATH_PREFIX,
+                                strlen(DBUS_SOCKET_PATH_PREFIX)) == 0)
+                return value + strlen(DBUS_SOCKET_PATH_PREFIX);
+        return NULL;
+}
+
+void dbus_set_session_bus_env(void) {
+        if (setenv(DBUS_SESSION_BUS_ADDRESS_ENV,
+                        DBUS_SOCKET_PATH_PREFIX RUN_DBUS_USER_SOCKET, 1) == -1) {
+                fprintf(stderr, "Error: cannot modify " DBUS_SESSION_BUS_ADDRESS_ENV
+                                                " required by --dbus-user\n");
                 exit(1);
         }
+}
 
-        // blacklist the path
-        disable_file_or_dir(path);
-        free(path);
-        free(env_var);
+void dbus_set_system_bus_env(void) {
+        if (setenv(DBUS_SYSTEM_BUS_ADDRESS_ENV,
+                        DBUS_SOCKET_PATH_PREFIX RUN_DBUS_SYSTEM_SOCKET, 1) == -1) {
+                fprintf(stderr, "Error: cannot modify " DBUS_SYSTEM_BUS_ADDRESS_ENV
+                                                " required by --dbus-system\n");
+                exit(1);
+        }
+}
 
+static void disable_socket_dir(void) {
+        struct stat s;
+        if (stat(RUN_FIREJAIL_DBUS_DIR, &s) == 0)
+                disable_file_or_dir(RUN_FIREJAIL_DBUS_DIR);
+}
 
-        // blacklist the dbus-launch user directory
-        if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1)
-                errExit("asprintf");
-        disable_file_or_dir(path);
-        free(path);
+void dbus_apply_policy(void) {
+        EUID_ROOT();
 
-        // blacklist also system D-Bus socket
-        disable_file_or_dir("/run/dbus/system_bus_socket");
+        if (arg_dbus_user == DBUS_POLICY_ALLOW && arg_dbus_system == DBUS_POLICY_ALLOW) {
+                disable_socket_dir();
+                return;
+        }
+
+        if (!checkcfg(CFG_DBUS)) {
+                disable_socket_dir();
+                fwarning("D-Bus handling is disabled in Firejail configuration file\n");
+                return;
+        }
+
+        create_empty_dir_as_root(RUN_DBUS_DIR, 0755);
+
+        if (arg_dbus_user != DBUS_POLICY_ALLOW) {
+                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700);
+
+                if (arg_dbus_user == DBUS_POLICY_FILTER) {
+                        assert(dbus_user_proxy_socket != NULL);
+                        socket_overlay(RUN_DBUS_USER_SOCKET, dbus_user_proxy_socket);
+                        free(dbus_user_proxy_socket);
+                }
+
+                char *dbus_user_socket;
+                if (asprintf(&dbus_user_socket, DBUS_USER_SOCKET_FORMAT,
+                                         (int) getuid()) == -1)
+                        errExit("asprintf");
+                disable_file_or_dir(dbus_user_socket);
+
+                char *dbus_user_socket2;
+                if (asprintf(&dbus_user_socket2, DBUS_USER_SOCKET_FORMAT2,
+                                         (int) getuid()) == -1)
+                        errExit("asprintf");
+                disable_file_or_dir(dbus_user_socket2);
+
+                char *user_env = get_socket_env(DBUS_SESSION_BUS_ADDRESS_ENV);
+                if (user_env != NULL && strcmp(user_env, dbus_user_socket) != 0 &&
+                        strcmp(user_env, dbus_user_socket2) != 0)
+                        disable_file_or_dir(user_env);
+
+                free(dbus_user_socket);
+                free(dbus_user_socket2);
+
+                dbus_set_session_bus_env();
+
+                // blacklist the dbus-launch user directory
+                char *path;
+                if (asprintf(&path, "%s/.dbus", cfg.homedir) == -1)
+                        errExit("asprintf");
+                disable_file_or_dir(path);
+                free(path);
+        }
+
+        if (arg_dbus_system != DBUS_POLICY_ALLOW) {
+                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700);
+
+                if (arg_dbus_system == DBUS_POLICY_FILTER) {
+                        assert(dbus_system_proxy_socket != NULL);
+                        socket_overlay(RUN_DBUS_SYSTEM_SOCKET, dbus_system_proxy_socket);
+                        free(dbus_system_proxy_socket);
+                }
+
+                disable_file_or_dir(DBUS_SYSTEM_SOCKET);
+
+                char *system_env = get_socket_env(DBUS_SYSTEM_BUS_ADDRESS_ENV);
+                if (system_env != NULL && strcmp(system_env, DBUS_SYSTEM_SOCKET) != 0)
+                        disable_file_or_dir(system_env);
+
+                dbus_set_system_bus_env();
+        }
 
+        // Only disable access to /run/firejail/dbus here, when the sockets have been bind-mounted.
+        disable_socket_dir();
 
         // look for a possible abstract unix socket
 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 66328a55e..c98f80d13 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -182,10 +182,11 @@ typedef struct config_t {
         char *dns4;
 
         // seccomp
-        char *seccomp_list;//  optional seccomp list on top of default filter
-        char *seccomp_list_drop;        // seccomp drop list
-        char *seccomp_list_keep;        // seccomp keep list
+        char *seccomp_list, *seccomp_list32;            // optional seccomp list on top of default filter
+        char *seccomp_list_drop, *seccomp_list_drop32;  // seccomp drop list
+        char *seccomp_list_keep, *seccomp_list_keep32;  // seccomp keep list
         char *protocol;                 // protocol list
+        char *seccomp_error_action;                     // error action: kill, log or errno
 
         // rlimits
         long long unsigned rlimit_cpu;
@@ -270,6 +271,7 @@ extern int arg_overlay_keep;	// place overlay diff in a known directory
 extern int arg_overlay_reuse;   // allow the reuse of overlays
 
 extern int arg_seccomp; // enable default seccomp filter
+extern int arg_seccomp32;       // enable default seccomp filter for 32 bit arch
 extern int arg_seccomp_postexec;        // need postexec ld.preload library?
 extern int arg_seccomp_block_secondary; // block any secondary architectures
 
@@ -338,9 +340,19 @@ extern int arg_memory_deny_write_execute;	// block writable and executable memor
 extern int arg_notv;    // --notv
 extern int arg_nodvd;   // --nodvd
 extern int arg_nou2f;   // --nou2f
-extern int arg_nodbus; // -nodbus
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
 
+typedef enum {
+        DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
+        DBUS_POLICY_FILTER, // Filter with xdg-dbus-proxy
+        DBUS_POLICY_BLOCK   // Block access
+} DbusPolicy;
+extern DbusPolicy arg_dbus_user; // --dbus-user
+extern DbusPolicy arg_dbus_system; // --dbus-system
+extern int arg_dbus_log_user;
+extern int arg_dbus_log_system;
+extern const char *arg_dbus_log_file;
+
 extern int login_shell;
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -349,6 +361,7 @@ extern mode_t orig_umask;
 extern unsigned long long start_timestamp;
 
 #define MAX_ARGS 128            // maximum number of command arguments (argc)
+#define MAX_ARG_LEN (PATH_MAX + 32) // --foobar=PATH
 extern char *fullargv[MAX_ARGS];
 extern int fullargc;
 
@@ -358,13 +371,14 @@ char *guess_shell(void);
 
 // sandbox.c
 int sandbox(void* sandbox_arg);
-void start_application(int no_sandbox, FILE *fp);
+void start_application(int no_sandbox, FILE *fp) __attribute__((noreturn));
+void set_apparmor(void);
 
 // network_main.c
 void net_configure_sandbox_ip(Bridge *br);
 void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
 void net_check_cfg(void);
-void net_dns_print(pid_t pid);
+void net_dns_print(pid_t pid) __attribute__((noreturn));
 void network_main(pid_t child);
 void net_print(pid_t pid);
 
@@ -394,6 +408,7 @@ typedef enum {
         MOUNT_TMPFS,
         MOUNT_NOEXEC,
         MOUNT_RDWR,
+        MOUNT_RDWR_NOCHECK, // no check of ownership
         OPERATION_MAX
 } OPERATION;
 
@@ -402,8 +417,7 @@ void fs_blacklist(void);
 // mount a writable tmpfs
 void fs_tmpfs(const char *dir, unsigned check_owner);
 // remount noexec/nodev/nosuid or read-only or read-write
-void fs_remount(const char *dir, OPERATION op, unsigned check_mnt);
-void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt);
+void fs_remount(const char *dir, OPERATION op, int rec);
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void);
 // blacklist firejail configuration and runtime directories
@@ -439,13 +453,12 @@ void profile_add_ignore(const char *str);
 void list(void);
 void tree(void);
 void top(void);
-void netstats(void);
 
 // usage.c
 void usage(void);
 
 // join.c
-void join(pid_t pid, int argc, char **argv, int index);
+void join(pid_t pid, int argc, char **argv, int index) __attribute__((noreturn));
 bool is_ready_for_join(const pid_t pid);
 void check_join_permission(pid_t pid);
 pid_t switch_to_child(pid_t pid);
@@ -472,7 +485,7 @@ int macro_id(const char *name);
 
 
 // util.c
-void errLogExit(char* fmt, ...);
+void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
 void drop_privs(int nogroups);
@@ -567,9 +580,10 @@ void fs_private_home_list(void);
 char *seccomp_check_list(const char *str);
 int seccomp_install_filters(void);
 int seccomp_load(const char *fname);
-int seccomp_filter_drop(void);
-int seccomp_filter_keep(void);
-void seccomp_print_filter(pid_t pid);
+int seccomp_filter_drop(bool native);
+int seccomp_filter_keep(bool native);
+int seccomp_filter_mdwx(bool native);
+void seccomp_print_filter(pid_t pid) __attribute__((noreturn));
 
 // caps.c
 void seccomp_load_file_list(void);
@@ -580,7 +594,7 @@ void caps_set(uint64_t caps);
 void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
-void caps_print_filter(pid_t pid);
+void caps_print_filter(pid_t pid) __attribute__((noreturn));
 void caps_drop_dac_override(void);
 
 // fs_trace.c
@@ -603,7 +617,7 @@ void read_cpu_list(const char *str);
 void set_cpu_affinity(void);
 void load_cpu(const char *fname);
 void save_cpu(void);
-void cpu_print_filter(pid_t pid);
+void cpu_print_filter(pid_t pid) __attribute__((noreturn));
 
 // cgroup.c
 void save_cgroup(void);
@@ -625,7 +639,7 @@ void netns(const char *nsname);
 void netns_mounts(const char *nsname);
 
 // bandwidth.c
-void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
+void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) __attribute__((noreturn));
 void network_set_run_file(pid_t pid);
 
 // fs_etc.c
@@ -635,8 +649,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 // no_sandbox.c
 int check_namespace_virt(void);
 int check_kernel_procs(void);
-void run_no_sandbox(int argc, char **argv);
+void run_no_sandbox(int argc, char **argv) __attribute__((noreturn));
 
+#define MAX_ENVS 256                    // some sane maximum number of environment variables
+#define MAX_ENV_LEN (PATH_MAX + 32)     // FOOBAR=SOME_PATH
 // env.c
 typedef enum {
         SETENV = 0,
@@ -664,7 +680,7 @@ void fs_private_lib(void);
 // protocol.c
 void protocol_filter_save(void);
 void protocol_filter_load(const char *fname);
-void protocol_print_filter(pid_t pid);
+void protocol_print_filter(pid_t pid) __attribute__((noreturn));
 
 // restrict_users.c
 void restrict_users(void);
@@ -676,7 +692,7 @@ void fs_logger2int(const char *msg1, int d);
 void fs_logger3(const char *msg1, const char *msg2, const char *msg3);
 void fs_logger_print(void);
 void fs_logger_change_owner(void);
-void fs_logger_print_log(pid_t pid);
+void fs_logger_print_log(pid_t pid) __attribute__((noreturn));
 
 // run_symlink.c
 void run_symlink(int argc, char **argv, int run_as_is);
@@ -702,11 +718,11 @@ void fs_mkfile(const char *name);
 
 void fs_x11(void);
 int x11_display(void);
-void x11_start(int argc, char **argv);
-void x11_start_xpra(int argc, char **argv);
-void x11_start_xephyr(int argc, char **argv);
+void x11_start(int argc, char **argv) __attribute__((noreturn));
+void x11_start_xpra(int argc, char **argv) __attribute__((noreturn));
+void x11_start_xephyr(int argc, char **argv) __attribute__((noreturn));
 void x11_block(void);
-void x11_start_xvfb(int argc, char **argv);
+void x11_start_xvfb(int argc, char **argv) __attribute__((noreturn));
 void x11_xorg(void);
 
 // ls.c
@@ -716,7 +732,7 @@ enum {
         SANDBOX_FS_PUT,
         SANDBOX_FS_MAX // this should always be the last entry
 };
-void sandboxfs(int op, pid_t pid, const char *path1, const char *path2);
+void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) __attribute__((noreturn));
 
 // checkcfg.c
 #define DEFAULT_ARP_PROBES 2
@@ -749,6 +765,7 @@ enum {
         CFG_PRIVATE_CACHE,
         CFG_CGROUP,
         CFG_NAME_CHANGE,
+        CFG_SECCOMP_ERROR_ACTION,
         // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
         CFG_MAX // this should always be the last entry
 };
@@ -759,6 +776,8 @@ extern char *xvfb_screen;
 extern char *xvfb_extra_params;
 extern char *netfilter_default;
 extern unsigned long join_timeout;
+extern char *config_seccomp_error_action_str;
+
 int checkcfg(int val);
 void print_compiletime_support(void);
 
@@ -813,10 +832,13 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_STDIN_FROM_FILE (1 << 6)   // open file and redirect it to stdin
 #define SBOX_CAPS_HIDEPID (1 << 7)      // hidepid caps filter for running firemon
 #define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services
+#define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open
+#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process
 
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
 int sbox_run_v(unsigned filter, char * const arg[]);
+void sbox_exec_v(unsigned filter, char * const arg[]) __attribute__((noreturn));
 
 // run_files.c
 void delete_run_files(pid_t pid);
@@ -826,7 +848,14 @@ void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 
 // dbus.c
-void dbus_disable(void);
+int dbus_check_name(const char *name);
+int dbus_check_call_rule(const char *name);
+void dbus_check_profile(void);
+void dbus_proxy_start(void);
+void dbus_proxy_stop(void);
+void dbus_set_session_bus_env(void);
+void dbus_set_system_bus_env(void);
+void dbus_apply_policy(void);
 
 // dhcp.c
 extern pid_t dhclient4_pid;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c7dd91b06..2000ffc62 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -28,10 +28,9 @@
 #include <dirent.h>
 #include <errno.h>
 
-
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 #define MAX_BUF 4096
@@ -43,6 +42,8 @@
 //***********************************************
 // process profile file
 //***********************************************
+static void fs_remount_rec(const char *dir, OPERATION op);
+
 static char *opstr[] = {
         [BLACKLIST_FILE] = "blacklist",
         [BLACKLIST_NOLOG] = "blacklist-nolog",
@@ -50,6 +51,7 @@ static char *opstr[] = {
         [MOUNT_TMPFS] = "tmpfs",
         [MOUNT_NOEXEC] = "noexec",
         [MOUNT_RDWR] = "read-write",
+        [MOUNT_RDWR_NOCHECK] = "read-write",
 };
 
 typedef enum {
@@ -109,6 +111,13 @@ static void disable_file(OPERATION op, const char *filename) {
                 return;
         }
 
+        // check for firejail executable
+        // we migth have a file found in ${PATH} pointing to /usr/bin/firejail
+        // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
+        //     and expects Firefox to open in the same sandbox
+        if (strcmp(BINDIR "/firejail", fname) == 0)
+                return;
+
         // modify the file
         if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
                 // some distros put all executables under /usr/bin and make /bin a symbolic link
@@ -148,7 +157,7 @@ static void disable_file(OPERATION op, const char *filename) {
                 }
         }
         else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
-                fs_remount_rec(fname, op, 1);
+                fs_remount_rec(fname, op);
                 // todo: last_disable = SUCCESSFUL;
         }
         else if (op == MOUNT_TMPFS) {
@@ -254,6 +263,7 @@ void fs_blacklist(void) {
                 // whitelist commands handled by fs_whitelist()
                 if (strncmp(entry->data, "whitelist ", 10) == 0 ||
                     strncmp(entry->data, "nowhitelist ", 12) == 0 ||
+                    strncmp(entry->data, "dbus-", 5) == 0 ||
                    *entry->data == '\0') {
                         entry = entry->next;
                         continue;
@@ -425,21 +435,11 @@ void fs_blacklist(void) {
         free(noblacklist);
 }
 
-static int get_mount_flags(const char *path, unsigned long *flags) {
-        struct statvfs buf;
-
-        if (statvfs(path, &buf) < 0)
-                return -errno;
-        *flags = buf.f_flag;
-        return 0;
-}
-
 //***********************************************
 // mount namespace
-//              - functions need fully resolved paths
 //***********************************************
 
-// mount a writable tmpfs on directory
+// mount a writable tmpfs on directory; requires a resolved path
 void fs_tmpfs(const char *dir, unsigned check_owner) {
         assert(dir);
         if (arg_debug)
@@ -480,71 +480,114 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
         close(fd);
 }
 
-void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) {
-        assert(dir);
-        // check directory exists
+// remount path, but preserve existing mount flags; requires a resolved path
+static void fs_remount_simple(const char *path, OPERATION op) {
+        assert(path);
+
+        // open path without following symbolic links
+        int fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                goto out;
+        // identify file owner
         struct stat s;
-        int rv = stat(dir, &s);
-        if (rv == 0) {
-                unsigned long flags = 0;
-                if (get_mount_flags(dir, &flags) != 0) {
-                        fwarning("cannot remount %s\n", dir);
+        if (fstat(fd, &s) == -1) {
+                // fstat can fail with EACCES if path is a FUSE mount,
+                // mounted without 'allow_root' or 'allow_other'
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                goto out;
+        }
+        // get mount flags
+        struct statvfs buf;
+        if (fstatvfs(fd, &buf) == -1)
+                errExit("fstatvfs");
+        unsigned long flags = buf.f_flag;
+
+        // read-write option
+        if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) {
+                // nothing to do if there is no read-only flag
+                if ((flags & MS_RDONLY) == 0) {
+                        close(fd);
                         return;
                 }
-                if (op == MOUNT_RDWR) {
-                        // allow only user owned directories, except the user is root
-                        if (getuid() != 0 && s.st_uid != getuid()) {
-                                fwarning("you are not allowed to change %s to read-write\n", dir);
-                                return;
-                        }
-                        if ((flags & MS_RDONLY) == 0)
-                                return;
-                        flags &= ~MS_RDONLY;
-                }
-                else if (op == MOUNT_NOEXEC) {
-                        if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID))
-                                return;
-                        flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
+                // allow only user owned directories, except the user is root
+                if (op == MOUNT_RDWR && getuid() != 0 && s.st_uid != getuid()) {
+                        fwarning("you are not allowed to change %s to read-write\n", path);
+                        close(fd);
+                        return;
                 }
-                else if (op == MOUNT_READONLY) {
-                        if ((flags & MS_RDONLY) == MS_RDONLY)
-                                return;
-                        flags |= MS_RDONLY;
+                flags &= ~MS_RDONLY;
+        }
+        // noexec option
+        else if (op == MOUNT_NOEXEC) {
+                // nothing to do if path is mounted noexec already
+                if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) {
+                        close(fd);
+                        return;
                 }
-                else
-                        assert(0);
-
-                if (arg_debug)
-                        printf("Mounting %s %s\n", opstr[op], dir);
-                // mount --bind /bin /bin
-                // mount --bind -o remount,rw /bin
-                if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                    mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                        errExit("remounting");
-                // run a sanity check on /proc/self/mountinfo
-                if (check_mnt) {
-                        // confirm target of the last mount operation was dir; if there are other
-                        // mount points contained inside dir, one of those will show up as target
-                        // of the last mount operation instead
-                        MountData *mptr = get_last_mount();
-                        size_t len = strlen(dir);
-                        if ((strncmp(mptr->dir, dir, len) != 0 ||
-                           (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
-                           && strcmp(dir, "/") != 0) // support read-only=/
-                                errLogExit("invalid %s mount", opstr[op]);
+                flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
+        }
+        // read-only option
+        else if (op == MOUNT_READONLY) {
+                // nothing to do if path is mounted read-only already
+                if ((flags & MS_RDONLY) == MS_RDONLY) {
+                        close(fd);
+                        return;
                 }
-                fs_logger2(opstr[op], dir);
+                flags |= MS_RDONLY;
         }
+        else
+                assert(0);
+
+        if (arg_debug)
+                printf("Mounting %s %s\n", opstr[op], path);
+        // mount --bind /bin /bin
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount");
+        free(proc);
+        close(fd);
+
+        // mount --bind -o remount,ro /bin
+        // we need to open path again
+        fd = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1)
+                errExit("open");
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
+                errExit("mount");
+
+        // run a sanity check on /proc/self/mountinfo and confirm that target of the last
+        // mount operation was path; if there are other mount points contained inside path,
+        // one of those will show up as target of the last mount operation instead
+        MountData *mptr = get_last_mount();
+        size_t len = strlen(path);
+        if ((strncmp(mptr->dir, path, len) != 0 ||
+           (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
+           && strcmp(path, "/") != 0) // support read-only=/
+                errLogExit("invalid %s mount", opstr[op]);
+        fs_logger2(opstr[op], path);
+        free(proc);
+        close(fd);
+        return;
+
+out:
+        fwarning("not remounting %s\n", path);
 }
 
-void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
+// remount recursively; requires a resolved path
+static void fs_remount_rec(const char *dir, OPERATION op) {
         assert(dir);
         struct stat s;
         if (stat(dir, &s) != 0)
                 return;
         if (!S_ISDIR(s.st_mode)) {
                 // no need to search in /proc/self/mountinfo for submounts if not a directory
-                fs_remount(dir, op, check_mnt);
+                fs_remount_simple(dir, op);
                 return;
         }
         // get mount point of the directory
@@ -558,7 +601,7 @@ void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
                         fwarning("read-only, read-write and noexec options are not applied recursively\n");
                         mount_warning = 1;
                 }
-                fs_remount(dir, op, check_mnt);
+                fs_remount_simple(dir, op);
                 return;
         }
         // build array with all mount points that need to get remounted
@@ -567,12 +610,25 @@ void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) {
         // remount
         char **tmp = arr;
         while (*tmp) {
-                fs_remount(*tmp, op, check_mnt);
+                fs_remount_simple(*tmp, op);
                 free(*tmp++);
         }
         free(arr);
 }
 
+// resolve a path and remount it
+void fs_remount(const char *path, OPERATION op, int rec) {
+        assert(path);
+        char *rpath = realpath(path, NULL);
+        if (rpath) {
+                if (rec)
+                        fs_remount_rec(rpath, op);
+                else
+                        fs_remount_simple(rpath, op);
+                free(rpath);
+        }
+}
+
 // Disable /mnt, /media, /run/mount and /run/media access
 void fs_mnt(const int enforce) {
         if (enforce) {
@@ -749,22 +805,22 @@ void fs_basic_fs(void) {
         if (arg_debug)
                 printf("Basic read-only filesystem:\n");
         if (!arg_writable_etc) {
-                fs_remount("/etc", MOUNT_READONLY, 0);
+                fs_remount("/etc", MOUNT_READONLY, 1);
                 if (uid)
-                        fs_remount("/etc", MOUNT_NOEXEC, 0);
+                        fs_remount("/etc", MOUNT_NOEXEC, 1);
         }
         if (!arg_writable_var) {
-                fs_remount("/var", MOUNT_READONLY, 0);
+                fs_remount("/var", MOUNT_READONLY, 1);
                 if (uid)
-                        fs_remount("/var", MOUNT_NOEXEC, 0);
+                        fs_remount("/var", MOUNT_NOEXEC, 1);
         }
-        fs_remount("/bin", MOUNT_READONLY, 0);
-        fs_remount("/sbin", MOUNT_READONLY, 0);
-        fs_remount("/lib", MOUNT_READONLY, 0);
-        fs_remount("/lib64", MOUNT_READONLY, 0);
-        fs_remount("/lib32", MOUNT_READONLY, 0);
-        fs_remount("/libx32", MOUNT_READONLY, 0);
-        fs_remount("/usr", MOUNT_READONLY, 0);
+        fs_remount("/usr", MOUNT_READONLY, 1);
+        fs_remount("/bin", MOUNT_READONLY, 1);
+        fs_remount("/sbin", MOUNT_READONLY, 1);
+        fs_remount("/lib", MOUNT_READONLY, 1);
+        fs_remount("/lib64", MOUNT_READONLY, 1);
+        fs_remount("/lib32", MOUNT_READONLY, 1);
+        fs_remount("/libx32", MOUNT_READONLY, 1);
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         fs_var_lock();
@@ -773,7 +829,7 @@ void fs_basic_fs(void) {
         if (!arg_writable_var_log)
                 fs_var_log();
         else
-                fs_remount("/var/log", MOUNT_RDWR, 0);
+                fs_remount("/var/log", MOUNT_RDWR_NOCHECK, 0);
 
         fs_var_lib();
         fs_var_cache();
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 500b6bf1b..00edc5f88 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -25,6 +25,7 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <pwd.h>
+#include <errno.h>
 #ifndef _BSD_SOURCE
 #define _BSD_SOURCE
 #endif
@@ -148,7 +149,7 @@ static void create_char_dev(const char *path, mode_t mode, int major, int minor)
         return;
 
 errexit:
-        fprintf(stderr, "Error: cannot create %s device\n", path);
+        fprintf(stderr, "Error: cannot create %s device: %s\n", path, strerror(errno));
         exit(1);
 }
 
@@ -157,9 +158,6 @@ static void create_link(const char *oldpath, const char *newpath) {
                 fprintf(stderr, "Error: cannot create %s device\n", newpath);
                 exit(1);
         }
-
-        if (chown(newpath, 0, 0) < 0) {;}
-
         fs_logger2("create", newpath);
         return;
 }
@@ -302,12 +300,10 @@ void fs_private_dev(void){
         fs_logger("clone /dev/pts");
 
         // stdin, stdout, stderr
-#if 0
         create_link("/proc/self/fd", "/dev/fd");
         create_link("/proc/self/fd/0", "/dev/stdin");
         create_link("/proc/self/fd/1", "/dev/stdout");
         create_link("/proc/self/fd/2", "/dev/stderr");
-#endif
 
         // symlinks for DVD/CD players
         if (stat("/dev/sr0", &s) == 0) {
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index bec22e5a6..af891d61f 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <linux/limits.h>
-#include <glob.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>
@@ -353,49 +352,51 @@ void fs_private(void) {
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
-        // mask /home
-        if (u == 0 && arg_allusers) // allow --allusers when starting the sandbox as root
-                ;
-        else {
-                if (arg_debug)
-                        printf("Mounting a new /home directory\n");
-                if (arg_allusers)
-                        fwarning("allusers option disabled by private or whitelist option\n");
-                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                        errExit("mounting /home directory");
-                selinux_relabel_path("/home", "/home");
-                fs_logger("tmpfs /home");
-        }
-
         // mask /root
         if (arg_debug)
                 printf("Mounting a new /root directory\n");
         if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME,  "mode=700,gid=0") < 0)
                 errExit("mounting /root directory");
+        selinux_relabel_path("/root", "/root");
         fs_logger("tmpfs /root");
 
-        if (u != 0) {
-                if (strncmp(homedir, "/home/", 6) == 0) {
-                        // create /home/user
-                        if (arg_debug)
-                                printf("Create a new user directory\n");
-                        if (mkdir(homedir, S_IRWXU) == -1) {
-                                if (mkpath_as_root(homedir) == -1)
-                                        errExit("mkpath");
-                                if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
-                                        errExit("mkdir");
-                        }
-                        if (chown(homedir, u, g) < 0)
-                                errExit("chown");
-                        selinux_relabel_path(homedir, homedir);
+        if (arg_allusers) {
+                if (u != 0)
+                        // mask user home directory
+                        // the directory should be owned by the current user
+                        fs_tmpfs(homedir, 1);
+        }
+        else { // mask /home
+                if (arg_debug)
+                        printf("Mounting a new /home directory\n");
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                        errExit("mounting /home directory");
+                selinux_relabel_path("/home", "/home");
+                fs_logger("tmpfs /home");
 
-                        fs_logger2("mkdir", homedir);
-                        fs_logger2("tmpfs", homedir);
+                if (u != 0) {
+                        if (strncmp(homedir, "/home/", 6) == 0) {
+                                // create /home/user
+                                if (arg_debug)
+                                        printf("Create a new user directory\n");
+                                if (mkdir(homedir, S_IRWXU) == -1) {
+                                        if (mkpath_as_root(homedir) == -1)
+                                                errExit("mkpath");
+                                        if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
+                                                errExit("mkdir");
+                                }
+                                if (chown(homedir, u, g) < 0)
+                                        errExit("chown");
+
+                                selinux_relabel_path(homedir, homedir);
+                                fs_logger2("mkdir", homedir);
+                                fs_logger2("tmpfs", homedir);
+                        }
+                        else
+                                // mask user home directory
+                                // the directory should be owned by the current user
+                                fs_tmpfs(homedir, 1);
                 }
-                else
-                        // user directory is outside /home, mask it as well
-                        // check if directory is owned by the current user
-                        fs_tmpfs(homedir, 1);
         }
 
         skel(homedir, u, g);
@@ -519,7 +520,7 @@ static void duplicate(char *name) {
                 ptr++;
                 if (asprintf(&path, "%s/%s", RUN_HOME_DIR, ptr) == -1)
                         errExit("asprintf");
-                mkdir_attr(path, 0755, getuid(), getgid());
+                create_empty_dir_as_user(path, 0755);
                 sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, path);
                 free(path);
         }
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index eb660df90..0e213f2f8 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -25,6 +25,22 @@
 #include <sys/wait.h>
 #include <string.h>
 
+
+static void check(const char *fname) {
+        // manufacture /run/user directory
+        char *runuser;
+        if (asprintf(&runuser, "/run/user/%d/", getuid()) == -1)
+                errExit("asprintf");
+
+        if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+            strncmp(fname, "/tmp", 4) != 0 &&
+            strncmp(fname, runuser, strlen(runuser)) != 0) {
+                fprintf(stderr, "Error: only files or directories in user home, /tmp, or /run/user/<UID> are supported by mkdir\n");
+                exit(1);
+        }
+        free(runuser);
+}
+
 static void mkdir_recursive(char *path) {
         char *subdir = NULL;
         struct stat s;
@@ -61,11 +77,7 @@ void fs_mkdir(const char *name) {
         // check directory name
         invalid_filename(name, 0); // no globbing
         char *expanded = expand_macros(name);
-        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-            strncmp(expanded, "/tmp", 4) != 0) {
-                fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n");
-                exit(1);
-        }
+        check(expanded); // will exit if wrong path
 
         struct stat s;
         if (stat(expanded, &s) == 0) {
@@ -101,11 +113,7 @@ void fs_mkfile(const char *name) {
         // check file name
         invalid_filename(name, 0); // no globbing
         char *expanded = expand_macros(name);
-        if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-            strncmp(expanded, "/tmp", 4) != 0) {
-                fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n");
-                exit(1);
-        }
+        check(expanded); // will exit if wrong path
 
         struct stat s;
         if (stat(expanded, &s) == 0) {
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index c5b066b12..1d7552339 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -346,6 +346,39 @@ static void whitelist_home(int topdir) {
 }
 
 
+static void globbing(const char *pattern) {
+        assert(pattern);
+
+        // globbing
+        glob_t globbuf;
+        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+        if (globerr) {
+                fprintf(stderr, "Error: failed to glob private-bin pattern %s\n", pattern);
+                exit(1);
+        }
+
+        size_t i;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                assert(globbuf.gl_pathv[i]);
+                // testing for GLOB_NOCHECK - no pattern matched returns the original pattern
+                if (strcmp(globbuf.gl_pathv[i], pattern) == 0)
+                        continue;
+
+                // build the new profile command
+                char *newcmd;
+                if (asprintf(&newcmd, "whitelist %s", globbuf.gl_pathv[i]) == -1)
+                        errExit("asprintf");
+
+                // add the new profile command at the end of the list
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Adding new profile command: %s\n", newcmd);
+                profile_add(newcmd);
+        }
+
+        globfree(&globbuf);
+}
+
+
 void fs_whitelist(void) {
         ProfileEntry *entry = cfg.profile;
         if (!entry)
@@ -444,6 +477,13 @@ void fs_whitelist(void) {
                 else
                         fname = realpath(new_name, NULL);
 
+                // if this is not a real path, let's try globbing
+                // mark this entry as EMPTY_STRING and push the new paths at the end of profile entry list
+                // the new profile entries will be processed in this loop
+                // currently there is no globbing support for nowhitelist
+                if (!fname && !nowhitelist_flag)
+                        globbing(new_name);
+
                 if (!fname) {
                         // file not found, blank the entry in the list and continue
                         if (arg_debug || arg_debug_whitelists) {
@@ -1030,7 +1070,7 @@ void fs_whitelist(void) {
                         free(proc);
                         close(fd);
 
-                        // mount a tmpfs and initialize home directory, overrides --allusers
+                        // mount a tmpfs and initialize home directory
                         fs_private();
                 }
                 else
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 531f8c06a..f202d1a9c 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -26,7 +26,11 @@
 
 #include <sys/prctl.h>
 #ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
 #endif
 
 static int apply_caps = 0;
@@ -50,6 +54,46 @@ static void install_handler(void) {
         sigaction(SIGTERM, &sga, NULL);
 }
 
+#ifdef HAVE_APPARMOR
+static void extract_apparmor(pid_t pid) {
+        if (checkcfg(CFG_APPARMOR)) {
+                EUID_USER();
+                if (aa_is_enabled() == 1) {
+                        // get pid of next child process
+                        pid_t child;
+                        if (find_child(pid, &child) == 1)
+                                child = pid; // no child, proceed with current pid
+
+                        // get name of AppArmor profile
+                        char *fname;
+                        if (asprintf(&fname, "/proc/%d/attr/current", child) == -1)
+                                errExit("asprintf");
+                        EUID_ROOT();
+                        int fd = open(fname, O_RDONLY|O_CLOEXEC);
+                        EUID_USER();
+                        free(fname);
+                        if (fd == -1)
+                                goto errexit;
+                        char buf[BUFLEN];
+                        ssize_t rv = read(fd, buf, sizeof(buf) - 1);
+                        close(fd);
+                        if (rv < 0)
+                                goto errexit;
+                        buf[rv] = '\0';
+                        // process confined by Firejail's AppArmor policy?
+                        if (strncmp(buf, "firejail-default", 16) == 0)
+                                arg_apparmor = 1;
+                }
+                EUID_ROOT();
+        }
+        return;
+
+errexit:
+        fprintf(stderr, "Error: cannot read /proc file\n");
+        exit(1);
+}
+#endif // HAVE_APPARMOR
+
 static void extract_x11_display(pid_t pid) {
         char *fname;
         if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
@@ -388,6 +432,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 extract_cgroup(pid);
                 extract_nogroups(pid);
                 extract_user_namespace(pid);
+#ifdef HAVE_APPARMOR
+                extract_apparmor(pid);
+#endif
         }
 
         // set cgroup
@@ -501,6 +548,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 // kill the child in case the parent died
                 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
+#ifdef HAVE_APPARMOR
+                // add apparmor confinement after the execve
+                set_apparmor();
+#endif
+
                 extract_command(argc, argv, index);
                 if (cfg.command_line == NULL) {
                         assert(cfg.shell);
@@ -527,9 +579,16 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         free(display_str);
                 }
 
+                // set D-Bus environment variables
+                struct stat s;
+                if (stat(RUN_DBUS_USER_SOCKET, &s) == 0)
+                        dbus_set_session_bus_env();
+                if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0)
+                        dbus_set_system_bus_env();
+
                 start_application(0, NULL);
 
-                // it will never get here!!!
+                __builtin_unreachable();
         }
         EUID_USER();
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 78717ab41..b9cb43444 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -20,6 +20,8 @@
 #include "firejail.h"
 #include "../include/pid.h"
 #include "../include/firejail_user.h"
+#include "../include/syscall.h"
+#include "../include/seccomp.h"
 #define _GNU_SOURCE
 #include <sys/utsname.h>
 #include <sched.h>
@@ -72,8 +74,10 @@ int arg_overlay_keep = 0;			// place overlay diff in a known directory
 int arg_overlay_reuse = 0;                      // allow the reuse of overlays
 
 int arg_seccomp = 0;                            // enable default seccomp filter
+int arg_seccomp32 = 0;                          // enable default seccomp filter for 32 bit arch
 int arg_seccomp_postexec = 0;                   // need postexec ld.preload library?
 int arg_seccomp_block_secondary = 0;            // block any secondary architectures
+int arg_seccomp_error_action = 0;
 
 int arg_caps_default_filter = 0;                        // enable default capabilities filter
 int arg_caps_drop = 0;                          // drop list
@@ -140,9 +144,13 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0;          // block writable and executable memory
 int arg_notv = 0;       // --notv
 int arg_nodvd = 0; // --nodvd
-int arg_nodbus = 0; // -nodbus
 int arg_nou2f = 0; // --nou2f
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
+DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW;   // --dbus-user
+DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
+const char *arg_dbus_log_file = NULL;
+int arg_dbus_log_user = 0;
+int arg_dbus_log_system = 0;
 int login_shell = 0;
 
 //**********************************************************************************
@@ -176,6 +184,7 @@ static void myexit(int rv) {
 
 
         // delete sandbox files in shared memory
+        dbus_proxy_stop();
         EUID_ROOT();
         delete_run_files(sandbox_pid);
         appimage_clear();
@@ -347,6 +356,27 @@ static void init_cfg(int argc, char **argv) {
         sandbox_pid = getpid();
         time_t t = time(NULL);
         srand(t ^ sandbox_pid);
+
+        arg_seccomp_error_action = EPERM;
+        cfg.seccomp_error_action = "EPERM";
+}
+
+static void fix_single_std_fd(int fd, const char *file, int flags) {
+        struct stat s;
+        if (fstat(fd, &s) == -1 && errno == EBADF) {
+                // something is wrong with fd, probably it is not opened
+                int nfd = open(file, flags);
+                if (nfd != fd || fstat(fd, &s) != 0)
+                        _exit(1); // no further attempts to fix the situation
+        }
+}
+
+// glibc does this automatically if Firejail was started by a regular user
+// run this for root user and as a fallback
+static void fix_std_streams(void) {
+        fix_single_std_fd(0, "/dev/full", O_RDONLY|O_NOFOLLOW);
+        fix_single_std_fd(1, "/dev/null", O_WRONLY|O_NOFOLLOW);
+        fix_single_std_fd(2, "/dev/null", O_WRONLY|O_NOFOLLOW);
 }
 
 static void check_network(Bridge *br) {
@@ -548,6 +578,14 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 else
                         exit_err_feature("seccomp");
         }
+        else if (strcmp(argv[i], "--debug-syscalls32") == 0) {
+                if (checkcfg(CFG_SECCOMP)) {
+                        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls32");
+                        exit(rv);
+                }
+                else
+                        exit_err_feature("seccomp");
+        }
         else if (strcmp(argv[i], "--debug-errnos") == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-errnos");
@@ -956,11 +994,38 @@ static void run_builder(int argc, char **argv) {
         exit(1);
 }
 
+void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) fd;
+        (void) syscall;
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+}
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) fd;
+        (void) syscall;
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+}
+
+#ifdef HAVE_SECCOMP
+static int check_postexec(const char *list) {
+        char *prelist, *postlist;
+
+        if (list) {
+                syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
+                if (postlist)
+                        return 1;
+        }
+        return 0;
+}
+#endif
 
 //*******************************************
 // Main program
 //*******************************************
-int main(int argc, char **argv) {
+int main(int argc, char **argv, char **envp) {
         int i;
         int prog_index = -1;                      // index in argv where the program command starts
         int lockfd_network = -1;
@@ -968,17 +1033,48 @@ int main(int argc, char **argv) {
         int option_cgroup = 0;
         int custom_profile = 0; // custom profile loaded
         int arg_caps_cmdline = 0;       // caps requested on command line (used to break out of --chroot)
+        char **ptr;
+
+        // sanitize the umask
+        orig_umask = umask(022);
+
+        // check standard streams before printing anything
+        fix_std_streams();
 
         // drop permissions by default and rise them when required
         EUID_INIT();
         EUID_USER();
 
-        // sanitize the umask
-        orig_umask = umask(022);
-
         // argument count should be larger than 0
-        if (argc == 0) {
-                fprintf(stderr, "Error: argv[0] is NULL\n");
+        if (argc == 0 || !argv || strlen(argv[0]) == 0) {
+                fprintf(stderr, "Error: argv is invalid\n");
+                exit(1);
+        } else if (argc >= MAX_ARGS) {
+                fprintf(stderr, "Error: too many arguments\n");
+                exit(1);
+        }
+
+        // sanity check for arguments
+        for (i = 0; i < argc; i++) {
+                if (*argv[i] == 0) {
+                        fprintf(stderr, "Error: too short arguments\n");
+                        exit(1);
+                }
+                if (strlen(argv[i]) >= MAX_ARG_LEN) {
+                        fprintf(stderr, "Error: too long arguments\n");
+                        exit(1);
+                }
+        }
+
+        // sanity check for environment variables
+        for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) {
+                if (strlen(*ptr) >= MAX_ENV_LEN) {
+                        fprintf(stderr, "Error: too long environment variables\n");
+                        exit(1);
+                }
+        }
+        if (i >= MAX_ENVS) {
+                fprintf(stderr, "Error: too many environment variables\n");
                 exit(1);
         }
 
@@ -1063,8 +1159,7 @@ int main(int argc, char **argv) {
 
                         // start the program directly without sandboxing
                         run_no_sandbox(argc, argv);
-                        // it will never get here!
-                        assert(0);
+                        __builtin_unreachable();
                 }
         }
         EUID_ASSERT();
@@ -1263,6 +1358,18 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("seccomp");
                 }
+                else if (strncmp(argv[i], "--seccomp.32=", 13) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp32 = 1;
+                                cfg.seccomp_list32 = seccomp_check_list(argv[i] + 13);
+                        }
+                        else
+                                exit_err_feature("seccomp");
+                }
                 else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
                                 if (arg_seccomp) {
@@ -1275,6 +1382,18 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("seccomp");
                 }
+                else if (strncmp(argv[i], "--seccomp.32.drop=", 18) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp32 = 1;
+                                cfg.seccomp_list_drop32 = seccomp_check_list(argv[i] + 18);
+                        }
+                        else
+                                exit_err_feature("seccomp");
+                }
                 else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
                                 if (arg_seccomp) {
@@ -1287,8 +1406,24 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("seccomp");
                 }
+                else if (strncmp(argv[i], "--seccomp.32.keep=", 18) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 already enabled\n");
+                                        exit(1);
+                                }
+                                arg_seccomp32 = 1;
+                                cfg.seccomp_list_keep32 = seccomp_check_list(argv[i] + 18);
+                        }
+                        else
+                                exit_err_feature("seccomp");
+                }
                 else if (strcmp(argv[i], "--seccomp.block-secondary") == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
+                                if (arg_seccomp32) {
+                                        fprintf(stderr, "Error: seccomp.32 conflicts with block-secondary\n");
+                                        exit(1);
+                                }
                                 arg_seccomp_block_secondary = 1;
                         }
                         else
@@ -1300,6 +1435,28 @@ int main(int argc, char **argv) {
                         else
                                 exit_err_feature("seccomp");
                 }
+                else if (strncmp(argv[i], "--seccomp-error-action=", 23) == 0) {
+                        if (checkcfg(CFG_SECCOMP)) {
+                                int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
+                                if (config_seccomp_error_action == -1) {
+                                        if (strcmp(argv[i] + 23, "kill") == 0)
+                                                arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                        else if (strcmp(argv[i] + 23, "log") == 0)
+                                                arg_seccomp_error_action = SECCOMP_RET_LOG;
+                                        else {
+                                                arg_seccomp_error_action = errno_find_name(argv[i] + 23);
+                                                if (arg_seccomp_error_action == -1)
+                                                        errExit("seccomp-error-action: unknown errno");
+                                        }
+                                        cfg.seccomp_error_action = strdup(argv[i] + 23);
+                                        if (!cfg.seccomp_error_action)
+                                                errExit("strdup");
+                                } else
+                                        exit_err_feature("seccomp-error-action");
+
+                        } else
+                                exit_err_feature("seccomp");
+                }
 #endif
                 else if (strcmp(argv[i], "--caps") == 0) {
                         arg_caps_default_filter = 1;
@@ -1923,8 +2080,147 @@ int main(int argc, char **argv) {
                         arg_nodvd = 1;
                 else if (strcmp(argv[i], "--nou2f") == 0)
                         arg_nou2f = 1;
-                else if (strcmp(argv[i], "--nodbus") == 0)
-                        arg_nodbus = 1;
+                else if (strcmp(argv[i], "--nodbus") == 0) {
+                        arg_dbus_user = DBUS_POLICY_BLOCK;
+                        arg_dbus_system = DBUS_POLICY_BLOCK;
+                }
+                else if (strncmp("--dbus-user=", argv[i], 12) == 0) {
+                        if (strcmp("filter", argv[i] + 12) == 0) {
+                                if (arg_dbus_user == DBUS_POLICY_BLOCK) {
+                                        fprintf(stderr, "Warning: Cannot relax --dbus-user policy, it is already set to block\n");
+                                } else {
+                                        arg_dbus_user = DBUS_POLICY_FILTER;
+                                }
+                        } else if (strcmp("none", argv[i] + 12) == 0) {
+                                if (arg_dbus_log_user) {
+                                        fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+                                        exit(1);
+                                }
+                                arg_dbus_user = DBUS_POLICY_BLOCK;
+                        } else {
+                                fprintf(stderr, "Unknown dbus-user policy: %s\n", argv[i] + 12);
+                                exit(1);
+                        }
+                }
+                else if (strncmp(argv[i], "--dbus-user.see=", 16) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.see %s", argv[i] + 16) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-user.talk=", 17) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.talk %s", argv[i] + 17) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-user.own=", 16) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.own %s", argv[i] + 16) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-user.call=", 17) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.call %s", argv[i] + 17) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-user.broadcast=", 22) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-user.broadcast %s", argv[i] + 22) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp("--dbus-system=", argv[i], 14) == 0) {
+                        if (strcmp("filter", argv[i] + 14) == 0) {
+                                if (arg_dbus_system == DBUS_POLICY_BLOCK) {
+                                        fprintf(stderr, "Warning: Cannot relax --dbus-system policy, it is already set to block\n");
+                                } else {
+                                        arg_dbus_system = DBUS_POLICY_FILTER;
+                                }
+                        } else if (strcmp("none", argv[i] + 14) == 0) {
+                                if (arg_dbus_log_system) {
+                                        fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+                                        exit(1);
+                                }
+                                arg_dbus_system = DBUS_POLICY_BLOCK;
+                        } else {
+                                fprintf(stderr, "Unknown dbus-system policy: %s\n", argv[i] + 14);
+                                exit(1);
+                        }
+                }
+                else if (strncmp(argv[i], "--dbus-system.see=", 18) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.see %s", argv[i] + 18) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-system.talk=", 19) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.talk %s", argv[i] + 19) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-system.own=", 18) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.own %s", argv[i] + 18) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-system.call=", 19) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.call %s", argv[i] + 19) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-system.broadcast=", 24) == 0) {
+                        char *line;
+                        if (asprintf(&line, "dbus-system.broadcast %s", argv[i] + 24) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL); // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--dbus-log=", 11) == 0) {
+                        if (arg_dbus_log_file != NULL) {
+                                fprintf(stderr, "Error: --dbus-log option already specified\n");
+                                exit(1);
+                        }
+                        arg_dbus_log_file = argv[i] + 11;
+                }
+                else if (strcmp(argv[i], "--dbus-user.log") == 0) {
+                        if (arg_dbus_user != DBUS_POLICY_FILTER) {
+                                fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+                                exit(1);
+                        }
+                        arg_dbus_log_user = 1;
+                }
+                else if (strcmp(argv[i], "--dbus-system.log") == 0) {
+                        if (arg_dbus_system != DBUS_POLICY_FILTER) {
+                                fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+                                exit(1);
+                        }
+                        arg_dbus_log_system = 1;
+                }
 
                 //*************************************
                 // network
@@ -2542,6 +2838,14 @@ int main(int argc, char **argv) {
         // check network configuration options - it will exit if anything went wrong
         net_check_cfg();
 
+#ifdef HAVE_SECCOMP
+        if (arg_seccomp)
+                arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
+#endif
+        bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
+        if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32))
+                fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n");
+
         // check and assign an IP address - for macvlan it will be done again in the sandbox!
         if (any_bridge_configured()) {
                 EUID_ROOT();
@@ -2602,6 +2906,16 @@ int main(int argc, char **argv) {
         }
         EUID_USER();
 
+        if (checkcfg(CFG_DBUS)) {
+                dbus_check_profile();
+                if (arg_dbus_user == DBUS_POLICY_FILTER ||
+                        arg_dbus_system == DBUS_POLICY_FILTER) {
+                        EUID_ROOT();
+                        dbus_proxy_start();
+                        EUID_USER();
+                }
+        }
+
         // clone environment
         int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
 
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 8bf8adecc..01df77ee6 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -89,7 +89,7 @@ int check_kernel_procs(void) {
         // only user processes are available in /proc when running grsecurity
         // EUID_ASSERT();
 
-        char *kern_proc[] = {
+        static char *kern_proc[] = {
                 "kthreadd",
                 "ksoftirqd",
                 "kworker",
diff --git a/src/firejail/output.c b/src/firejail/output.c
index d4a7f464a..36cb905cb 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -30,6 +30,12 @@ void check_output(int argc, char **argv) {
         int enable_stderr = 0;
 
         for (i = 1; i < argc; i++) {
+                if (strncmp(argv[i], "--", 2) != 0) {
+                        return;
+                }
+                if (strcmp(argv[i], "--") == 0) {
+                        return;
+                }
                 if (strncmp(argv[i], "--output=", 9) == 0) {
                         outindex = i;
                         break;
@@ -71,38 +77,67 @@ void check_output(int argc, char **argv) {
                 }
         }
 
-        // build the new command line
-        int len = 0;
-        for (i = 0; i < argc; i++) {
-                len += strlen(argv[i]) + 1; // + ' '
+        int pipefd[2];
+        if (pipe(pipefd) == -1) {
+                errExit("pipe");
         }
-        len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
 
-        char *cmd = malloc(len + 1); // + '\0'
-        if (!cmd)
-                errExit("malloc");
+        pid_t pid = fork();
+        if (pid == -1) {
+                errExit("fork");
+        } else if (pid == 0) {
+                /* child */
+                if (dup2(pipefd[0], STDIN_FILENO) == -1) {
+                        errExit("dup2");
+                }
+                close(pipefd[1]);
+                if (pipefd[0] != STDIN_FILENO) {
+                        close(pipefd[0]);
+                }
 
-        char *ptr = cmd;
-        for (i = 0; i < argc; i++) {
-                if (strncmp(argv[i], "--output=", 9) == 0)
-                        continue;
-                if (strncmp(argv[i], "--output-stderr=", 16) == 0)
-                        continue;
-                ptr += sprintf(ptr, "%s ", argv[i]);
+                char *args[3];
+                args[0] = LIBDIR "/firejail/ftee";
+                args[1] = outfile;
+                args[2] = NULL;
+                execv(args[0], args);
+                perror("execvp");
+                exit(1);
         }
 
-        if (enable_stderr)
-                sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
-        else
-                sprintf(ptr, " | %s/firejail/ftee %s", LIBDIR, outfile);
+        /* parent */
+        if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
+                errExit("dup2");
+        }
+        if (enable_stderr && dup2(STDOUT_FILENO, STDERR_FILENO) == -1) {
+                errExit("dup2");
+        }
+        close(pipefd[0]);
+        if (pipefd[1] != STDOUT_FILENO) {
+                close(pipefd[1]);
+        }
 
-        // run command
-        char *a[4];
-        a[0] = "/bin/bash";
-        a[1] = "-c";
-        a[2] = cmd;
-        a[3] = NULL;
-        execvp(a[0], a);
+        char **args = calloc(argc + 1, sizeof(char *));
+        if (!args) {
+                errExit("calloc");
+        }
+        bool found_separator = false;
+        /* copy argv into args, but drop --output(-stderr) arguments */
+        int j;
+        for (i = 0, j = 0; i < argc; i++) {
+                if (!found_separator && i > 0) {
+                        if (strncmp(argv[i], "--output=", 9) == 0) {
+                                continue;
+                        }
+                        if (strncmp(argv[i], "--output-stderr=", 16) == 0) {
+                                continue;
+                        }
+                        if (strncmp(argv[i], "--", 2) != 0 || strcmp(argv[i], "--") == 0) {
+                                found_separator = true;
+                        }
+                }
+                args[j++] = argv[i];
+        }
+        execvp(args[0], args);
 
         perror("execvp");
         exit(1);
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 278099e55..c0b09e945 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -58,6 +58,20 @@ void preproc_build_firejail_dir(void) {
                 create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
         }
 
+        if (stat(RUN_FIREJAIL_DBUS_DIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_DBUS_DIR, 0755);
+                if (arg_debug)
+                        printf("Remounting the " RUN_FIREJAIL_DBUS_DIR
+                                   " directory as noexec\n");
+                if (mount(RUN_FIREJAIL_DBUS_DIR, RUN_FIREJAIL_DBUS_DIR, NULL,
+                                  MS_BIND, NULL) == -1)
+                        errExit("mounting " RUN_FIREJAIL_DBUS_DIR);
+                if (mount(NULL, RUN_FIREJAIL_DBUS_DIR, NULL,
+                                  MS_REMOUNT | MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV,
+                                  "mode=755,gid=0") == -1)
+                        errExit("remounting " RUN_FIREJAIL_DBUS_DIR);
+        }
+
         if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) {
                 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
         }
@@ -98,13 +112,16 @@ void preproc_mount_mnt_dir(void) {
                         //copy default seccomp files
                         copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
                 }
-                if (arg_allow_debuggers)
+                if (arg_allow_debuggers) {
                         copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
-                else
+                        copy_file(PATH_SECCOMP_DEBUG_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
+                } else
                         copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
 
-                if (arg_memory_deny_write_execute)
+                if (arg_memory_deny_write_execute) {
                         copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed
+                        copy_file(PATH_SECCOMP_MDWX_32, RUN_SECCOMP_MDWX_32, getuid(), getgid(), 0644); // root needed
+                }
                 // as root, create empty RUN_SECCOMP_PROTOCOL and RUN_SECCOMP_POSTEXEC files
                 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
                 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
@@ -112,6 +129,9 @@ void preproc_mount_mnt_dir(void) {
                 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
                 if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
                         errExit("set_perms");
+                create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644);
+                if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644))
+                        errExit("set_perms");
 #endif
         }
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 969209869..970033899 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -18,6 +18,8 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/seccomp.h"
+#include "../include/syscall.h"
 #include <dirent.h>
 #include <sys/stat.h>
 extern char *xephyr_screen;
@@ -148,7 +150,11 @@ static int check_netoptions(void) {
 }
 
 static int check_nodbus(void) {
-        return arg_nodbus != 0;
+        return arg_dbus_user != DBUS_POLICY_ALLOW || arg_dbus_system != DBUS_POLICY_ALLOW;
+}
+
+static int check_nosound(void) {
+        return arg_nosound != 0;
 }
 
 static int check_x11(void) {
@@ -167,6 +173,7 @@ Cond conditionals[] = {
         {"HAS_APPIMAGE", check_appimage},
         {"HAS_NET", check_netoptions},
         {"HAS_NODBUS", check_nodbus},
+        {"HAS_NOSOUND", check_nosound},
         {"HAS_X11", check_x11},
         {"BROWSER_DISABLE_U2F", check_disable_u2f},
         {"BROWSER_ALLOW_DRM", check_allow_drm},
@@ -425,11 +432,122 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "nodbus") == 0) {
-                arg_nodbus = 1;
+                arg_dbus_user = DBUS_POLICY_BLOCK;
+                arg_dbus_system = DBUS_POLICY_BLOCK;
                 return 0;
         }
+        else if (strncmp("dbus-user ", ptr, 10) == 0) {
+                ptr += 10;
+                if (strcmp("filter", ptr) == 0) {
+                        if (arg_dbus_user == DBUS_POLICY_BLOCK) {
+                                fprintf(stderr, "Error: Cannot relax dbus-user policy, it is already set to block\n");
+                        } else {
+                                arg_dbus_user = DBUS_POLICY_FILTER;
+                        }
+                } else if (strcmp("none", ptr) == 0) {
+                        if (arg_dbus_log_user) {
+                                fprintf(stderr, "Error: --dbus-user.log requires --dbus-user=filter\n");
+                                exit(1);
+                        }
+                        arg_dbus_user = DBUS_POLICY_BLOCK;
+                } else {
+                        fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
+                        exit(1);
+                }
+                return 0;
+        }
+        else if (strncmp(ptr, "dbus-user.see ", 14) == 0) {
+                if (!dbus_check_name(ptr + 14)) {
+                        printf("Invalid dbus-user.see name: %s\n", ptr + 15);
+                        exit(1);
+                }
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {
+                if (!dbus_check_name(ptr + 15)) {
+                        printf("Invalid dbus-user.talk name: %s\n", ptr + 15);
+                        exit(1);
+                }
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-user.own ", 14) == 0) {
+                if (!dbus_check_name(ptr + 14)) {
+                        fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14);
+                        exit(1);
+                }
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-user.call ", 15) == 0) {
+                if (!dbus_check_call_rule(ptr + 15)) {
+                        fprintf(stderr, "Invalid dbus-user.call rule: %s\n", ptr + 15);
+                        exit(1);
+                }
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) {
+                if (!dbus_check_call_rule(ptr + 20)) {
+                        fprintf(stderr, "Invalid dbus-user.broadcast rule: %s\n", ptr + 20);
+                        exit(1);
+                }
+                return 1;
+        }
+        else if (strncmp("dbus-system ", ptr, 12) == 0) {
+                ptr += 12;
+                if (strcmp("filter", ptr) == 0) {
+                        if (arg_dbus_system == DBUS_POLICY_BLOCK) {
+                                fprintf(stderr, "Error: Cannot relax dbus-system policy, it is already set to block\n");
+                        } else {
+                                arg_dbus_system = DBUS_POLICY_FILTER;
+                        }
+                } else if (strcmp("none", ptr) == 0) {
+                        if (arg_dbus_log_system) {
+                                fprintf(stderr, "Error: --dbus-system.log requires --dbus-system=filter\n");
+                                exit(1);
+                        }
+                        arg_dbus_system = DBUS_POLICY_BLOCK;
+                } else {
+                        fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
+                        exit(1);
+                }
+                return 0;
+        }
+        else if (strncmp(ptr, "dbus-system.see ", 16) == 0) {
+                if (!dbus_check_name(ptr + 16)) {
+                        fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17);
+                        exit(1);
+                }
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {
+                if (!dbus_check_name(ptr + 17)) {
+                        fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);
+                        exit(1);
+                }
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-system.own ", 16) == 0) {
+                if (!dbus_check_name(ptr + 16)) {
+                        fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16);
+                        exit(1);
+                }
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-system.call ", 17) == 0) {
+                if (!dbus_check_call_rule(ptr + 17)) {
+                        fprintf(stderr, "Invalid dbus-system.call rule: %s\n", ptr + 17);
+                        exit(1);
+                }
+                return 1;
+        }
+        else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) {
+                if (!dbus_check_call_rule(ptr + 22)) {
+                        fprintf(stderr, "Invalid dbus-system.broadcast rule: %s\n", ptr + 22);
+                        exit(1);
+                }
+                return 1;
+        }
         else if (strcmp(ptr, "nou2f") == 0) {
-                arg_nou2f = 1;
+                arg_nou2f = 1;
                 return 0;
         }
         else if (strcmp(ptr, "netfilter") == 0) {
@@ -783,6 +901,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
                 return 0;
         }
+        if (strncmp(ptr, "seccomp.32 ", 11) == 0) {
+#ifdef HAVE_SECCOMP
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_seccomp32 = 1;
+                        cfg.seccomp_list32 = seccomp_check_list(ptr + 11);
+                }
+                else if (!arg_quiet)
+                        warning_feature_disabled("seccomp");
+#endif
+
+                return 0;
+        }
 
         if (strcmp(ptr, "seccomp.block-secondary") == 0) {
 #ifdef HAVE_SECCOMP
@@ -806,6 +936,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
+        if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
+#ifdef HAVE_SECCOMP
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_seccomp32 = 1;
+                        cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
+                }
+                else
+                        warning_feature_disabled("seccomp");
+#endif
+                return 0;
+        }
 
         // seccomp keep list
         if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
@@ -819,6 +960,17 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
+        if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
+#ifdef HAVE_SECCOMP
+                if (checkcfg(CFG_SECCOMP)) {
+                        arg_seccomp32 = 1;
+                        cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
+                }
+                else
+                        warning_feature_disabled("seccomp");
+#endif
+                return 0;
+        }
 
         // memory deny write&execute
         if (strcmp(ptr, "memory-deny-write-execute") == 0) {
@@ -831,6 +983,35 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        // seccomp error action
+        if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
+#ifdef HAVE_SECCOMP
+                if (checkcfg(CFG_SECCOMP)) {
+                        int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
+                        if (config_seccomp_error_action == -1) {
+                                if (strcmp(ptr + 21, "kill") == 0)
+                                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                                else if (strcmp(ptr + 21, "log") == 0)
+                                        arg_seccomp_error_action = SECCOMP_RET_LOG;
+                                else {
+                                        arg_seccomp_error_action = errno_find_name(ptr + 21);
+                                        if (arg_seccomp_error_action == -1)
+                                                errExit("seccomp-error-action: unknown errno");
+                                }
+                                cfg.seccomp_error_action = strdup(ptr + 21);
+                                if (!cfg.seccomp_error_action)
+                                        errExit("strdup");
+                        } else {
+                                arg_seccomp_error_action = config_seccomp_error_action;
+                                cfg.seccomp_error_action = config_seccomp_error_action_str;
+                                warning_feature_disabled("seccomp-error-action");
+                        }
+                } else
+                        warning_feature_disabled("seccomp");
+#endif
+                return 0;
+        }
+
         // caps drop list
         if (strncmp(ptr, "caps.drop ", 10) == 0) {
                 arg_caps_drop = 1;
@@ -1506,7 +1687,7 @@ void profile_read(const char *fname) {
                 }
 
                 // process include
-                if (strncmp(ptr, "include ", 8) == 0) {
+                if (strncmp(ptr, "include ", 8) == 0 && !is_in_ignore_list(ptr)) {
                         include_level++;
 
                         // expand macros in front of the include profile file
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 6402afbc6..a1594d6b9 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -90,7 +90,7 @@ void protocol_print_filter(pid_t pid) {
         exit(0);
 #else
         fwarning("--protocol not supported on this platform\n");
-        return;
+        exit(1);
 #endif
 }
 
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index a8fb838ab..b4df78dda 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -27,7 +27,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 // disable pulseaudio socket
@@ -72,8 +72,13 @@ void pulseaudio_disable(void) {
         closedir(dir);
 }
 
+static void pulseaudio_set_environment(const char *path) {
+        assert(path);
+        if (setenv("PULSE_CLIENTCONFIG", path, 1) < 0)
+                errExit("setenv");
+}
 
-// disable shm in pulseaudio
+// disable shm in pulseaudio (issue #69)
 void pulseaudio_init(void) {
         struct stat s;
 
@@ -108,84 +113,63 @@ void pulseaudio_init(void) {
                 errExit("set_perms");
 
         // create ~/.config/pulse directory if not present
-        char *homeusercfg;
+        char *homeusercfg = NULL;
         if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (lstat(homeusercfg, &s) == -1) {
-                if (create_empty_dir_as_user(homeusercfg, 0700))
-                        fs_logger2("create", homeusercfg);
-        }
-        else if (!S_ISDIR(s.st_mode)) {
-                if (S_ISLNK(s.st_mode))
-                        fprintf(stderr, "Error: %s is a symbolic link\n", homeusercfg);
-                else
-                        fprintf(stderr, "Error: %s is not a directory\n", homeusercfg);
-                exit(1);
-        }
-        free(homeusercfg);
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
 
+        free(homeusercfg);
         if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (lstat(homeusercfg, &s) == -1) {
-                if (create_empty_dir_as_user(homeusercfg, 0700))
-                        fs_logger2("create", homeusercfg);
-        }
-        else if (!S_ISDIR(s.st_mode)) {
-                if (S_ISLNK(s.st_mode))
-                        fprintf(stderr, "Error: %s is a symbolic link\n", homeusercfg);
-                else
-                        fprintf(stderr, "Error: %s is not a directory\n", homeusercfg);
-                exit(1);
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
+
+        // if ~/.config/pulse now exists and there are no symbolic links, mount the new directory
+        // else set environment variable
+        int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd == -1) {
+                pulseaudio_set_environment(pulsecfg);
+                goto out;
         }
-
-        // if we have ~/.config/pulse mount the new directory, else set environment variable.
-        if (stat(homeusercfg, &s) == 0) {
-                // get a file descriptor for ~/.config/pulse, fails if there is any symlink
-                int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                if (fd == -1)
-                        errExit("safe_fd");
-                // confirm the actual mount destination is owned by the user
-                if (fstat(fd, &s) == -1)
-                        errExit("fstat");
-                if (s.st_uid != getuid()) {
-                        fprintf(stderr, "Error: %s is not owned by the current user\n", homeusercfg);
-                        exit(1);
-                }
-                // preserve a read-only mount
-                struct statvfs vfs;
-                if (fstatvfs(fd, &vfs) == -1)
-                        errExit("fstatvfs");
-                if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
-                        fs_remount(RUN_PULSE_DIR, MOUNT_READONLY, 0);
-                // mount via the link in /proc/self/fd
-                if (arg_debug)
-                        printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg);
-                char *proc;
-                if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                        errExit("asprintf");
-                if (mount(RUN_PULSE_DIR, proc, "none", MS_BIND, NULL) < 0)
-                        errExit("mount pulseaudio");
-                fs_logger2("tmpfs", homeusercfg);
-                free(proc);
+        // confirm the actual mount destination is owned by the user
+        if (fstat(fd, &s) == -1)
+                errExit("fstat");
+        if (s.st_uid != getuid()) {
                 close(fd);
-                // check /proc/self/mountinfo to confirm the mount is ok
-                MountData *mptr = get_last_mount();
-                if (strcmp(mptr->dir, homeusercfg) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
-                        errLogExit("invalid pulseaudio mount");
-
-                char *p;
-                if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
-                        errExit("asprintf");
-                fs_logger2("create", p);
-                free(p);
-        }
-
-        else {
-                // set environment
-                if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0)
-                        errExit("setenv");
+                pulseaudio_set_environment(pulsecfg);
+                goto out;
         }
+        // preserve a read-only mount
+        struct statvfs vfs;
+        if (fstatvfs(fd, &vfs) == -1)
+                errExit("fstatvfs");
+        if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
+                fs_remount(RUN_PULSE_DIR, MOUNT_READONLY, 0);
+        // mount via the link in /proc/self/fd
+        if (arg_debug)
+                printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg);
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        if (mount(RUN_PULSE_DIR, proc, "none", MS_BIND, NULL) < 0)
+                errExit("mount pulseaudio");
+        // check /proc/self/mountinfo to confirm the mount is ok
+        MountData *mptr = get_last_mount();
+        if (strcmp(mptr->dir, homeusercfg) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
+                errLogExit("invalid pulseaudio mount");
+        fs_logger2("tmpfs", homeusercfg);
+        free(proc);
+        close(fd);
+
+        char *p;
+        if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
+                errExit("asprintf");
+        fs_logger2("create", p);
+        pulseaudio_set_environment(p);
+        free(p);
 
+out:
         free(pulsecfg);
         free(homeusercfg);
 }
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 5ebb0e9ec..a007312a6 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -29,7 +29,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 #define MAXBUF 1024
@@ -68,27 +68,25 @@ static USER_LIST *ulist_find(const char *user) {
 
 static void sanitize_home(void) {
         assert(getuid() != 0);  // this code works only for regular users
+        struct stat s;
 
         if (arg_debug)
                 printf("Cleaning /home directory\n");
-
-        struct stat s;
-        if (stat(cfg.homedir, &s) == -1) {
-                // cannot find home directory, just return
-                fwarning("cannot find home directory\n");
-                return;
-        }
-
-        if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
-                errExit("mkdir");
-
         // keep a copy of the user home directory
         int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
-                errExit("safe_fd");
+                goto errout;
+        if (fstat(fd, &s) == -1) { // FUSE
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                goto errout;
+        }
         char *proc;
         if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                 errExit("asprintf");
+        if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
+                errExit("mkdir");
         if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                 errExit("mount bind");
         free(proc);
@@ -125,6 +123,10 @@ static void sanitize_home(void) {
         if (!arg_private)
                 fs_logger2("whitelist", cfg.homedir);
 
+        return;
+
+errout:
+        fwarning("cannot clean /home directory\n");
 }
 
 static void sanitize_run(void) {
@@ -167,7 +169,7 @@ static void sanitize_run(void) {
         if (set_perms(runuser, getuid(), getgid(), 0700))
                 errExit("set_perms");
 
-        // mount user home directory
+        // mount /run/user/$UID directory
         if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
                 errExit("mount bind");
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index d1d98f636..e42d35be5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -19,16 +19,17 @@
 */
 
 #include "firejail.h"
+#include "../include/seccomp.h"
 #include <sys/mount.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
-#include <sys/prctl.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <syscall.h>
 
 #include <sched.h>
 #ifndef CLONE_NEWUSER
@@ -37,16 +38,15 @@
 
 #include <sys/prctl.h>
 #ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
+#define PR_SET_NO_NEW_PRIVS 38
 #endif
 #ifndef PR_GET_NO_NEW_PRIVS
-# define PR_GET_NO_NEW_PRIVS 39
+#define PR_GET_NO_NEW_PRIVS 39
 #endif
 
 #ifdef HAVE_APPARMOR
 #include <sys/apparmor.h>
 #endif
-#include <syscall.h>
 
 
 static int force_nonewprivs = 0;
@@ -125,6 +125,21 @@ static void set_caps(void) {
                 caps_drop_dac_override();
 }
 
+#ifdef HAVE_APPARMOR
+void set_apparmor(void) {
+        EUID_ASSERT();
+        if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
+                if (aa_change_onexec("firejail-default")) {
+                        fwarning("Cannot confine the application using AppArmor.\n"
+                                "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
+                                "As root, run \"aa-enforce firejail-default\" to load it.\n");
+                }
+                else if (arg_debug)
+                        printf("AppArmor enabled\n");
+        }
+}
+#endif
+
 static void save_nogroups(void) {
         if (arg_nogroups == 0)
                 return;
@@ -182,6 +197,32 @@ static FILE *create_ready_for_join_file(void) {
         }
 }
 
+#ifdef HAVE_SECCOMP
+static void seccomp_debug(void) {
+        if (arg_debug == 0)
+                return;
+
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // dropping privs before calling system(3)
+                drop_privs(1);
+                printf("Seccomp directory:\n");
+                int rv = system("ls -l "  RUN_SECCOMP_DIR);
+                (void) rv;
+                printf("Active seccomp files:\n");
+                rv = system("cat " RUN_SECCOMP_LIST);
+                (void) rv;
+#ifdef HAVE_GCOV
+                __gcov_flush();
+#endif
+                _exit(0);
+        }
+        waitpid(child, NULL, 0);
+}
+#endif
+
 static void sandbox_if_up(Bridge *br) {
         assert(br);
         if (!br->configured)
@@ -625,7 +666,8 @@ int sandbox(void* sandbox_arg) {
         // ... and mount a tmpfs on top of /run/firejail/mnt directory
         preproc_mount_mnt_dir();
         // bind-mount firejail binaries and helper programs
-        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 ||
+            mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0)
                 errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 
         //****************************
@@ -778,8 +820,6 @@ int sandbox(void* sandbox_arg) {
                 if (rv)
                         exit(rv);
         }
-        if (arg_seccomp && (cfg.seccomp_list || cfg.seccomp_list_drop || cfg.seccomp_list_keep))
-                arg_seccomp_postexec = 1;
 #endif
 
         // need ld.so.preload if tracing or seccomp with any non-default lists
@@ -918,8 +958,7 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // Session D-BUS
         //****************************
-        if (arg_nodbus)
-                dbus_disable();
+        dbus_apply_policy();
 
 
         //****************************
@@ -1098,28 +1137,32 @@ int sandbox(void* sandbox_arg) {
         // if a keep list is available, disregard the drop list
         if (arg_seccomp == 1) {
                 if (cfg.seccomp_list_keep)
-                        seccomp_filter_keep();
+                        seccomp_filter_keep(true);
                 else
-                        seccomp_filter_drop();
-
+                        seccomp_filter_drop(true);
         }
-        else { // clean seccomp files under /run/firejail/mnt
-                int rv = unlink(RUN_SECCOMP_CFG);
-                rv |= unlink(RUN_SECCOMP_32);
-                (void) rv;
+        if (arg_seccomp32 == 1) {
+                if (cfg.seccomp_list_keep32)
+                        seccomp_filter_keep(false);
+                else
+                        seccomp_filter_drop(false);
+
         }
 
         if (arg_memory_deny_write_execute) {
+                if (arg_seccomp_error_action != EPERM) {
+                        seccomp_filter_mdwx(true);
+                        seccomp_filter_mdwx(false);
+                }
                 if (arg_debug)
                         printf("Install memory write&execute filter\n");
                 seccomp_load(RUN_SECCOMP_MDWX); // install filter
+                seccomp_load(RUN_SECCOMP_MDWX_32);
         }
-        else {
-                int rv = unlink(RUN_SECCOMP_MDWX);
-                (void) rv;
-        }
+
         // make seccomp filters read-only
         fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
+        seccomp_debug();
 #endif
 
         // set capabilities
@@ -1203,17 +1246,10 @@ int sandbox(void* sandbox_arg) {
 
         if (app_pid == 0) {
 #ifdef HAVE_APPARMOR
-                if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
-                        errno = 0;
-                        if (aa_change_onexec("firejail-default")) {
-                                fwarning("Cannot confine the application using AppArmor.\n"
-                                        "Maybe firejail-default AppArmor profile is not loaded into the kernel.\n"
-                                        "As root, run \"aa-enforce firejail-default\" to load it.\n");
-                        }
-                        else if (arg_debug)
-                                printf("AppArmor enabled\n");
-                }
+                // add apparmor confinement after the execve
+                set_apparmor();
 #endif
+
                 // set nice and rlimits
                 if (arg_nice)
                         set_nice(cfg.nice);
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index c3b68f3a8..57c21ce78 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -23,7 +23,7 @@
 #include <unistd.h>
 #include <net/if.h>
 #include <stdarg.h>
- #include <sys/wait.h>
+#include <sys/wait.h>
 #include "../include/seccomp.h"
 
 #include <fcntl.h>
@@ -31,101 +31,233 @@
 #define O_PATH 010000000
 #endif
 
-static struct sock_filter filter[] = {
-        VALIDATE_ARCHITECTURE,
-        EXAMINE_SYSCALL,
+static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * const arg[]) {
+        // build a new, clean environment
+        int env_index = 0;
+        char *new_environment[256] = { NULL };
+        // preserve firejail-specific env vars
+        char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
+        if (cl) {
+                if (asprintf(&new_environment[env_index++], "FIREJAIL_FILE_COPY_LIMIT=%s", cl) == -1)
+                        errExit("asprintf");
+        }
+        if (arg_quiet) // --quiet is passed as an environment variable
+                new_environment[env_index++] = "FIREJAIL_QUIET=yes";
+        if (arg_debug) // --debug is passed as an environment variable
+                new_environment[env_index++] = "FIREJAIL_DEBUG=yes";
+        if (cfg.seccomp_error_action)
+                if (asprintf(&new_environment[env_index++], "FIREJAIL_SECCOMP_ERROR_ACTION=%s", cfg.seccomp_error_action) == -1)
+                        errExit("asprintf");
+
+        if (filtermask & SBOX_STDIN_FROM_FILE) {
+                int fd;
+                if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
+                        fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);
+                        exit(1);
+                }
+                if (dup2(fd, STDIN_FILENO) == -1)
+                        errExit("dup2");
+                close(fd);
+        }
+        else if ((filtermask & SBOX_ALLOW_STDIN) == 0) {
+                int fd = open("/dev/null",O_RDWR, 0);
+                if (fd != -1) {
+                        if (dup2(fd, STDIN_FILENO) == -1)
+                                errExit("dup2");
+                        close(fd);
+                }
+                else // the user could run the sandbox without /dev/null
+                        close(STDIN_FILENO);
+        }
+
+        // close all other file descriptors
+        if ((filtermask & SBOX_KEEP_FDS) == 0) {
+                int i;
+                for (i = 3; i < FIREJAIL_MAX_FD; i++)
+                        close(i); // close open files
+        }
+
+        umask(027);
+
+        // apply filters
+        if (filtermask & SBOX_CAPS_NONE) {
+                caps_drop_all();
+        } else {
+                uint64_t set = 0;
+                if (filtermask & SBOX_CAPS_NETWORK) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        set |= ((uint64_t) 1) << CAP_NET_ADMIN;
+                        set |= ((uint64_t) 1) << CAP_NET_RAW;
+#endif
+                }
+                if (filtermask & SBOX_CAPS_HIDEPID) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        set |= ((uint64_t) 1) << CAP_SYS_PTRACE;
+                        set |= ((uint64_t) 1) << CAP_SYS_PACCT;
+#endif
+                }
+                if (filtermask & SBOX_CAPS_NET_SERVICE) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        set |= ((uint64_t) 1) << CAP_NET_BIND_SERVICE;
+                        set |= ((uint64_t) 1) << CAP_NET_BROADCAST;
+#endif
+                }
+                if (set != 0) { // some SBOX_CAPS_ flag was specified, drop all other capabilities
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
+                        caps_set(set);
+#endif
+                }
+        }
+
+        if (filtermask & SBOX_SECCOMP) {
+                struct sock_filter filter[] = {
+                        VALIDATE_ARCHITECTURE,
+                        EXAMINE_SYSCALL,
 
 #if defined(__x86_64__)
 #define X32_SYSCALL_BIT 0x40000000
-        // handle X32 ABI
-        BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0),
-        BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0),
-        RETURN_ERRNO(EPERM),
+                        // handle X32 ABI
+                        BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, X32_SYSCALL_BIT, 1, 0),
+                        BPF_JUMP(BPF_JMP + BPF_JGE + BPF_K, 0, 1, 0),
+                        RETURN_ERRNO(EPERM),
 #endif
 
-        // syscall list
+                // syscall list
 #ifdef SYS_mount
-        BLACKLIST(SYS_mount),  // mount/unmount filesystems
+                        BLACKLIST(SYS_mount), // mount/unmount filesystems
+#endif
+#ifdef SYS_umount
+                        BLACKLIST(SYS_umount),
 #endif
 #ifdef SYS_umount2
-        BLACKLIST(SYS_umount2),
+                        BLACKLIST(SYS_umount2),
 #endif
 #ifdef SYS_ptrace
-        BLACKLIST(SYS_ptrace), // trace processes
+                        BLACKLIST(SYS_ptrace), // trace processes
+#endif
+#ifdef SYS_process_vm_readv
+                        BLACKLIST(SYS_process_vm_readv),
+#endif
+#ifdef SYS_process_vm_writev
+                        BLACKLIST(SYS_process_vm_writev),
 #endif
 #ifdef SYS_kexec_file_load
-        BLACKLIST(SYS_kexec_file_load),
+                        BLACKLIST(SYS_kexec_file_load), // loading a different kernel
 #endif
 #ifdef SYS_kexec_load
-        BLACKLIST(SYS_kexec_load), // loading a different kernel
+                        BLACKLIST(SYS_kexec_load),
 #endif
 #ifdef SYS_name_to_handle_at
-        BLACKLIST(SYS_name_to_handle_at),
+                        BLACKLIST(SYS_name_to_handle_at),
 #endif
 #ifdef SYS_open_by_handle_at
-        BLACKLIST(SYS_open_by_handle_at), // open by handle
+                        BLACKLIST(SYS_open_by_handle_at), // open by handle
 #endif
 #ifdef SYS_init_module
-        BLACKLIST(SYS_init_module), // kernel module handling
+                        BLACKLIST(SYS_init_module), // kernel module handling
 #endif
 #ifdef SYS_finit_module // introduced in 2013
-        BLACKLIST(SYS_finit_module),
+                        BLACKLIST(SYS_finit_module),
 #endif
 #ifdef SYS_create_module
-        BLACKLIST(SYS_create_module),
+                        BLACKLIST(SYS_create_module),
 #endif
 #ifdef SYS_delete_module
-        BLACKLIST(SYS_delete_module),
+                        BLACKLIST(SYS_delete_module),
 #endif
 #ifdef SYS_iopl
-        BLACKLIST(SYS_iopl), // io permissions
-#endif
-#ifdef  SYS_ioperm
-        BLACKLIST(SYS_ioperm),
+                        BLACKLIST(SYS_iopl), // io permissions
 #endif
-#ifdef SYS_iopl
-        BLACKLIST(SYS_iopl), // io permissions
+#ifdef SYS_ioperm
+                        BLACKLIST(SYS_ioperm),
 #endif
-#ifdef  SYS_ioprio_set
-        BLACKLIST(SYS_ioprio_set),
+#ifdef SYS_ioprio_set
+                        BLACKLIST(SYS_ioprio_set),
 #endif
 #ifdef SYS_ni_syscall // new io permissions call on arm devices
-        BLACKLIST(SYS_ni_syscall),
+                        BLACKLIST(SYS_ni_syscall),
 #endif
 #ifdef SYS_swapon
-        BLACKLIST(SYS_swapon), // swap on/off
+                        BLACKLIST(SYS_swapon), // swap on/off
 #endif
 #ifdef SYS_swapoff
-        BLACKLIST(SYS_swapoff),
+                        BLACKLIST(SYS_swapoff),
 #endif
 #ifdef SYS_syslog
-        BLACKLIST(SYS_syslog), // kernel printk control
+                        BLACKLIST(SYS_syslog), // kernel printk control
 #endif
-        RETURN_ALLOW
-};
+                        RETURN_ALLOW
+                };
 
-static struct sock_fprog prog = {
-        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
-        .filter = filter,
-};
+                struct sock_fprog prog = {
+                        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
+                        .filter = filter,
+                };
+
+                if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+                        perror("prctl(NO_NEW_PRIVS)");
+                }
+                if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
+                        perror("prctl(PR_SET_SECCOMP)");
+                }
+        }
+
+        if (filtermask & SBOX_ROOT) {
+                // elevate privileges in order to get grsecurity working
+                if (setreuid(0, 0))
+                        errExit("setreuid");
+                if (setregid(0, 0))
+                        errExit("setregid");
+        }
+        else if (filtermask & SBOX_USER)
+                drop_privs(1);
+
+        if (arg[0]) { // get rid of scan-build warning
+                int fd = open(arg[0], O_PATH | O_CLOEXEC);
+                if (fd == -1) {
+                        if (errno == ENOENT) {
+                                fprintf(stderr, "Error: %s does not exist\n", arg[0]);
+                                exit(1);
+                        } else {
+                                errExit("open");
+                        }
+                }
+                struct stat s;
+                if (fstat(fd, &s) == -1)
+                        errExit("fstat");
+                if (s.st_uid != 0 && s.st_gid != 0) {
+                        fprintf(stderr, "Error: %s is not owned by root, refusing to execute\n", arg[0]);
+                        exit(1);
+                }
+                if (s.st_mode & 00002) {
+                        fprintf(stderr, "Error: %s is world writable, refusing to execute\n", arg[0]);
+                        exit(1);
+                }
+                fexecve(fd, arg, new_environment);
+        } else {
+                assert(0);
+        }
+        perror("fexecve");
+        _exit(1);
+}
 
 int sbox_run(unsigned filtermask, int num, ...) {
         va_list valist;
         va_start(valist, num);
 
         // build argument list
-  char **arg = malloc((num + 1) * sizeof(char *));
-  int i;
+        char **arg = malloc((num + 1) * sizeof(char *));
+        int i;
         for (i = 0; i < num; i++)
-                arg[i] = va_arg(valist, char*);
+                arg[i] = va_arg(valist, char *);
         arg[i] = NULL;
         va_end(valist);
 
-  int status = sbox_run_v(filtermask, arg);
+        int status = sbox_run_v(filtermask, arg);
 
-  free(arg);
+        free(arg);
 
-  return status;
+        return status;
 }
 
 int sbox_run_v(unsigned filtermask, char * const arg[]) {
@@ -141,129 +273,14 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
                 printf("\n");
         }
 
+        // KEEP_FDS only makes sense with sbox_exec_v
+        assert((filtermask & SBOX_KEEP_FDS) == 0);
+
         pid_t child = fork();
         if (child < 0)
                 errExit("fork");
         if (child == 0) {
-                int env_index = 0;
-                char *new_environment[256] = { NULL };
-                // preserve firejail-specific env vars
-                char *cl = getenv("FIREJAIL_FILE_COPY_LIMIT");
-                if (cl) {
-                        if (asprintf(&new_environment[env_index++], "FIREJAIL_FILE_COPY_LIMIT=%s", cl) == -1)
-                                errExit("asprintf");
-                }
-                clearenv();
-                if (arg_quiet) // --quiet is passed as an environment variable
-                        new_environment[env_index++] = "FIREJAIL_QUIET=yes";
-                if (arg_debug) // --debug is passed as an environment variable
-                        new_environment[env_index++] = "FIREJAIL_DEBUG=yes";
-
-                if (filtermask & SBOX_STDIN_FROM_FILE) {
-                        int fd;
-                        if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
-                                fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);
-                                exit(1);
-                        }
-                        if (dup2(fd, STDIN_FILENO) == -1)
-                                errExit("dup2");
-                        close(fd);
-                }
-                else if ((filtermask & SBOX_ALLOW_STDIN) == 0) {
-                        int fd = open("/dev/null",O_RDWR, 0);
-                        if (fd != -1) {
-                                if (dup2(fd, STDIN_FILENO) == -1)
-                                        errExit("dup2");
-                                close(fd);
-                        }
-                        else // the user could run the sandbox without /dev/null
-                                close(STDIN_FILENO);
-                }
-
-                // close all other file descriptors
-                int max = 20; // getdtablesize() is overkill for a firejail process
-                int i = 3;
-                for (i = 3; i < max; i++)
-                        close(i); // close open files
-
-                umask(027);
-
-                // apply filters
-                if (filtermask & SBOX_CAPS_NONE) {
-                        caps_drop_all();
-                } else {
-                        uint64_t set = 0;
-                        if (filtermask & SBOX_CAPS_NETWORK) {
-#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
-                                set |= ((uint64_t) 1) << CAP_NET_ADMIN;
-                                set |= ((uint64_t) 1) << CAP_NET_RAW;
-#endif
-                        }
-                        if (filtermask & SBOX_CAPS_HIDEPID) {
-#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
-                                set |= ((uint64_t) 1) << CAP_SYS_PTRACE;
-                                set |= ((uint64_t) 1) << CAP_SYS_PACCT;
-#endif
-                        }
-                        if (filtermask & SBOX_CAPS_NET_SERVICE) {
-#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
-                                set |= ((uint64_t) 1) << CAP_NET_BIND_SERVICE;
-                                set |= ((uint64_t) 1) << CAP_NET_BROADCAST;
-#endif
-                        }
-                        if (set != 0) { // some SBOX_CAPS_ flag was specified, drop all other capabilities
-#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
-                                caps_set(set);
-#endif
-                        }
-                }
-
-                if (filtermask & SBOX_SECCOMP) {
-                        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-                                perror("prctl(NO_NEW_PRIVS)");
-                        }
-                        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
-                                perror("prctl(PR_SET_SECCOMP)");
-                        }
-                }
-
-                if (filtermask & SBOX_ROOT) {
-                        // elevate privileges in order to get grsecurity working
-                        if (setreuid(0, 0))
-                                errExit("setreuid");
-                        if (setregid(0, 0))
-                                errExit("setregid");
-                }
-                else if (filtermask & SBOX_USER)
-                        drop_privs(1);
-
-                if (arg[0]) { // get rid of scan-build warning
-                        int fd = open(arg[0], O_PATH | O_CLOEXEC);
-                        if (fd == -1) {
-                                if (errno == ENOENT) {
-                                        fprintf(stderr, "Error: %s does not exist\n", arg[0]);
-                                        exit(1);
-                                } else {
-                                        errExit("open");
-                                }
-                        }
-                        struct stat s;
-                        if (fstat(fd, &s) == -1)
-                                errExit("fstat");
-                        if (s.st_uid != 0 && s.st_gid != 0) {
-                                fprintf(stderr, "Error: %s is not owned by root, refusing to execute\n", arg[0]);
-                                exit(1);
-                        }
-                        if (s.st_mode & 00002) {
-                                fprintf(stderr, "Error: %s is world writable, refusing to execute\n", arg[0]);
-                                exit(1);
-                        }
-                        fexecve(fd, arg, new_environment);
-                } else {
-                        assert(0);
-                }
-                perror("fexecve");
-                _exit(1);
+                sbox_do_exec_v(filtermask, arg);
         }
 
         int status;
@@ -277,3 +294,19 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
 
         return status;
 }
+
+void sbox_exec_v(unsigned filtermask, char * const arg[]) {
+        EUID_ROOT();
+
+        if (arg_debug) {
+                printf("sbox exec: ");
+                int i = 0;
+                while (arg[i]) {
+                        printf("%s ", arg[i]);
+                        i++;
+                }
+                printf("\n");
+        }
+
+        sbox_do_exec_v(filtermask, arg);
+}
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 10a2a5665..7f55ccc0e 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -191,15 +191,25 @@ static void seccomp_filter_block_secondary(void) {
 }
 
 // drop filter for seccomp option
-int seccomp_filter_drop(void) {
+int seccomp_filter_drop(bool native) {
+        const char *filter, *postexec_filter;
+
+        if (native) {
+                filter = RUN_SECCOMP_CFG;
+                postexec_filter = RUN_SECCOMP_POSTEXEC;
+        } else {
+                filter = RUN_SECCOMP_32;
+                postexec_filter = RUN_SECCOMP_POSTEXEC_32;
+        }
+
         // if we have multiple seccomp commands, only one of them is executed
         // in the following order:
         //      - seccomp.drop list
         //      - seccomp list
         //      - seccomp
         if (cfg.seccomp_list_drop == NULL) {
-                // default seccomp
-                if (cfg.seccomp_list == NULL) {
+                // default seccomp if error action is not changed
+                if (cfg.seccomp_list == NULL && cfg.seccomp_error_action) {
                         if (arg_seccomp_block_secondary)
                                 seccomp_filter_block_secondary();
                         else {
@@ -224,19 +234,30 @@ int seccomp_filter_drop(void) {
                         if (arg_debug)
                                 printf("Build default+drop seccomp filter\n");
 
+                        const char *command, *list;
+                        if (native) {
+                                command = "default";
+                                list = cfg.seccomp_list;
+                        } else {
+                                command = "default32";
+                                list = cfg.seccomp_list32;
+                        }
+
+                        if (list == NULL)
+                                list = "";
                         // build the seccomp filter as a regular user
                         int rv;
                         if (arg_allow_debuggers)
                                 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
-                                              PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list, "allow-debuggers");
+                                              PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
                         else
                                 rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
-                                              PATH_FSECCOMP, "default", "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list);
+                                              PATH_FSECCOMP, command, "drop", filter, postexec_filter, list);
                         if (rv)
                                 exit(rv);
 
                         // optimize the new filter
-                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+                        rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, filter);
                         if (rv)
                                 exit(rv);
                 }
@@ -250,36 +271,45 @@ int seccomp_filter_drop(void) {
                 if (arg_debug)
                         printf("Build drop seccomp filter\n");
 
+                const char *command, *list;
+                if (native) {
+                        command = "drop";
+                        list = cfg.seccomp_list_drop;
+                } else {
+                        command = "drop32";
+                        list = cfg.seccomp_list_drop32;
+                }
+
                 // build the seccomp filter as a regular user
                 int rv;
                 if (arg_allow_debuggers)
                         rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 6,
-                                      PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_drop,  "allow-debuggers");
+                                      PATH_FSECCOMP, command, filter, postexec_filter, list,  "allow-debuggers");
                 else
                         rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
-                                PATH_FSECCOMP, "drop", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_drop);
+                                      PATH_FSECCOMP, command, filter, postexec_filter, list);
 
                 if (rv)
                         exit(rv);
 
                 // optimize the drop filter
-                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, RUN_SECCOMP_CFG);
+                rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSEC_OPTIMIZE, filter);
                 if (rv)
                         exit(rv);
         }
 
         // load the filter
-        if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
+        if (seccomp_load(filter) == 0) {
                 if (arg_debug)
                         printf("seccomp filter configured\n");
         }
 
         if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
                 struct stat st;
-                if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
-                        printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
+                if (stat(postexec_filter, &st) != -1 && st.st_size != 0) {
+                        printf("configuring postexec seccomp filter in %s\n", postexec_filter);
                         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
-                                  PATH_FSEC_PRINT, RUN_SECCOMP_POSTEXEC);
+                                  PATH_FSEC_PRINT, postexec_filter);
                 }
         }
 
@@ -287,7 +317,7 @@ int seccomp_filter_drop(void) {
 }
 
 // keep filter for seccomp option
-int seccomp_filter_keep(void) {
+int seccomp_filter_keep(bool native) {
         // secondary filters are not installed except when secondary
         // architectures are explicitly blocked
         if (arg_seccomp_block_secondary)
@@ -296,9 +326,20 @@ int seccomp_filter_keep(void) {
         if (arg_debug)
                 printf("Build keep seccomp filter\n");
 
+        const char *filter, *postexec_filter, *list;
+        if (native) {
+                filter = RUN_SECCOMP_CFG;
+                postexec_filter = RUN_SECCOMP_POSTEXEC;
+                list = cfg.seccomp_list_keep;
+        } else {
+                filter = RUN_SECCOMP_32;
+                postexec_filter = RUN_SECCOMP_POSTEXEC_32;
+                list = cfg.seccomp_list_keep32;
+        }
+
         // build the seccomp filter as a regular user
         int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 5,
-                 PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, RUN_SECCOMP_POSTEXEC, cfg.seccomp_list_keep);
+                 PATH_FSECCOMP, "keep", filter, postexec_filter, list);
 
         if (rv) {
                 fprintf(stderr, "Error: cannot configure seccomp filter\n");
@@ -309,23 +350,52 @@ int seccomp_filter_keep(void) {
                 printf("seccomp filter configured\n");
 
         // load the filter
-        if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
+        if (seccomp_load(filter) == 0) {
                 if (arg_debug)
                         printf("seccomp filter configured\n");
         }
 
         if (arg_debug && access(PATH_FSEC_PRINT, X_OK) == 0) {
                 struct stat st;
-                if (stat(RUN_SECCOMP_POSTEXEC, &st) != -1 && st.st_size != 0) {
-                        printf("configuring postexec seccomp filter in %s\n", RUN_SECCOMP_POSTEXEC);
+                if (stat(postexec_filter, &st) != -1 && st.st_size != 0) {
+                        printf("configuring postexec seccomp filter in %s\n", postexec_filter);
                         sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2,
-                                  PATH_FSEC_PRINT, RUN_SECCOMP_POSTEXEC);
+                                  PATH_FSEC_PRINT, postexec_filter);
                 }
         }
 
         return 0;
 }
 
+// create mdwx filter for non-default error action
+int seccomp_filter_mdwx(bool native) {
+        if (arg_debug)
+                printf("Build memory-deny-write-execute filter\n");
+
+        const char *command, *filter;
+        if (native) {
+                command = "memory-deny-write-execute";
+                filter = RUN_SECCOMP_MDWX;
+        } else {
+                command = "memory-deny-write-execute.32";
+                filter = RUN_SECCOMP_MDWX_32;
+        }
+
+        // build the seccomp filter as a regular user
+        int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
+                 PATH_FSECCOMP, command, filter);
+
+        if (rv) {
+                fprintf(stderr, "Error: cannot build memory-deny-write-execute filter\n");
+                exit(rv);
+        }
+
+        if (arg_debug)
+                printf("Memory-deny-write-execute filter configured\n");
+
+        return 0;
+}
+
 void seccomp_print_filter(pid_t pid) {
         EUID_ASSERT();
 
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index a7d0b2fbe..7e9628007 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -63,7 +63,9 @@ void shut(pid_t pid) {
                 sleep(1);
                 monsec--;
 
+                EUID_ROOT();
                 FILE *fp = fopen(monfile, "r");
+                EUID_USER();
                 if (!fp) {
                         killdone = 1;
                         break;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 52d4f7c03..73c9a6a8b 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -53,6 +53,21 @@ static char *usage_str =
 #endif
         "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
         "    --cpu.print=name|pid - print the cpus in use.\n"
+        "    --dbus-log=file - set DBus log file location.\n"
+        "    --dbus-system=filter|none - set system DBus access policy.\n"
+        "    --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n"
+        "    --dbus-system.call=rule - allow calls on the system DBus according to rule.\n"
+        "    --dbus-system.log - turn on logging for the system DBus."
+        "    --dbus-system.own=name - allow ownership of name on the system DBus.\n"
+        "    --dbus-system.see=name - allow seeing name on the system DBus.\n"
+        "    --dbus-system.talk=name - allow talking to name on the system DBus.\n"
+        "    --dbus-user=filter|none - set session DBus access policy.\n"
+        "    --dbus-user.broadcast=rule - allow signals on the session DBus according to rule.\n"
+        "    --dbus-user.call=rule - allow calls on the session DBus according to rule.\n"
+        "    --dbus-user.log - turn on logging for the user DBus."
+        "    --dbus-user.own=name - allow ownership of name on the session DBus.\n"
+        "    --dbus-user.see=name - allow seeing name on the session DBus.\n"
+        "    --dbus-user.talk=name - allow talking to name on the session DBus.\n"
         "    --debug - print sandbox debug messages.\n"
         "    --debug-blacklists - debug blacklisting.\n"
         "    --debug-caps - print all recognized capabilities.\n"
@@ -60,6 +75,7 @@ static char *usage_str =
         "    --debug-private-lib - debug for --private-lib option.\n"
         "    --debug-protocols - print all recognized protocols.\n"
         "    --debug-syscalls - print all recognized system calls.\n"
+        "    --debug-syscalls32 - print all recognized 32 bit system calls.\n"
 #ifdef HAVE_WHITELIST
         "    --debug-whitelists - debug whitelisting.\n"
 #endif
@@ -207,6 +223,9 @@ static char *usage_str =
         "\twhitelist the syscalls specified by the command.\n"
         "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
         "\tidentified by name or PID.\n"
+        "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
+        "    --seccomp-error-action=errno|kill|log - change error code, kill process\n"
+        "\tor log the attempt.\n"
 #endif
         "    --shell=none - run the program directly without a user shell.\n"
         "    --shell=program - set default user shell.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 6bfc80903..3aa0584d6 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -957,16 +957,27 @@ int remove_overlay_directory(void) {
         return 0;
 }
 
+// flush stdin if it is connected to a tty and has input
 void flush_stdin(void) {
-        if (isatty(STDIN_FILENO)) {
-                int cnt = 0;
-                int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
-                if (rv == 0 && cnt) {
-                        fwarning("removing %d bytes from stdin\n", cnt);
-                        rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
-                        (void) rv;
-                }
-        }
+        if (!isatty(STDIN_FILENO))
+                return;
+
+        int cnt = 0;
+        int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt);
+        if (rv != 0 || cnt == 0)
+                return;
+
+        fwarning("removing %d bytes from stdin\n", cnt);
+
+        // If this process is backgrounded, below ioctl() will trigger
+        // SIGTTOU and stop us. We avoid this by ignoring SIGTTOU for
+        // the duration of the ioctl.
+        sighandler_t hdlr = signal(SIGTTOU, SIG_IGN);
+        rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+        signal(SIGTTOU, hdlr);
+
+        if (rv)
+                fwarning("Flushing stdin failed: %s\n", strerror(errno));
 }
 
 // return 1 if new directory was created, else return 0
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 6395903f9..ba54ca376 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -625,7 +625,64 @@ void x11_start_xephyr(int argc, char **argv) {
 }
 
 
-void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
+// this function returns the string that will appear in the window title when xpra is being used
+// this string may include one of these items:
+// *  the "--name" argument, if specified
+// *  the basename portion of the "--private" directory, if specified
+// note: the malloc() is leaking, but this is a small string allocated one time only during startup, so don't care
+static char * get_title_arg_str() {
+
+        char * title_arg_str = NULL;
+
+        const char * title_start = "--title=firejail x11 sandbox";
+        const char * title_sep = " ";
+
+        // use the "--name" argument if it was explicitly specified
+        if ((cfg.name != NULL) && (strlen(cfg.name) > 0)) {
+
+                title_arg_str = malloc(strlen(title_start) + strlen(title_sep) + strlen(cfg.name) + 1);
+                if (title_arg_str == NULL) {
+                        fprintf(stderr, "Error: malloc() failed to allocate memory\n");
+                        exit(1);
+                }
+
+                strcpy(title_arg_str, title_start);
+                strcat(title_arg_str, title_sep);
+                strcat(title_arg_str, cfg.name);
+        }
+
+        // use the "--private" argument if it was explicitly specified
+        else if ((cfg.home_private != NULL) && (strlen(cfg.home_private) > 0)) {
+
+                const char * base_out = gnu_basename(cfg.home_private);
+
+                title_arg_str = malloc(strlen(title_start) + strlen(title_sep) + strlen(base_out) + 1);
+                if (title_arg_str == NULL) {
+                        fprintf(stderr, "Error: malloc() failed to allocate memory\n");
+                        exit(1);
+                }
+
+                strcpy(title_arg_str, title_start);
+                strcat(title_arg_str, title_sep);
+                strcat(title_arg_str, base_out);
+        }
+
+        // default
+        else {
+                title_arg_str = malloc(strlen(title_start) + 1);
+                if (title_arg_str == NULL) {
+                        fprintf(stderr, "Error: malloc() failed to allocate memory\n");
+                        exit(1);
+                }
+
+                strcpy(title_arg_str, title_start);
+        }
+
+        return title_arg_str;
+}
+
+
+static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
         EUID_ASSERT();
         int i;
         struct stat s;
@@ -752,7 +809,10 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
         free(fname);
 
         // build attach command
-        char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str, NULL };
+
+        char * title_arg_str = get_title_arg_str();
+
+        char *attach_argv[] = { "xpra", title_arg_str, "attach", display_str, NULL };
 
         // run attach command
         client = fork();
@@ -861,7 +921,7 @@ void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
 }
 
 
-void x11_start_xpra_new(int argc, char **argv, char *display_str) {
+static void __attribute__((noreturn)) x11_start_xpra_new(int argc, char **argv, char *display_str) {
         EUID_ASSERT();
         int i;
         pid_t server = 0;
@@ -1175,16 +1235,15 @@ void x11_xorg(void) {
 
         // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted
         // automatically when the sandbox is closed (rename doesn't work)
-                                                  // root needed
-        if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) {
-                fprintf(stderr, "Error: cannot create the new .Xauthority file\n");
-                exit(1);
-        }
+        if (arg_debug)
+                printf("Copying the new .Xauthority file\n");
+        copy_file_from_user_to_root(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600);
+        
         /* coverity[toctou] */
         unlink(tmpfname);
         umount("/tmp");
 
-        // remount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
+        // mount RUN_XAUTHORITY_SEC_FILE noexec, nodev, nosuid
         fs_remount(RUN_XAUTHORITY_SEC_FILE, MOUNT_NOEXEC, 0);
 
         // Ensure there is already a file in the usual location, so that bind-mount below will work.
@@ -1294,19 +1353,17 @@ void fs_x11(void) {
         if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
                 errExit("mount bind");
 
-        // This directory must be mode 1777, or Xlib will barf.
+        // This directory must be mode 1777
         if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
                 MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
                 "mode=1777,uid=0,gid=0") < 0)
                 errExit("mounting tmpfs on /tmp/.X11-unix");
         fs_logger("tmpfs /tmp/.X11-unix");
 
-        // create an empty file which will have the desired socket bind-mounted over it
-        int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT);
+        // create an empty root-owned file which will have the desired socket bind-mounted over it
+        int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL, S_IRUSR | S_IWUSR);
         if (fd < 0)
                 errExit(x11file);
-        if (fchown(fd, x11stat.st_uid, x11stat.st_gid))
-                errExit("fchown");
         close(fd);
 
         // the mount source is under control of the user, so be careful and
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index 7a55a64fb..3fba486eb 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -46,13 +46,13 @@ void firemon_sleep(int st);
 
 
 // procevent.c
-void procevent(pid_t pid);
+void procevent(pid_t pid) __attribute__((noreturn));
 
 // usage.c
 void usage(void);
 
 // top.c
-void top(void);
+void top(void) __attribute__((noreturn));
 
 // list.c
 void list(void);
@@ -82,7 +82,7 @@ void cgroup(pid_t pid, int print_procs);
 void tree(pid_t pid);
 
 // netstats.c
-void netstats(void);
+void netstats(void) __attribute__((noreturn));
 
 // x11.c
 void x11(pid_t pid, int print_procs);
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index c823943c0..45964d3a2 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -98,7 +98,7 @@ static int pid_is_firejail(pid_t pid) {
                         "apparmor.print", "caps.print", "cpu.print", "dns.print", "fs.print", "netfilter.print",
                         "netfilter6.print", "profile.print", "protocol.print", "seccomp.print",
                         // debug
-                        "debug-caps", "debug-errnos", "debug-protocols", "debug-syscalls",
+                        "debug-caps", "debug-errnos", "debug-protocols", "debug-syscalls", "debug-syscalls32",
                         // file transfer
                         "ls", "get", "put",
                         // stats
@@ -220,7 +220,7 @@ errexit:
 }
 
 
-static int procevent_monitor(const int sock, pid_t mypid) {
+static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t mypid) {
         ssize_t len;
         struct nlmsghdr *nlmsghdr;
 
@@ -246,8 +246,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
 
                 int rv = select(max, &readfds, NULL, NULL, &tv);
                 if (rv == -1) {
-                        fprintf(stderr, "recv: %s\n", strerror(errno));
-                        return -1;
+                        errExit("recv");
                 }
 
                 // timeout
@@ -259,7 +258,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
 
 
                 if ((len = recv(sock, buf, sizeof(buf), 0)) == 0)
-                        return 0;
+                        exit(0);
                 if (len == -1) {
                         if (errno == EINTR)
                                 continue;
@@ -271,7 +270,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                         }
                         else {
                                 fprintf(stderr,"Error: rx socket recv call, errno %d, %s\n", errno, strerror(errno));
-                                return -1;
+                                exit(1);
                         }
                 }
 
@@ -497,7 +496,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
                                 exit(0);
                 }
         }
-        return 0;
+        __builtin_unreachable();
 }
 
 void procevent(pid_t pid) {
@@ -515,6 +514,4 @@ void procevent(pid_t pid) {
         }
 
         procevent_monitor(sock, pid); // it will never return from here
-        assert(0);
-        close(sock); // quiet static analyzers
 }
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in
index f717af788..a30ff4ba3 100644
--- a/src/fsec-print/Makefile.in
+++ b/src/fsec-print/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
         $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fsec-print: $(OBJS) ../lib/libnetlink.o
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+fsec-print: $(OBJS) ../lib/libnetlink.o ../lib/errno.o ../lib/syscall.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fsec-print *.gcov *.gcda *.gcno *.plist
 
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h
index 0237fd020..337199288 100644
--- a/src/fsec-print/fsec_print.h
+++ b/src/fsec-print/fsec_print.h
@@ -21,12 +21,10 @@
 #define FSEC_PRINT_H
 #include "../include/common.h"
 #include "../include/seccomp.h"
+#include "../include/syscall.h"
 #include <sys/mman.h>
 
 // print.c
 void print(struct sock_filter *filter, int entries);
 
-// syscall_list.c
-const char *syscall_find_nr(int nr);
-
 #endif
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
index 728308dac..ade45c881 100644
--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -24,6 +24,23 @@ static void usage(void) {
         printf("\tfsec-print file - disassemble seccomp filter\n");
 }
 
+int arg_quiet = 0;
+void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) fd;
+        (void) syscall;
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+}
+
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) fd;
+        (void) syscall;
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+}
+
 int main(int argc, char **argv) {
 #if 0
 {
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c
index 5c244b000..a6aae5ecb 100644
--- a/src/fsec-print/print.c
+++ b/src/fsec-print/print.c
@@ -250,7 +250,7 @@ static void bpf_decode_args(const struct sock_filter *bpf, unsigned int line) {
                 break;
         case BPF_JMP:
                 if (BPF_OP(bpf->code) == BPF_JA) {
-                        printf("%.4u", (line + 1) + bpf->k);
+                        printf("%.4x", (line + 1) + bpf->k);
                 }
                 else {
                         const char *name = NULL;
diff --git a/src/fsec-print/syscall_list.c b/src/fsec-print/syscall_list.c
deleted file mode 100644
index 274908cef..000000000
--- a/src/fsec-print/syscall_list.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2014-2020 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "fsec_print.h"
-#include <sys/syscall.h>
-
-typedef struct {
-        const char * const name;
-        int nr;
-} SyscallEntry;
-
-static const SyscallEntry syslist[] = {
-//
-// code generated using tools/extract-syscall
-//
-#include "../include/syscall.h"
-//
-// end of generated code
-//
-}; // end of syslist
-
-const char *syscall_find_nr(int nr) {
-        int i;
-        int elems = sizeof(syslist) / sizeof(syslist[0]);
-        for (i = 0; i < elems; i++) {
-                if (nr == syslist[i].nr)
-                        return syslist[i].name;
-        }
-
-        return NULL;
-}
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index 67e074b3d..8623db6f8 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -5,8 +5,8 @@ include ../common.mk
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
         $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
 
-fseccomp: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+fseccomp: $(OBJS) ../lib/errno.o ../lib/syscall.o
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) ../lib/errno.o ../lib/syscall.o $(LIBS) $(EXTRA_LDFLAGS)
 
 clean:; rm -fr *.o fseccomp *.gcov *.gcda *.gcno *.plist
 
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h
index bf55870f2..e8dd083b6 100644
--- a/src/fseccomp/fseccomp.h
+++ b/src/fseccomp/fseccomp.h
@@ -24,21 +24,11 @@
 #include <string.h>
 #include <assert.h>
 #include "../include/common.h"
+#include "../include/syscall.h"
 
 // main.c
 extern int arg_quiet;
 
-// syscall.c
-void syscall_print(void);
-int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg);
-const char *syscall_find_nr(int nr);
-void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist);
-
-// errno.c
-void errno_print(void);
-int errno_find_name(const char *name);
-char *errno_find_nr(int nr);
-
 // protocol.c
 void protocol_print(void);
 void protocol_build_filter(const char *prlist, const char *fname);
@@ -49,27 +39,27 @@ void seccomp_secondary_32(const char *fname);
 void seccomp_secondary_block(const char *fname);
 
 // seccomp_file.c
-void write_to_file(int fd, const void *data, int size);
-void filter_init(int fd);
-void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg);
-void filter_add_errno(int fd, int syscall, int arg, void *ptrarg);
+void write_to_file(int fd, const void *data, size_t size);
+void filter_init(int fd, bool native);
+void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native);
 void filter_end_blacklist(int fd);
 void filter_end_whitelist(int fd);
 
 // seccomp.c
 // default list
-void seccomp_default(const char *fname, int allow_debuggers);
+void seccomp_default(const char *fname, int allow_debuggers, bool native);
 // drop list
-void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers);
+void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native);
 // default+drop list
-void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers);
+void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native);
 // whitelisted filter
-void seccomp_keep(const char *fname1, const char *fname2, char *list);
+void seccomp_keep(const char *fname1, const char *fname2, char *list, bool native);
 // block writable and executable memory
 void memory_deny_write_execute(const char *fname);
+void memory_deny_write_execute_32(const char *fname);
 
 // seccomp_print
 void filter_print(const char *fname);
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 82b96f476..3b3c92b46 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -18,11 +18,14 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fseccomp.h"
+#include "../include/seccomp.h"
 int arg_quiet = 0;
+int arg_seccomp_error_action = EPERM; // error action: errno, log or kill
 
 static void usage(void) {
         printf("Usage:\n");
         printf("\tfseccomp debug-syscalls\n");
+        printf("\tfseccomp debug-syscalls32\n");
         printf("\tfseccomp debug-errnos\n");
         printf("\tfseccomp debug-protocols\n");
         printf("\tfseccomp protocol build list file\n");
@@ -31,12 +34,20 @@ static void usage(void) {
         printf("\tfseccomp secondary block file\n");
         printf("\tfseccomp default file\n");
         printf("\tfseccomp default file allow-debuggers\n");
+        printf("\tfseccomp default32 file\n");
+        printf("\tfseccomp default32 file allow-debuggers\n");
         printf("\tfseccomp drop file1 file2 list\n");
         printf("\tfseccomp drop file1 file2 list allow-debuggers\n");
+        printf("\tfseccomp drop32 file1 file2 list\n");
+        printf("\tfseccomp drop32 file1 file2 list allow-debuggers\n");
         printf("\tfseccomp default drop file1 file2 list\n");
         printf("\tfseccomp default drop file1 file2 list allow-debuggers\n");
+        printf("\tfseccomp default32 drop file1 file2 list\n");
+        printf("\tfseccomp default32 drop file1 file2 list allow-debuggers\n");
         printf("\tfseccomp keep file1 file2 list\n");
+        printf("\tfseccomp keep32 file1 file2 list\n");
         printf("\tfseccomp memory-deny-write-execute file\n");
+        printf("\tfseccomp memory-deny-write-execute.32 file\n");
 }
 
 int main(int argc, char **argv) {
@@ -58,12 +69,28 @@ printf("\n");
         if (quiet && strcmp(quiet, "yes") == 0)
                 arg_quiet = 1;
 
+        char *error_action = getenv("FIREJAIL_SECCOMP_ERROR_ACTION");
+        if (error_action) {
+                if (strcmp(error_action, "kill") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_KILL;
+                else if (strcmp(error_action, "log") == 0)
+                        arg_seccomp_error_action = SECCOMP_RET_LOG;
+                else {
+                        arg_seccomp_error_action = errno_find_name(error_action);
+                        if (arg_seccomp_error_action == -1)
+                                errExit("seccomp-error-action: unknown errno");
+                        arg_seccomp_error_action |= SECCOMP_RET_ERRNO;
+                }
+        }
+
         if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
                 usage();
                 return 0;
         }
         else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0)
                 syscall_print();
+        else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0)
+                syscall_print_32();
         else if (argc == 2 && strcmp(argv[1], "debug-errnos") == 0)
                 errno_print();
         else if (argc == 2 && strcmp(argv[1], "debug-protocols") == 0)
@@ -75,21 +102,37 @@ printf("\n");
         else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)
                 seccomp_secondary_block(argv[3]);
         else if (argc == 3 && strcmp(argv[1], "default") == 0)
-                seccomp_default(argv[2], 0);
+                seccomp_default(argv[2], 0, true);
         else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
-                seccomp_default(argv[2], 1);
+                seccomp_default(argv[2], 1, true);
+        else if (argc == 3 && strcmp(argv[1], "default32") == 0)
+                seccomp_default(argv[2], 0, false);
+        else if (argc == 4 && strcmp(argv[1], "default32") == 0 && strcmp(argv[3], "allow-debuggers") == 0)
+                seccomp_default(argv[2], 1, false);
         else if (argc == 5 && strcmp(argv[1], "drop") == 0)
-                seccomp_drop(argv[2], argv[3], argv[4], 0);
+                seccomp_drop(argv[2], argv[3], argv[4], 0, true);
         else if (argc == 6 && strcmp(argv[1], "drop") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
-                seccomp_drop(argv[2], argv[3], argv[4], 1);
+                seccomp_drop(argv[2], argv[3], argv[4], 1, true);
+        else if (argc == 5 && strcmp(argv[1], "drop32") == 0)
+                seccomp_drop(argv[2], argv[3], argv[4], 0, false);
+        else if (argc == 6 && strcmp(argv[1], "drop32") == 0 && strcmp(argv[5], "allow-debuggers") == 0)
+                seccomp_drop(argv[2], argv[3], argv[4], 1, false);
         else if (argc == 6 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0)
-                seccomp_default_drop(argv[3], argv[4], argv[5], 0);
+                seccomp_default_drop(argv[3], argv[4], argv[5], 0, true);
         else if (argc == 7 && strcmp(argv[1], "default") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[6], "allow-debuggers") == 0)
-                seccomp_default_drop(argv[3], argv[4], argv[5], 1);
+                seccomp_default_drop(argv[3], argv[4], argv[5], 1, true);
+        else if (argc == 6 && strcmp(argv[1], "default32") == 0 && strcmp(argv[2], "drop") == 0)
+                seccomp_default_drop(argv[3], argv[4], argv[5], 0, false);
+        else if (argc == 7 && strcmp(argv[1], "default32") == 0 && strcmp(argv[2], "drop") == 0 && strcmp(argv[6], "allow-debuggers") == 0)
+                seccomp_default_drop(argv[3], argv[4], argv[5], 1, false);
         else if (argc == 5 && strcmp(argv[1], "keep") == 0)
-                seccomp_keep(argv[2], argv[3], argv[4]);
+                seccomp_keep(argv[2], argv[3], argv[4], true);
+        else if (argc == 5 && strcmp(argv[1], "keep32") == 0)
+                seccomp_keep(argv[2], argv[3], argv[4], false);
         else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute") == 0)
                 memory_deny_write_execute(argv[2]);
+        else if (argc == 3 && strcmp(argv[1], "memory-deny-write-execute.32") == 0)
+                memory_deny_write_execute_32(argv[2]);
         else {
                 fprintf(stderr, "Error fseccomp: invalid arguments\n");
                 return 1;
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 7a21eb2c2..b8b30f488 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -122,10 +122,23 @@ void protocol_build_filter(const char *prlist, const char *fname) {
 
         // header
         struct sock_filter filter_start[] = {
-                VALIDATE_ARCHITECTURE,
-                EXAMINE_SYSCALL,
-                ONLY(SYS_socket),
-                EXAMINE_ARGUMENT(0)
+#if defined __x86_64__
+                /* check for native arch */
+                BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1 + 2 + 1, 0),
+                /* i386 filter */
+                EXAMINE_SYSCALL, // 1
+                // checking SYS_socket only: filtering SYS_socketcall not possible with seccomp
+                ONLY(359), // 1 + 2
+                BPF_JUMP(BPF_JMP+BPF_JA+BPF_K, (3 + 1 + 2), 0, 0), // 1 + 2 + 1
+#else
+#warning 32 bit protocol filter not implemented yet for your architecture
+#endif
+                VALIDATE_ARCHITECTURE, // 3
+                EXAMINE_SYSCALL, // 3 + 1
+                ONLY(SYS_socket), // 3 + 1 + 2
+
+                EXAMINE_ARGUMENT(0) // 3 + 1 + 2 + 1
         };
         memcpy(ptr, &filter_start[0], sizeof(filter_start));
         ptr += sizeof(filter_start);
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 29aa2f2f5..e808538b0 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -24,12 +24,12 @@
 #include <sys/syscall.h>
 #include <sys/types.h>
 
-static void add_default_list(int fd, int allow_debuggers) {
+static void add_default_list(int fd, int allow_debuggers, bool native) {
         int r;
         if (!allow_debuggers)
-                r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0, NULL);
+                r = syscall_check_list("@default-nodebuggers", filter_add_blacklist, fd, 0, NULL, native);
         else
-                r = syscall_check_list("@default", filter_add_blacklist, fd, 0, NULL);
+                r = syscall_check_list("@default", filter_add_blacklist, fd, 0, NULL, native);
 
         assert(r == 0);
 //#ifdef SYS_mknod - emoved in 0.9.29 - it breaks Zotero extension
@@ -46,7 +46,7 @@ static void add_default_list(int fd, int allow_debuggers) {
 }
 
 // default list
-void seccomp_default(const char *fname, int allow_debuggers) {
+void seccomp_default(const char *fname, int allow_debuggers, bool native) {
         assert(fname);
 
         // open file
@@ -57,8 +57,8 @@ void seccomp_default(const char *fname, int allow_debuggers) {
         }
 
         // build filter (no post-exec filter needed because default list is fine for us)
-        filter_init(fd);
-        add_default_list(fd, allow_debuggers);
+        filter_init(fd, native);
+        add_default_list(fd, allow_debuggers, native);
         filter_end_blacklist(fd);
 
         // close file
@@ -66,7 +66,7 @@ void seccomp_default(const char *fname, int allow_debuggers) {
 }
 
 // drop list
-void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) {
+void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native) {
         assert(fname1);
         assert(fname2);
         (void) allow_debuggers; // todo: to implemnet it
@@ -79,15 +79,15 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
         }
 
         // build pre-exec filter: don't blacklist any syscalls in @default-keep
-        filter_init(fd);
+        filter_init(fd, native);
 
         // allow exceptions in form of !syscall
-        syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);
+        syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL, native);
 
         char *prelist, *postlist;
-        syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
+        syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist, native);
         if (prelist)
-                if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {
+                if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL, native)) {
                         fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
                         exit(1);
                 }
@@ -106,8 +106,8 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
         }
 
         // build post-exec filter: blacklist remaining syscalls
-        filter_init(fd);
-        if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) {
+        filter_init(fd, native);
+        if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL, native)) {
                 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
                 exit(1);
         }
@@ -118,7 +118,7 @@ void seccomp_drop(const char *fname1, const char *fname2, char *list, int allow_
 }
 
 // default+drop
-void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers) {
+void seccomp_default_drop(const char *fname1, const char *fname2, char *list, int allow_debuggers, bool native) {
         assert(fname1);
         assert(fname2);
 
@@ -131,16 +131,16 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
 
         // build pre-exec filter: blacklist @default, don't blacklist
         // any listed syscalls in @default-keep
-        filter_init(fd);
+        filter_init(fd, native);
 
         // allow exceptions in form of !syscall
-        syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL);
+        syscall_check_list(list, filter_add_whitelist_for_excluded, fd, 0, NULL, native);
 
-        add_default_list(fd, allow_debuggers);
+        add_default_list(fd, allow_debuggers, native);
         char *prelist, *postlist;
-        syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist);
+        syscalls_in_list(list, "@default-keep", fd, &prelist, &postlist, native);
         if (prelist)
-                if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL)) {
+                if (syscall_check_list(prelist, filter_add_blacklist, fd, 0, NULL, native)) {
                         fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
                         exit(1);
                 }
@@ -160,8 +160,8 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
         }
 
         // build post-exec filter: blacklist remaining syscalls
-        filter_init(fd);
-        if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL)) {
+        filter_init(fd, native);
+        if (syscall_check_list(postlist, filter_add_blacklist, fd, 0, NULL, native)) {
                 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
                 exit(1);
         }
@@ -171,7 +171,7 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
         close(fd);
 }
 
-void seccomp_keep(const char *fname1, const char *fname2, char *list) {
+void seccomp_keep(const char *fname1, const char *fname2, char *list, bool native) {
         (void) fname2;
 
         // open file for pre-exec filter
@@ -182,17 +182,17 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
         }
 
         // build pre-exec filter: whitelist also @default-keep
-        filter_init(fd);
+        filter_init(fd, native);
 
         // allow exceptions in form of !syscall
-        syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL);
+        syscall_check_list(list, filter_add_blacklist_for_excluded, fd, 0, NULL, native);
 
         // these syscalls are used by firejail after the seccomp filter is initialized
         int r;
-        r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL);
+        r = syscall_check_list("@default-keep", filter_add_whitelist, fd, 0, NULL, native);
         assert(r == 0);
 
-        if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
+        if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL, native)) {
                 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
                 exit(1);
         }
@@ -206,6 +206,15 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 #if defined(__x86_64__) || defined(__aarch64__) || defined(__powerpc64__)
 # define filter_syscall SYS_mmap
 # undef block_syscall
+#if defined(__x86_64__)
+// i386 syscalls
+# define filter_syscall_32 192
+# define block_syscall_32 90
+# define mprotect_32 125
+# define pkey_mprotect_32 380
+# define shmat_32 397
+# define memfd_create_32 356
+#endif
 #elif defined(__i386__)
 # define filter_syscall SYS_mmap2
 # define block_syscall SYS_mmap
@@ -216,6 +225,12 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 # warning "Platform does not support seccomp memory-deny-write-execute filter yet"
 # undef filter_syscall
 # undef block_syscall
+# undef filter_syscall_32
+# undef block_syscall_32
+# undef mprotect_32
+# undef pkey_mprotect_32
+# undef shmat_32
+# undef memfd_create_32
 #endif
 
 void memory_deny_write_execute(const char *fname) {
@@ -226,10 +241,10 @@ void memory_deny_write_execute(const char *fname) {
                 exit(1);
         }
 
-        filter_init(fd);
+        filter_init(fd, true);
 
         // build filter
-        static const struct sock_filter filter[] = {
+        struct sock_filter filter[] = {
 #ifdef block_syscall
                 // block old multiplexing mmap syscall for i386
                 BLACKLIST(block_syscall),
@@ -240,7 +255,7 @@ void memory_deny_write_execute(const char *fname) {
                 EXAMINE_ARGUMENT(2),
                 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
                 RETURN_ALLOW,
 #endif
 
@@ -249,7 +264,7 @@ void memory_deny_write_execute(const char *fname) {
                 EXAMINE_ARGUMENT(2),
                 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
                 RETURN_ALLOW,
 
                 // same for pkey_mprotect(,,PROT_EXEC), where available
@@ -258,7 +273,7 @@ void memory_deny_write_execute(const char *fname) {
                 EXAMINE_ARGUMENT(2),
                 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
                 RETURN_ALLOW,
 #endif
 
@@ -269,7 +284,7 @@ void memory_deny_write_execute(const char *fname) {
                 EXAMINE_ARGUMENT(2),
                 BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
                 RETURN_ALLOW,
 #endif
 #ifdef SYS_memfd_create
@@ -277,7 +292,7 @@ void memory_deny_write_execute(const char *fname) {
                 // arbitrary memory contents which can be later mapped
                 // as executable
                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_memfd_create, 0, 1),
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
                 RETURN_ALLOW
 #endif
         };
@@ -288,3 +303,75 @@ void memory_deny_write_execute(const char *fname) {
         // close file
         close(fd);
 }
+
+void memory_deny_write_execute_32(const char *fname) {
+        // open file
+        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+        if (fd < 0) {
+                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
+                exit(1);
+        }
+
+        filter_init(fd, false);
+
+        // build filter
+        struct sock_filter filter[] = {
+#if defined(__x86_64__)
+#ifdef block_syscall_32
+                // block old multiplexing mmap syscall for i386
+                BLACKLIST(block_syscall_32),
+#endif
+#ifdef filter_syscall_32
+                // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, filter_syscall_32, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+                RETURN_ALLOW,
+#endif
+#ifdef mprotect_32
+                // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, mprotect_32, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+                RETURN_ALLOW,
+#endif
+#ifdef pkey_mprotect_32
+                // same for pkey_mprotect(,,PROT_EXEC), where available
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, pkey_mprotect_32, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_EXEC, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+                RETURN_ALLOW,
+#endif
+
+#ifdef shmat_32
+                // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, shmat_32, 0, 5),
+                EXAMINE_ARGUMENT(2),
+                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, SHM_EXEC),
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SHM_EXEC, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+                RETURN_ALLOW,
+#endif
+#ifdef memfd_create_32
+                // block memfd_create as it can be used to create
+                // arbitrary memory contents which can be later mapped
+                // as executable
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, memfd_create_32, 0, 1),
+                KILL_OR_RETURN_ERRNO,
+#endif
+#endif
+                RETURN_ALLOW
+        };
+        write_to_file(fd, filter, sizeof(filter));
+
+        filter_end_blacklist(fd);
+
+        // close file
+        close(fd);
+}
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index e47e8db25..9e8ceb898 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -21,11 +21,11 @@
 #include "../include/seccomp.h"
 #include <sys/syscall.h>
 
-void write_to_file(int fd, const void *data, int size) {
+void write_to_file(int fd, const void *data, size_t size) {
         assert(data);
         assert(size);
 
-        int written = 0;
+        size_t written = 0;
         while (written < size) {
                 int rv = write(fd, (unsigned char *) data + written, size - written);
                 if (rv == -1) {
@@ -36,8 +36,8 @@ void write_to_file(int fd, const void *data, int size) {
         }
 }
 
-void filter_init(int fd) {
-        struct sock_filter filter[] = {
+void filter_init(int fd, bool native) {
+        struct sock_filter filter_native[] = {
                 VALIDATE_ARCHITECTURE,
 #if defined(__x86_64__)
                 EXAMINE_SYSCALL,
@@ -46,6 +46,10 @@ void filter_init(int fd) {
                 EXAMINE_SYSCALL
 #endif
         };
+        struct sock_filter filter_32[] = {
+                VALIDATE_ARCHITECTURE_32,
+                EXAMINE_SYSCALL
+        };
 
 #if 0
 {
@@ -57,7 +61,10 @@ void filter_init(int fd) {
 }
 #endif
 
-        write_to_file(fd, filter, sizeof(filter));
+        if (native)
+                write_to_file(fd, filter_native, sizeof(filter_native));
+        else
+                write_to_file(fd, filter_32, sizeof(filter_32));
 }
 
 static void write_whitelist(int fd, int syscall) {
@@ -74,9 +81,10 @@ static void write_blacklist(int fd, int syscall) {
         write_to_file(fd, filter, sizeof(filter));
 }
 
-void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) {
+void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg, bool native) {
         (void) arg;
         (void) ptrarg;
+        (void) native;
 
         if (syscall >= 0) {
                 write_whitelist(fd, syscall);
@@ -84,36 +92,54 @@ void filter_add_whitelist(int fd, int syscall, int arg, void *ptrarg) {
 }
 
 // handle seccomp list exceptions (seccomp x,y,!z)
-void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg) {
+void filter_add_whitelist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native) {
         (void) arg;
         (void) ptrarg;
+        (void) native;
 
         if (syscall < 0) {
                 write_whitelist(fd, -syscall);
         }
 }
 
-void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg) {
+void filter_add_blacklist(int fd, int syscall, int arg, void *ptrarg, bool native) {
         (void) arg;
         (void) ptrarg;
+        (void) native;
 
         if (syscall >= 0) {
                 write_blacklist(fd, syscall);
         }
 }
 
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native) {
+        (void) arg;
+        (void) ptrarg;
+        (void) native;
+
+        if (syscall >= 0) {
+                int saved_error_action = arg_seccomp_error_action;
+                arg_seccomp_error_action = SECCOMP_RET_KILL;
+                write_blacklist(fd, syscall);
+                arg_seccomp_error_action = saved_error_action;
+        }
+}
+
 // handle seccomp list exceptions (seccomp x,y,!z)
-void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg) {
+void filter_add_blacklist_for_excluded(int fd, int syscall, int arg, void *ptrarg, bool native) {
         (void) arg;
         (void) ptrarg;
+        (void) native;
 
         if (syscall < 0) {
                 write_blacklist(fd, -syscall);
         }
 }
 
-void filter_add_errno(int fd, int syscall, int arg, void *ptrarg) {
+void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native) {
         (void) ptrarg;
+        (void) native;
+
         struct sock_filter filter[] = {
                 BLACKLIST_ERRNO(syscall, arg)
         };
@@ -129,7 +155,7 @@ void filter_end_blacklist(int fd) {
 
 void filter_end_whitelist(int fd) {
         struct sock_filter filter[] = {
-                KILL_PROCESS
+                KILL_OR_RETURN_ERRNO
         };
         write_to_file(fd, filter, sizeof(filter));
 }
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index 9a00d1884..f024859d3 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -142,7 +142,7 @@ void seccomp_secondary_block(const char *fname) {
                 // 5: if MSW(arg0) == 0, goto 7 (allow) else continue to 6 (kill)
                 BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, jmp_from_to(5, 7), 0),
                 // 6:
-                KILL_PROCESS,
+                KILL_OR_RETURN_ERRNO,
                 // 7:
                 RETURN_ALLOW
         };
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 1cfeee28d..f8bcdec52 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -30,6 +30,7 @@
 #define RUN_FIREJAIL_NETWORK_DIR        RUN_FIREJAIL_DIR "/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR      RUN_FIREJAIL_DIR "/bandwidth"
 #define RUN_FIREJAIL_PROFILE_DIR        RUN_FIREJAIL_DIR "/profile"
+#define RUN_FIREJAIL_DBUS_DIR RUN_FIREJAIL_DIR "/dbus"
 #define RUN_NETWORK_LOCK_FILE           RUN_FIREJAIL_DIR "/firejail-network.lock"
 #define RUN_DIRECTORY_LOCK_FILE         RUN_FIREJAIL_DIR "/firejail-run.lock"
 #define RUN_RO_DIR                      RUN_FIREJAIL_DIR "/firejail.ro.dir"
@@ -56,19 +57,26 @@
 #define RUN_DHCLIENT_4_LEASES_FILE              RUN_DHCLIENT_DIR "/dhclient.leases"
 #define RUN_DHCLIENT_4_PID_FILE                 RUN_DHCLIENT_DIR "/dhclient.pid"
 #define RUN_DHCLIENT_6_PID_FILE                 RUN_DHCLIENT_DIR "/dhclient6.pid"
+#define RUN_DBUS_DIR        RUN_MNT_DIR "/dbus"
+#define RUN_DBUS_USER_SOCKET        RUN_DBUS_DIR "/user"
+#define RUN_DBUS_SYSTEM_SOCKET      RUN_DBUS_DIR "/system"
 
 #define RUN_SECCOMP_DIR                 RUN_MNT_DIR "/seccomp"
 #define RUN_SECCOMP_LIST                RUN_SECCOMP_DIR "/seccomp.list"         // list of seccomp files installed
 #define RUN_SECCOMP_PROTOCOL            RUN_SECCOMP_DIR "/seccomp.protocol"             // protocol filter
 #define RUN_SECCOMP_CFG                 RUN_SECCOMP_DIR "/seccomp"                      // configured filter
 #define RUN_SECCOMP_32                  RUN_SECCOMP_DIR "/seccomp.32"                   // 32bit arch filter installed on 64bit architectures
-#define RUN_SECCOMP_MDWX                RUN_SECCOMP_DIR "/seccomp.mdwx"         // filter for memory-deny-write-execute
+#define RUN_SECCOMP_MDWX                RUN_SECCOMP_DIR "/seccomp.mdwx"                 // filter for memory-deny-write-execute
+#define RUN_SECCOMP_MDWX_32             RUN_SECCOMP_DIR "/seccomp.mdwx.32"
 #define RUN_SECCOMP_BLOCK_SECONDARY     RUN_SECCOMP_DIR "/seccomp.block_secondary"      // secondary arch blocking filter
 #define RUN_SECCOMP_POSTEXEC            RUN_SECCOMP_DIR "/seccomp.postexec"             // filter for post-exec library
+#define RUN_SECCOMP_POSTEXEC_32         RUN_SECCOMP_DIR "/seccomp.postexec32"           // filter for post-exec library
 #define PATH_SECCOMP_DEFAULT            LIBDIR "/firejail/seccomp"                      // default filter built during make
-#define PATH_SECCOMP_DEFAULT_DEBUG      LIBDIR "/firejail/seccomp.debug"                // default filter built during make
+#define PATH_SECCOMP_DEFAULT_DEBUG      LIBDIR "/firejail/seccomp.debug"                // debug filter built during make
 #define PATH_SECCOMP_32                 LIBDIR "/firejail/seccomp.32"                   // 32bit arch filter built during make
-#define PATH_SECCOMP_MDWX               LIBDIR "/firejail/seccomp.mdwx"         // filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_DEBUG_32           LIBDIR "/firejail/seccomp.debug32"              // 32bit arch debug filter built during make
+#define PATH_SECCOMP_MDWX               LIBDIR "/firejail/seccomp.mdwx"                 // filter for memory-deny-write-execute built during make
+#define PATH_SECCOMP_MDWX_32            LIBDIR "/firejail/seccomp.mdwx.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY    LIBDIR "/firejail/seccomp.block_secondary"      // secondary arch blocking filter built during make
 
 
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 80a83df34..29b858c70 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -243,7 +243,7 @@ struct seccomp_data {
 #define HANDLE_X32_KILL \
                 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 1, 0), \
                 BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, 0, 1, 0), \
-                KILL_PROCESS
+                BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
 #endif
 
 #define EXAMINE_SYSCALL BPF_STMT(BPF_LD+BPF_W+BPF_ABS,  \
@@ -258,7 +258,7 @@ struct seccomp_data {
 
 #define BLACKLIST(syscall_nr)   \
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1),      \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+        KILL_OR_RETURN_ERRNO
 
 #define WHITELIST(syscall_nr) \
         BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, syscall_nr, 0, 1), \
@@ -274,7 +274,8 @@ struct seccomp_data {
 #define RETURN_ERRNO(nr) \
         BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO | nr)
 
-#define KILL_PROCESS \
-        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
+extern int arg_seccomp_error_action;    // error action: errno, log or kill
+#define KILL_OR_RETURN_ERRNO \
+        BPF_STMT(BPF_RET+BPF_K, arg_seccomp_error_action)
 
 #endif
diff --git a/src/include/syscall.h b/src/include/syscall.h
index e11c56a05..489da0600 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -17,5195 +17,29 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifndef SYSCALL_H
+#define SYSCALL_H
+
+#include <stdbool.h>
+
+// main.c
+extern int arg_quiet;
+
+// seccomp_file.c or dummy versions in firejail/main.c and fsec-print/main.c
+void filter_add_errno(int fd, int syscall, int arg, void *ptrarg, bool native);
+void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, bool native);
+
+// errno.c
+void errno_print(void);
+int errno_find_name(const char *name);
+const char *errno_find_nr(int nr);
+
+// syscall.c
+void syscall_print(void);
+void syscall_print_32(void);
+typedef void (filter_fn)(int fd, int syscall, int arg, void *ptrarg, bool native);
+int syscall_check_list(const char *slist, filter_fn *callback, int fd, int arg, void *ptrarg, bool native);
+const char *syscall_find_nr(int nr);
+void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist, bool native);
 
-// content extracted from /bits/syscall.h file form glibc 2.22
-// using ../tools/extract_syscall tool
-#if !defined __x86_64__
-#ifdef SYS__llseek
-#ifdef __NR__llseek
-        {"_llseek", __NR__llseek},
-#endif
-#endif
-#ifdef SYS__newselect
-#ifdef __NR__newselect
-        {"_newselect", __NR__newselect},
-#endif
-#endif
-#ifdef SYS__sysctl
-#ifdef __NR__sysctl
-        {"_sysctl", __NR__sysctl},
-#endif
-#endif
-#ifdef SYS_accept4
-#ifdef __NR_accept4
-        {"accept4", __NR_accept4},
-#endif
-#endif
-#ifdef SYS_access
-#ifdef __NR_access
-        {"access", __NR_access},
-#endif
-#endif
-#ifdef SYS_acct
-#ifdef __NR_acct
-        {"acct", __NR_acct},
-#endif
-#endif
-#ifdef SYS_add_key
-#ifdef __NR_add_key
-        {"add_key", __NR_add_key},
-#endif
-#endif
-#ifdef SYS_adjtimex
-#ifdef __NR_adjtimex
-        {"adjtimex", __NR_adjtimex},
-#endif
-#endif
-#ifdef SYS_afs_syscall
-#ifdef __NR_afs_syscall
-        {"afs_syscall", __NR_afs_syscall},
-#endif
-#endif
-#ifdef SYS_alarm
-#ifdef __NR_alarm
-        {"alarm", __NR_alarm},
-#endif
-#endif
-#ifdef SYS_arch_prctl
-#ifdef __NR_arch_prctl
-        {"arch_prctl", __NR_arch_prctl},
-#endif
-#endif
-#ifdef SYS_bdflush
-#ifdef __NR_bdflush
-        {"bdflush", __NR_bdflush},
-#endif
-#endif
-#ifdef SYS_bind
-#ifdef __NR_bind
-        {"bind", __NR_bind},
-#endif
-#endif
-#ifdef SYS_bpf
-#ifdef __NR_bpf
-        {"bpf", __NR_bpf},
-#endif
-#endif
-#ifdef SYS_break
-#ifdef __NR_break
-        {"break", __NR_break},
-#endif
-#endif
-#ifdef SYS_brk
-#ifdef __NR_brk
-        {"brk", __NR_brk},
-#endif
-#endif
-#ifdef SYS_capget
-#ifdef __NR_capget
-        {"capget", __NR_capget},
-#endif
-#endif
-#ifdef SYS_capset
-#ifdef __NR_capset
-        {"capset", __NR_capset},
-#endif
-#endif
-#ifdef SYS_chdir
-#ifdef __NR_chdir
-        {"chdir", __NR_chdir},
-#endif
-#endif
-#ifdef SYS_chmod
-#ifdef __NR_chmod
-        {"chmod", __NR_chmod},
-#endif
-#endif
-#ifdef SYS_chown
-#ifdef __NR_chown
-        {"chown", __NR_chown},
-#endif
-#endif
-#ifdef SYS_chown32
-#ifdef __NR_chown32
-        {"chown32", __NR_chown32},
-#endif
-#endif
-#ifdef SYS_chroot
-#ifdef __NR_chroot
-        {"chroot", __NR_chroot},
-#endif
-#endif
-#ifdef SYS_clock_adjtime
-#ifdef __NR_clock_adjtime
-        {"clock_adjtime", __NR_clock_adjtime},
-#endif
-#endif
-#ifdef SYS_clock_getres
-#ifdef __NR_clock_getres
-        {"clock_getres", __NR_clock_getres},
-#endif
-#endif
-#ifdef SYS_clock_gettime
-#ifdef __NR_clock_gettime
-        {"clock_gettime", __NR_clock_gettime},
-#endif
-#endif
-#ifdef SYS_clock_nanosleep
-#ifdef __NR_clock_nanosleep
-        {"clock_nanosleep", __NR_clock_nanosleep},
-#endif
-#endif
-#ifdef SYS_clock_settime
-#ifdef __NR_clock_settime
-        {"clock_settime", __NR_clock_settime},
-#endif
-#endif
-#ifdef SYS_clone
-#ifdef __NR_clone
-        {"clone", __NR_clone},
-#endif
-#endif
-#ifdef SYS_close
-#ifdef __NR_close
-        {"close", __NR_close},
-#endif
-#endif
-#ifdef SYS_connect
-#ifdef __NR_connect
-        {"connect", __NR_connect},
-#endif
-#endif
-#ifdef SYS_copy_file_range
-#ifdef __NR_copy_file_range
-        {"copy_file_range", __NR_copy_file_range},
-#endif
-#endif
-#ifdef SYS_creat
-#ifdef __NR_creat
-        {"creat", __NR_creat},
-#endif
-#endif
-#ifdef SYS_create_module
-#ifdef __NR_create_module
-        {"create_module", __NR_create_module},
-#endif
-#endif
-#ifdef SYS_delete_module
-#ifdef __NR_delete_module
-        {"delete_module", __NR_delete_module},
-#endif
-#endif
-#ifdef SYS_dup
-#ifdef __NR_dup
-        {"dup", __NR_dup},
-#endif
-#endif
-#ifdef SYS_dup2
-#ifdef __NR_dup2
-        {"dup2", __NR_dup2},
-#endif
-#endif
-#ifdef SYS_dup3
-#ifdef __NR_dup3
-        {"dup3", __NR_dup3},
-#endif
-#endif
-#ifdef SYS_epoll_create
-#ifdef __NR_epoll_create
-        {"epoll_create", __NR_epoll_create},
-#endif
-#endif
-#ifdef SYS_epoll_create1
-#ifdef __NR_epoll_create1
-        {"epoll_create1", __NR_epoll_create1},
-#endif
-#endif
-#ifdef SYS_epoll_ctl
-#ifdef __NR_epoll_ctl
-        {"epoll_ctl", __NR_epoll_ctl},
-#endif
-#endif
-#ifdef SYS_epoll_pwait
-#ifdef __NR_epoll_pwait
-        {"epoll_pwait", __NR_epoll_pwait},
-#endif
-#endif
-#ifdef SYS_epoll_wait
-#ifdef __NR_epoll_wait
-        {"epoll_wait", __NR_epoll_wait},
-#endif
-#endif
-#ifdef SYS_eventfd
-#ifdef __NR_eventfd
-        {"eventfd", __NR_eventfd},
-#endif
-#endif
-#ifdef SYS_eventfd2
-#ifdef __NR_eventfd2
-        {"eventfd2", __NR_eventfd2},
-#endif
-#endif
-#ifdef SYS_execve
-#ifdef __NR_execve
-        {"execve", __NR_execve},
-#endif
-#endif
-#ifdef SYS_execveat
-#ifdef __NR_execveat
-        {"execveat", __NR_execveat},
-#endif
-#endif
-#ifdef SYS_exit
-#ifdef __NR_exit
-        {"exit", __NR_exit},
-#endif
-#endif
-#ifdef SYS_exit_group
-#ifdef __NR_exit_group
-        {"exit_group", __NR_exit_group},
-#endif
-#endif
-#ifdef SYS_faccessat
-#ifdef __NR_faccessat
-        {"faccessat", __NR_faccessat},
-#endif
-#endif
-#ifdef SYS_fadvise64
-#ifdef __NR_fadvise64
-        {"fadvise64", __NR_fadvise64},
-#endif
-#endif
-#ifdef SYS_fadvise64_64
-#ifdef __NR_fadvise64_64
-        {"fadvise64_64", __NR_fadvise64_64},
-#endif
-#endif
-#ifdef SYS_fallocate
-#ifdef __NR_fallocate
-        {"fallocate", __NR_fallocate},
-#endif
-#endif
-#ifdef SYS_fanotify_init
-#ifdef __NR_fanotify_init
-        {"fanotify_init", __NR_fanotify_init},
-#endif
-#endif
-#ifdef SYS_fanotify_mark
-#ifdef __NR_fanotify_mark
-        {"fanotify_mark", __NR_fanotify_mark},
-#endif
-#endif
-#ifdef SYS_fchdir
-#ifdef __NR_fchdir
-        {"fchdir", __NR_fchdir},
-#endif
-#endif
-#ifdef SYS_fchmod
-#ifdef __NR_fchmod
-        {"fchmod", __NR_fchmod},
-#endif
-#endif
-#ifdef SYS_fchmodat
-#ifdef __NR_fchmodat
-        {"fchmodat", __NR_fchmodat},
-#endif
-#endif
-#ifdef SYS_fchown
-#ifdef __NR_fchown
-        {"fchown", __NR_fchown},
-#endif
-#endif
-#ifdef SYS_fchown32
-#ifdef __NR_fchown32
-        {"fchown32", __NR_fchown32},
-#endif
-#endif
-#ifdef SYS_fchownat
-#ifdef __NR_fchownat
-        {"fchownat", __NR_fchownat},
-#endif
-#endif
-#ifdef SYS_fcntl
-#ifdef __NR_fcntl
-        {"fcntl", __NR_fcntl},
-#endif
-#endif
-#ifdef SYS_fcntl64
-#ifdef __NR_fcntl64
-        {"fcntl64", __NR_fcntl64},
-#endif
-#endif
-#ifdef SYS_fdatasync
-#ifdef __NR_fdatasync
-        {"fdatasync", __NR_fdatasync},
-#endif
-#endif
-#ifdef SYS_fgetxattr
-#ifdef __NR_fgetxattr
-        {"fgetxattr", __NR_fgetxattr},
-#endif
-#endif
-#ifdef SYS_finit_module
-#ifdef __NR_finit_module
-        {"finit_module", __NR_finit_module},
-#endif
-#endif
-#ifdef SYS_flistxattr
-#ifdef __NR_flistxattr
-        {"flistxattr", __NR_flistxattr},
-#endif
-#endif
-#ifdef SYS_flock
-#ifdef __NR_flock
-        {"flock", __NR_flock},
-#endif
-#endif
-#ifdef SYS_fork
-#ifdef __NR_fork
-        {"fork", __NR_fork},
-#endif
-#endif
-#ifdef SYS_fremovexattr
-#ifdef __NR_fremovexattr
-        {"fremovexattr", __NR_fremovexattr},
-#endif
-#endif
-#ifdef SYS_fsetxattr
-#ifdef __NR_fsetxattr
-        {"fsetxattr", __NR_fsetxattr},
-#endif
-#endif
-#ifdef SYS_fstat
-#ifdef __NR_fstat
-        {"fstat", __NR_fstat},
-#endif
-#endif
-#ifdef SYS_fstat64
-#ifdef __NR_fstat64
-        {"fstat64", __NR_fstat64},
-#endif
-#endif
-#ifdef SYS_fstatat64
-#ifdef __NR_fstatat64
-        {"fstatat64", __NR_fstatat64},
-#endif
-#endif
-#ifdef SYS_fstatfs
-#ifdef __NR_fstatfs
-        {"fstatfs", __NR_fstatfs},
-#endif
-#endif
-#ifdef SYS_fstatfs64
-#ifdef __NR_fstatfs64
-        {"fstatfs64", __NR_fstatfs64},
-#endif
-#endif
-#ifdef SYS_fsync
-#ifdef __NR_fsync
-        {"fsync", __NR_fsync},
-#endif
-#endif
-#ifdef SYS_ftime
-#ifdef __NR_ftime
-        {"ftime", __NR_ftime},
-#endif
-#endif
-#ifdef SYS_ftruncate
-#ifdef __NR_ftruncate
-        {"ftruncate", __NR_ftruncate},
-#endif
-#endif
-#ifdef SYS_ftruncate64
-#ifdef __NR_ftruncate64
-        {"ftruncate64", __NR_ftruncate64},
-#endif
-#endif
-#ifdef SYS_futex
-#ifdef __NR_futex
-        {"futex", __NR_futex},
-#endif
-#endif
-#ifdef SYS_futimesat
-#ifdef __NR_futimesat
-        {"futimesat", __NR_futimesat},
-#endif
-#endif
-#ifdef SYS_get_kernel_syms
-#ifdef __NR_get_kernel_syms
-        {"get_kernel_syms", __NR_get_kernel_syms},
-#endif
-#endif
-#ifdef SYS_get_mempolicy
-#ifdef __NR_get_mempolicy
-        {"get_mempolicy", __NR_get_mempolicy},
-#endif
-#endif
-#ifdef SYS_get_robust_list
-#ifdef __NR_get_robust_list
-        {"get_robust_list", __NR_get_robust_list},
-#endif
-#endif
-#ifdef SYS_get_thread_area
-#ifdef __NR_get_thread_area
-        {"get_thread_area", __NR_get_thread_area},
-#endif
-#endif
-#ifdef SYS_getcpu
-#ifdef __NR_getcpu
-        {"getcpu", __NR_getcpu},
-#endif
-#endif
-#ifdef SYS_getcwd
-#ifdef __NR_getcwd
-        {"getcwd", __NR_getcwd},
-#endif
-#endif
-#ifdef SYS_getdents
-#ifdef __NR_getdents
-        {"getdents", __NR_getdents},
-#endif
-#endif
-#ifdef SYS_getdents64
-#ifdef __NR_getdents64
-        {"getdents64", __NR_getdents64},
-#endif
-#endif
-#ifdef SYS_getegid
-#ifdef __NR_getegid
-        {"getegid", __NR_getegid},
-#endif
-#endif
-#ifdef SYS_getegid32
-#ifdef __NR_getegid32
-        {"getegid32", __NR_getegid32},
-#endif
-#endif
-#ifdef SYS_geteuid
-#ifdef __NR_geteuid
-        {"geteuid", __NR_geteuid},
-#endif
-#endif
-#ifdef SYS_geteuid32
-#ifdef __NR_geteuid32
-        {"geteuid32", __NR_geteuid32},
-#endif
-#endif
-#ifdef SYS_getgid
-#ifdef __NR_getgid
-        {"getgid", __NR_getgid},
-#endif
-#endif
-#ifdef SYS_getgid32
-#ifdef __NR_getgid32
-        {"getgid32", __NR_getgid32},
-#endif
-#endif
-#ifdef SYS_getgroups
-#ifdef __NR_getgroups
-        {"getgroups", __NR_getgroups},
-#endif
-#endif
-#ifdef SYS_getgroups32
-#ifdef __NR_getgroups32
-        {"getgroups32", __NR_getgroups32},
-#endif
-#endif
-#ifdef SYS_getitimer
-#ifdef __NR_getitimer
-        {"getitimer", __NR_getitimer},
-#endif
-#endif
-#ifdef SYS_getpeername
-#ifdef __NR_getpeername
-        {"getpeername", __NR_getpeername},
-#endif
-#endif
-#ifdef SYS_getpgid
-#ifdef __NR_getpgid
-        {"getpgid", __NR_getpgid},
-#endif
-#endif
-#ifdef SYS_getpgrp
-#ifdef __NR_getpgrp
-        {"getpgrp", __NR_getpgrp},
-#endif
-#endif
-#ifdef SYS_getpid
-#ifdef __NR_getpid
-        {"getpid", __NR_getpid},
-#endif
-#endif
-#ifdef SYS_getpmsg
-#ifdef __NR_getpmsg
-        {"getpmsg", __NR_getpmsg},
-#endif
-#endif
-#ifdef SYS_getppid
-#ifdef __NR_getppid
-        {"getppid", __NR_getppid},
-#endif
-#endif
-#ifdef SYS_getpriority
-#ifdef __NR_getpriority
-        {"getpriority", __NR_getpriority},
-#endif
-#endif
-#ifdef SYS_getrandom
-#ifdef __NR_getrandom
-        {"getrandom", __NR_getrandom},
-#endif
-#endif
-#ifdef SYS_getresgid
-#ifdef __NR_getresgid
-        {"getresgid", __NR_getresgid},
-#endif
-#endif
-#ifdef SYS_getresgid32
-#ifdef __NR_getresgid32
-        {"getresgid32", __NR_getresgid32},
-#endif
-#endif
-#ifdef SYS_getresuid
-#ifdef __NR_getresuid
-        {"getresuid", __NR_getresuid},
-#endif
-#endif
-#ifdef SYS_getresuid32
-#ifdef __NR_getresuid32
-        {"getresuid32", __NR_getresuid32},
-#endif
-#endif
-#ifdef SYS_getrlimit
-#ifdef __NR_getrlimit
-        {"getrlimit", __NR_getrlimit},
-#endif
-#endif
-#ifdef SYS_getrusage
-#ifdef __NR_getrusage
-        {"getrusage", __NR_getrusage},
-#endif
-#endif
-#ifdef SYS_getsid
-#ifdef __NR_getsid
-        {"getsid", __NR_getsid},
-#endif
-#endif
-#ifdef SYS_getsockname
-#ifdef __NR_getsockname
-        {"getsockname", __NR_getsockname},
-#endif
-#endif
-#ifdef SYS_getsockopt
-#ifdef __NR_getsockopt
-        {"getsockopt", __NR_getsockopt},
-#endif
-#endif
-#ifdef SYS_gettid
-#ifdef __NR_gettid
-        {"gettid", __NR_gettid},
-#endif
-#endif
-#ifdef SYS_gettimeofday
-#ifdef __NR_gettimeofday
-        {"gettimeofday", __NR_gettimeofday},
-#endif
-#endif
-#ifdef SYS_getuid
-#ifdef __NR_getuid
-        {"getuid", __NR_getuid},
-#endif
-#endif
-#ifdef SYS_getuid32
-#ifdef __NR_getuid32
-        {"getuid32", __NR_getuid32},
-#endif
-#endif
-#ifdef SYS_getxattr
-#ifdef __NR_getxattr
-        {"getxattr", __NR_getxattr},
-#endif
-#endif
-#ifdef SYS_gtty
-#ifdef __NR_gtty
-        {"gtty", __NR_gtty},
-#endif
-#endif
-#ifdef SYS_idle
-#ifdef __NR_idle
-        {"idle", __NR_idle},
-#endif
-#endif
-#ifdef SYS_init_module
-#ifdef __NR_init_module
-        {"init_module", __NR_init_module},
-#endif
-#endif
-#ifdef SYS_inotify_add_watch
-#ifdef __NR_inotify_add_watch
-        {"inotify_add_watch", __NR_inotify_add_watch},
-#endif
-#endif
-#ifdef SYS_inotify_init
-#ifdef __NR_inotify_init
-        {"inotify_init", __NR_inotify_init},
-#endif
-#endif
-#ifdef SYS_inotify_init1
-#ifdef __NR_inotify_init1
-        {"inotify_init1", __NR_inotify_init1},
-#endif
-#endif
-#ifdef SYS_inotify_rm_watch
-#ifdef __NR_inotify_rm_watch
-        {"inotify_rm_watch", __NR_inotify_rm_watch},
-#endif
-#endif
-#ifdef SYS_io_cancel
-#ifdef __NR_io_cancel
-        {"io_cancel", __NR_io_cancel},
-#endif
-#endif
-#ifdef SYS_io_destroy
-#ifdef __NR_io_destroy
-        {"io_destroy", __NR_io_destroy},
-#endif
-#endif
-#ifdef SYS_io_getevents
-#ifdef __NR_io_getevents
-        {"io_getevents", __NR_io_getevents},
-#endif
-#endif
-#ifdef SYS_io_setup
-#ifdef __NR_io_setup
-        {"io_setup", __NR_io_setup},
-#endif
-#endif
-#ifdef SYS_io_submit
-#ifdef __NR_io_submit
-        {"io_submit", __NR_io_submit},
-#endif
-#endif
-#ifdef SYS_ioctl
-#ifdef __NR_ioctl
-        {"ioctl", __NR_ioctl},
-#endif
-#endif
-#ifdef SYS_ioperm
-#ifdef __NR_ioperm
-        {"ioperm", __NR_ioperm},
-#endif
-#endif
-#ifdef SYS_iopl
-#ifdef __NR_iopl
-        {"iopl", __NR_iopl},
-#endif
-#endif
-#ifdef SYS_ioprio_get
-#ifdef __NR_ioprio_get
-        {"ioprio_get", __NR_ioprio_get},
-#endif
-#endif
-#ifdef SYS_ioprio_set
-#ifdef __NR_ioprio_set
-        {"ioprio_set", __NR_ioprio_set},
-#endif
-#endif
-#ifdef SYS_ipc
-#ifdef __NR_ipc
-        {"ipc", __NR_ipc},
-#endif
-#endif
-#ifdef SYS_kcmp
-#ifdef __NR_kcmp
-        {"kcmp", __NR_kcmp},
-#endif
-#endif
-#ifdef SYS_kexec_load
-#ifdef __NR_kexec_load
-        {"kexec_load", __NR_kexec_load},
-#endif
-#endif
-#ifdef SYS_keyctl
-#ifdef __NR_keyctl
-        {"keyctl", __NR_keyctl},
-#endif
-#endif
-#ifdef SYS_kill
-#ifdef __NR_kill
-        {"kill", __NR_kill},
-#endif
-#endif
-#ifdef SYS_lchown
-#ifdef __NR_lchown
-        {"lchown", __NR_lchown},
-#endif
-#endif
-#ifdef SYS_lchown32
-#ifdef __NR_lchown32
-        {"lchown32", __NR_lchown32},
-#endif
-#endif
-#ifdef SYS_lgetxattr
-#ifdef __NR_lgetxattr
-        {"lgetxattr", __NR_lgetxattr},
-#endif
-#endif
-#ifdef SYS_link
-#ifdef __NR_link
-        {"link", __NR_link},
-#endif
-#endif
-#ifdef SYS_linkat
-#ifdef __NR_linkat
-        {"linkat", __NR_linkat},
-#endif
-#endif
-#ifdef SYS_listen
-#ifdef __NR_listen
-        {"listen", __NR_listen},
-#endif
-#endif
-#ifdef SYS_listxattr
-#ifdef __NR_listxattr
-        {"listxattr", __NR_listxattr},
-#endif
-#endif
-#ifdef SYS_llistxattr
-#ifdef __NR_llistxattr
-        {"llistxattr", __NR_llistxattr},
-#endif
-#endif
-#ifdef SYS_lock
-#ifdef __NR_lock
-        {"lock", __NR_lock},
-#endif
-#endif
-#ifdef SYS_lookup_dcookie
-#ifdef __NR_lookup_dcookie
-        {"lookup_dcookie", __NR_lookup_dcookie},
-#endif
-#endif
-#ifdef SYS_lremovexattr
-#ifdef __NR_lremovexattr
-        {"lremovexattr", __NR_lremovexattr},
-#endif
-#endif
-#ifdef SYS_lseek
-#ifdef __NR_lseek
-        {"lseek", __NR_lseek},
-#endif
-#endif
-#ifdef SYS_lsetxattr
-#ifdef __NR_lsetxattr
-        {"lsetxattr", __NR_lsetxattr},
-#endif
-#endif
-#ifdef SYS_lstat
-#ifdef __NR_lstat
-        {"lstat", __NR_lstat},
-#endif
-#endif
-#ifdef SYS_lstat64
-#ifdef __NR_lstat64
-        {"lstat64", __NR_lstat64},
-#endif
-#endif
-#ifdef SYS_madvise
-#ifdef __NR_madvise
-        {"madvise", __NR_madvise},
-#endif
-#endif
-#ifdef SYS_mbind
-#ifdef __NR_mbind
-        {"mbind", __NR_mbind},
-#endif
-#endif
-#ifdef SYS_membarrier
-#ifdef __NR_membarrier
-        {"membarrier", __NR_membarrier},
-#endif
-#endif
-#ifdef SYS_memfd_create
-#ifdef __NR_memfd_create
-        {"memfd_create", __NR_memfd_create},
-#endif
-#endif
-#ifdef SYS_migrate_pages
-#ifdef __NR_migrate_pages
-        {"migrate_pages", __NR_migrate_pages},
-#endif
-#endif
-#ifdef SYS_mincore
-#ifdef __NR_mincore
-        {"mincore", __NR_mincore},
-#endif
-#endif
-#ifdef SYS_mkdir
-#ifdef __NR_mkdir
-        {"mkdir", __NR_mkdir},
-#endif
-#endif
-#ifdef SYS_mkdirat
-#ifdef __NR_mkdirat
-        {"mkdirat", __NR_mkdirat},
-#endif
-#endif
-#ifdef SYS_mknod
-#ifdef __NR_mknod
-        {"mknod", __NR_mknod},
-#endif
-#endif
-#ifdef SYS_mknodat
-#ifdef __NR_mknodat
-        {"mknodat", __NR_mknodat},
-#endif
-#endif
-#ifdef SYS_mlock
-#ifdef __NR_mlock
-        {"mlock", __NR_mlock},
-#endif
-#endif
-#ifdef SYS_mlock2
-#ifdef __NR_mlock2
-        {"mlock2", __NR_mlock2},
-#endif
-#endif
-#ifdef SYS_mlockall
-#ifdef __NR_mlockall
-        {"mlockall", __NR_mlockall},
-#endif
-#endif
-#ifdef SYS_mmap
-#ifdef __NR_mmap
-        {"mmap", __NR_mmap},
-#endif
-#endif
-#ifdef SYS_mmap2
-#ifdef __NR_mmap2
-        {"mmap2", __NR_mmap2},
-#endif
-#endif
-#ifdef SYS_modify_ldt
-#ifdef __NR_modify_ldt
-        {"modify_ldt", __NR_modify_ldt},
-#endif
-#endif
-#ifdef SYS_mount
-#ifdef __NR_mount
-        {"mount", __NR_mount},
-#endif
-#endif
-#ifdef SYS_move_pages
-#ifdef __NR_move_pages
-        {"move_pages", __NR_move_pages},
-#endif
-#endif
-#ifdef SYS_mprotect
-#ifdef __NR_mprotect
-        {"mprotect", __NR_mprotect},
-#endif
-#endif
-#ifdef SYS_mpx
-#ifdef __NR_mpx
-        {"mpx", __NR_mpx},
-#endif
-#endif
-#ifdef SYS_mq_getsetattr
-#ifdef __NR_mq_getsetattr
-        {"mq_getsetattr", __NR_mq_getsetattr},
-#endif
-#endif
-#ifdef SYS_mq_notify
-#ifdef __NR_mq_notify
-        {"mq_notify", __NR_mq_notify},
-#endif
-#endif
-#ifdef SYS_mq_open
-#ifdef __NR_mq_open
-        {"mq_open", __NR_mq_open},
-#endif
-#endif
-#ifdef SYS_mq_timedreceive
-#ifdef __NR_mq_timedreceive
-        {"mq_timedreceive", __NR_mq_timedreceive},
-#endif
-#endif
-#ifdef SYS_mq_timedsend
-#ifdef __NR_mq_timedsend
-        {"mq_timedsend", __NR_mq_timedsend},
-#endif
-#endif
-#ifdef SYS_mq_unlink
-#ifdef __NR_mq_unlink
-        {"mq_unlink", __NR_mq_unlink},
-#endif
-#endif
-#ifdef SYS_mremap
-#ifdef __NR_mremap
-        {"mremap", __NR_mremap},
-#endif
-#endif
-#ifdef SYS_msync
-#ifdef __NR_msync
-        {"msync", __NR_msync},
-#endif
-#endif
-#ifdef SYS_munlock
-#ifdef __NR_munlock
-        {"munlock", __NR_munlock},
-#endif
-#endif
-#ifdef SYS_munlockall
-#ifdef __NR_munlockall
-        {"munlockall", __NR_munlockall},
-#endif
-#endif
-#ifdef SYS_munmap
-#ifdef __NR_munmap
-        {"munmap", __NR_munmap},
-#endif
-#endif
-#ifdef SYS_name_to_handle_at
-#ifdef __NR_name_to_handle_at
-        {"name_to_handle_at", __NR_name_to_handle_at},
-#endif
-#endif
-#ifdef SYS_nanosleep
-#ifdef __NR_nanosleep
-        {"nanosleep", __NR_nanosleep},
-#endif
-#endif
-#ifdef SYS_nfsservctl
-#ifdef __NR_nfsservctl
-        {"nfsservctl", __NR_nfsservctl},
-#endif
-#endif
-#ifdef SYS_nice
-#ifdef __NR_nice
-        {"nice", __NR_nice},
-#endif
-#endif
-#ifdef SYS_oldfstat
-#ifdef __NR_oldfstat
-        {"oldfstat", __NR_oldfstat},
-#endif
-#endif
-#ifdef SYS_oldlstat
-#ifdef __NR_oldlstat
-        {"oldlstat", __NR_oldlstat},
-#endif
-#endif
-#ifdef SYS_oldolduname
-#ifdef __NR_oldolduname
-        {"oldolduname", __NR_oldolduname},
-#endif
-#endif
-#ifdef SYS_oldstat
-#ifdef __NR_oldstat
-        {"oldstat", __NR_oldstat},
-#endif
-#endif
-#ifdef SYS_olduname
-#ifdef __NR_olduname
-        {"olduname", __NR_olduname},
-#endif
-#endif
-#ifdef SYS_open
-#ifdef __NR_open
-        {"open", __NR_open},
-#endif
-#endif
-#ifdef SYS_open_by_handle_at
-#ifdef __NR_open_by_handle_at
-        {"open_by_handle_at", __NR_open_by_handle_at},
-#endif
-#endif
-#ifdef SYS_openat
-#ifdef __NR_openat
-        {"openat", __NR_openat},
-#endif
-#endif
-#ifdef SYS_pause
-#ifdef __NR_pause
-        {"pause", __NR_pause},
-#endif
-#endif
-#ifdef SYS_perf_event_open
-#ifdef __NR_perf_event_open
-        {"perf_event_open", __NR_perf_event_open},
-#endif
-#endif
-#ifdef SYS_personality
-#ifdef __NR_personality
-        {"personality", __NR_personality},
-#endif
-#endif
-#ifdef SYS_pipe
-#ifdef __NR_pipe
-        {"pipe", __NR_pipe},
-#endif
-#endif
-#ifdef SYS_pipe2
-#ifdef __NR_pipe2
-        {"pipe2", __NR_pipe2},
-#endif
-#endif
-#ifdef SYS_pivot_root
-#ifdef __NR_pivot_root
-        {"pivot_root", __NR_pivot_root},
-#endif
-#endif
-#ifdef SYS_pkey_alloc
-#ifdef __NR_pkey_alloc
-        {"pkey_alloc", __NR_pkey_alloc},
-#endif
-#endif
-#ifdef SYS_pkey_free
-#ifdef __NR_pkey_free
-        {"pkey_free", __NR_pkey_free},
-#endif
-#endif
-#ifdef SYS_pkey_mprotect
-#ifdef __NR_pkey_mprotect
-        {"pkey_mprotect", __NR_pkey_mprotect},
-#endif
-#endif
-#ifdef SYS_poll
-#ifdef __NR_poll
-        {"poll", __NR_poll},
-#endif
-#endif
-#ifdef SYS_ppoll
-#ifdef __NR_ppoll
-        {"ppoll", __NR_ppoll},
-#endif
-#endif
-#ifdef SYS_prctl
-#ifdef __NR_prctl
-        {"prctl", __NR_prctl},
-#endif
-#endif
-#ifdef SYS_pread64
-#ifdef __NR_pread64
-        {"pread64", __NR_pread64},
-#endif
-#endif
-#ifdef SYS_preadv
-#ifdef __NR_preadv
-        {"preadv", __NR_preadv},
-#endif
-#endif
-#ifdef SYS_preadv2
-#ifdef __NR_preadv2
-        {"preadv2", __NR_preadv2},
-#endif
-#endif
-#ifdef SYS_prlimit64
-#ifdef __NR_prlimit64
-        {"prlimit64", __NR_prlimit64},
-#endif
-#endif
-#ifdef SYS_process_vm_readv
-#ifdef __NR_process_vm_readv
-        {"process_vm_readv", __NR_process_vm_readv},
-#endif
-#endif
-#ifdef SYS_process_vm_writev
-#ifdef __NR_process_vm_writev
-        {"process_vm_writev", __NR_process_vm_writev},
-#endif
-#endif
-#ifdef SYS_prof
-#ifdef __NR_prof
-        {"prof", __NR_prof},
-#endif
-#endif
-#ifdef SYS_profil
-#ifdef __NR_profil
-        {"profil", __NR_profil},
-#endif
-#endif
-#ifdef SYS_pselect6
-#ifdef __NR_pselect6
-        {"pselect6", __NR_pselect6},
-#endif
-#endif
-#ifdef SYS_ptrace
-#ifdef __NR_ptrace
-        {"ptrace", __NR_ptrace},
-#endif
-#endif
-#ifdef SYS_putpmsg
-#ifdef __NR_putpmsg
-        {"putpmsg", __NR_putpmsg},
-#endif
-#endif
-#ifdef SYS_pwrite64
-#ifdef __NR_pwrite64
-        {"pwrite64", __NR_pwrite64},
-#endif
-#endif
-#ifdef SYS_pwritev
-#ifdef __NR_pwritev
-        {"pwritev", __NR_pwritev},
-#endif
-#endif
-#ifdef SYS_pwritev2
-#ifdef __NR_pwritev2
-        {"pwritev2", __NR_pwritev2},
-#endif
-#endif
-#ifdef SYS_query_module
-#ifdef __NR_query_module
-        {"query_module", __NR_query_module},
-#endif
-#endif
-#ifdef SYS_quotactl
-#ifdef __NR_quotactl
-        {"quotactl", __NR_quotactl},
-#endif
-#endif
-#ifdef SYS_read
-#ifdef __NR_read
-        {"read", __NR_read},
-#endif
-#endif
-#ifdef SYS_readahead
-#ifdef __NR_readahead
-        {"readahead", __NR_readahead},
-#endif
-#endif
-#ifdef SYS_readdir
-#ifdef __NR_readdir
-        {"readdir", __NR_readdir},
-#endif
-#endif
-#ifdef SYS_readlink
-#ifdef __NR_readlink
-        {"readlink", __NR_readlink},
-#endif
-#endif
-#ifdef SYS_readlinkat
-#ifdef __NR_readlinkat
-        {"readlinkat", __NR_readlinkat},
-#endif
-#endif
-#ifdef SYS_readv
-#ifdef __NR_readv
-        {"readv", __NR_readv},
-#endif
-#endif
-#ifdef SYS_reboot
-#ifdef __NR_reboot
-        {"reboot", __NR_reboot},
-#endif
-#endif
-#ifdef SYS_recvfrom
-#ifdef __NR_recvfrom
-        {"recvfrom", __NR_recvfrom},
-#endif
-#endif
-#ifdef SYS_recvmmsg
-#ifdef __NR_recvmmsg
-        {"recvmmsg", __NR_recvmmsg},
-#endif
-#endif
-#ifdef SYS_recvmsg
-#ifdef __NR_recvmsg
-        {"recvmsg", __NR_recvmsg},
-#endif
-#endif
-#ifdef SYS_remap_file_pages
-#ifdef __NR_remap_file_pages
-        {"remap_file_pages", __NR_remap_file_pages},
-#endif
-#endif
-#ifdef SYS_removexattr
-#ifdef __NR_removexattr
-        {"removexattr", __NR_removexattr},
-#endif
-#endif
-#ifdef SYS_rename
-#ifdef __NR_rename
-        {"rename", __NR_rename},
-#endif
-#endif
-#ifdef SYS_renameat
-#ifdef __NR_renameat
-        {"renameat", __NR_renameat},
-#endif
-#endif
-#ifdef SYS_renameat2
-#ifdef __NR_renameat2
-        {"renameat2", __NR_renameat2},
-#endif
-#endif
-#ifdef SYS_request_key
-#ifdef __NR_request_key
-        {"request_key", __NR_request_key},
-#endif
-#endif
-#ifdef SYS_restart_syscall
-#ifdef __NR_restart_syscall
-        {"restart_syscall", __NR_restart_syscall},
-#endif
-#endif
-#ifdef SYS_rmdir
-#ifdef __NR_rmdir
-        {"rmdir", __NR_rmdir},
-#endif
-#endif
-#ifdef SYS_rt_sigaction
-#ifdef __NR_rt_sigaction
-        {"rt_sigaction", __NR_rt_sigaction},
-#endif
-#endif
-#ifdef SYS_rt_sigpending
-#ifdef __NR_rt_sigpending
-        {"rt_sigpending", __NR_rt_sigpending},
-#endif
-#endif
-#ifdef SYS_rt_sigprocmask
-#ifdef __NR_rt_sigprocmask
-        {"rt_sigprocmask", __NR_rt_sigprocmask},
-#endif
-#endif
-#ifdef SYS_rt_sigqueueinfo
-#ifdef __NR_rt_sigqueueinfo
-        {"rt_sigqueueinfo", __NR_rt_sigqueueinfo},
-#endif
-#endif
-#ifdef SYS_rt_sigreturn
-#ifdef __NR_rt_sigreturn
-        {"rt_sigreturn", __NR_rt_sigreturn},
-#endif
-#endif
-#ifdef SYS_rt_sigsuspend
-#ifdef __NR_rt_sigsuspend
-        {"rt_sigsuspend", __NR_rt_sigsuspend},
-#endif
-#endif
-#ifdef SYS_rt_sigtimedwait
-#ifdef __NR_rt_sigtimedwait
-        {"rt_sigtimedwait", __NR_rt_sigtimedwait},
-#endif
-#endif
-#ifdef SYS_rt_tgsigqueueinfo
-#ifdef __NR_rt_tgsigqueueinfo
-        {"rt_tgsigqueueinfo", __NR_rt_tgsigqueueinfo},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_max
-#ifdef __NR_sched_get_priority_max
-        {"sched_get_priority_max", __NR_sched_get_priority_max},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_min
-#ifdef __NR_sched_get_priority_min
-        {"sched_get_priority_min", __NR_sched_get_priority_min},
-#endif
-#endif
-#ifdef SYS_sched_getaffinity
-#ifdef __NR_sched_getaffinity
-        {"sched_getaffinity", __NR_sched_getaffinity},
-#endif
-#endif
-#ifdef SYS_sched_getattr
-#ifdef __NR_sched_getattr
-        {"sched_getattr", __NR_sched_getattr},
-#endif
-#endif
-#ifdef SYS_sched_getparam
-#ifdef __NR_sched_getparam
-        {"sched_getparam", __NR_sched_getparam},
-#endif
-#endif
-#ifdef SYS_sched_getscheduler
-#ifdef __NR_sched_getscheduler
-        {"sched_getscheduler", __NR_sched_getscheduler},
-#endif
-#endif
-#ifdef SYS_sched_rr_get_interval
-#ifdef __NR_sched_rr_get_interval
-        {"sched_rr_get_interval", __NR_sched_rr_get_interval},
-#endif
-#endif
-#ifdef SYS_sched_setaffinity
-#ifdef __NR_sched_setaffinity
-        {"sched_setaffinity", __NR_sched_setaffinity},
-#endif
-#endif
-#ifdef SYS_sched_setattr
-#ifdef __NR_sched_setattr
-        {"sched_setattr", __NR_sched_setattr},
-#endif
-#endif
-#ifdef SYS_sched_setparam
-#ifdef __NR_sched_setparam
-        {"sched_setparam", __NR_sched_setparam},
-#endif
-#endif
-#ifdef SYS_sched_setscheduler
-#ifdef __NR_sched_setscheduler
-        {"sched_setscheduler", __NR_sched_setscheduler},
-#endif
-#endif
-#ifdef SYS_sched_yield
-#ifdef __NR_sched_yield
-        {"sched_yield", __NR_sched_yield},
-#endif
-#endif
-#ifdef SYS_seccomp
-#ifdef __NR_seccomp
-        {"seccomp", __NR_seccomp},
-#endif
-#endif
-#ifdef SYS_select
-#ifdef __NR_select
-        {"select", __NR_select},
-#endif
-#endif
-#ifdef SYS_sendfile
-#ifdef __NR_sendfile
-        {"sendfile", __NR_sendfile},
-#endif
-#endif
-#ifdef SYS_sendfile64
-#ifdef __NR_sendfile64
-        {"sendfile64", __NR_sendfile64},
-#endif
-#endif
-#ifdef SYS_sendmmsg
-#ifdef __NR_sendmmsg
-        {"sendmmsg", __NR_sendmmsg},
-#endif
-#endif
-#ifdef SYS_sendmsg
-#ifdef __NR_sendmsg
-        {"sendmsg", __NR_sendmsg},
-#endif
-#endif
-#ifdef SYS_sendto
-#ifdef __NR_sendto
-        {"sendto", __NR_sendto},
-#endif
-#endif
-#ifdef SYS_set_mempolicy
-#ifdef __NR_set_mempolicy
-        {"set_mempolicy", __NR_set_mempolicy},
-#endif
-#endif
-#ifdef SYS_set_robust_list
-#ifdef __NR_set_robust_list
-        {"set_robust_list", __NR_set_robust_list},
-#endif
-#endif
-#ifdef SYS_set_thread_area
-#ifdef __NR_set_thread_area
-        {"set_thread_area", __NR_set_thread_area},
-#endif
-#endif
-#ifdef SYS_set_tid_address
-#ifdef __NR_set_tid_address
-        {"set_tid_address", __NR_set_tid_address},
-#endif
-#endif
-#ifdef SYS_setdomainname
-#ifdef __NR_setdomainname
-        {"setdomainname", __NR_setdomainname},
-#endif
-#endif
-#ifdef SYS_setfsgid
-#ifdef __NR_setfsgid
-        {"setfsgid", __NR_setfsgid},
-#endif
-#endif
-#ifdef SYS_setfsgid32
-#ifdef __NR_setfsgid32
-        {"setfsgid32", __NR_setfsgid32},
-#endif
-#endif
-#ifdef SYS_setfsuid
-#ifdef __NR_setfsuid
-        {"setfsuid", __NR_setfsuid},
-#endif
-#endif
-#ifdef SYS_setfsuid32
-#ifdef __NR_setfsuid32
-        {"setfsuid32", __NR_setfsuid32},
-#endif
-#endif
-#ifdef SYS_setgid
-#ifdef __NR_setgid
-        {"setgid", __NR_setgid},
-#endif
-#endif
-#ifdef SYS_setgid32
-#ifdef __NR_setgid32
-        {"setgid32", __NR_setgid32},
-#endif
-#endif
-#ifdef SYS_setgroups
-#ifdef __NR_setgroups
-        {"setgroups", __NR_setgroups},
-#endif
-#endif
-#ifdef SYS_setgroups32
-#ifdef __NR_setgroups32
-        {"setgroups32", __NR_setgroups32},
-#endif
-#endif
-#ifdef SYS_sethostname
-#ifdef __NR_sethostname
-        {"sethostname", __NR_sethostname},
-#endif
-#endif
-#ifdef SYS_setitimer
-#ifdef __NR_setitimer
-        {"setitimer", __NR_setitimer},
-#endif
-#endif
-#ifdef SYS_setns
-#ifdef __NR_setns
-        {"setns", __NR_setns},
-#endif
-#endif
-#ifdef SYS_setpgid
-#ifdef __NR_setpgid
-        {"setpgid", __NR_setpgid},
-#endif
-#endif
-#ifdef SYS_setpriority
-#ifdef __NR_setpriority
-        {"setpriority", __NR_setpriority},
-#endif
-#endif
-#ifdef SYS_setregid
-#ifdef __NR_setregid
-        {"setregid", __NR_setregid},
-#endif
-#endif
-#ifdef SYS_setregid32
-#ifdef __NR_setregid32
-        {"setregid32", __NR_setregid32},
-#endif
-#endif
-#ifdef SYS_setresgid
-#ifdef __NR_setresgid
-        {"setresgid", __NR_setresgid},
-#endif
-#endif
-#ifdef SYS_setresgid32
-#ifdef __NR_setresgid32
-        {"setresgid32", __NR_setresgid32},
-#endif
-#endif
-#ifdef SYS_setresuid
-#ifdef __NR_setresuid
-        {"setresuid", __NR_setresuid},
-#endif
-#endif
-#ifdef SYS_setresuid32
-#ifdef __NR_setresuid32
-        {"setresuid32", __NR_setresuid32},
-#endif
-#endif
-#ifdef SYS_setreuid
-#ifdef __NR_setreuid
-        {"setreuid", __NR_setreuid},
-#endif
-#endif
-#ifdef SYS_setreuid32
-#ifdef __NR_setreuid32
-        {"setreuid32", __NR_setreuid32},
-#endif
-#endif
-#ifdef SYS_setrlimit
-#ifdef __NR_setrlimit
-        {"setrlimit", __NR_setrlimit},
-#endif
-#endif
-#ifdef SYS_setsid
-#ifdef __NR_setsid
-        {"setsid", __NR_setsid},
-#endif
-#endif
-#ifdef SYS_setsockopt
-#ifdef __NR_setsockopt
-        {"setsockopt", __NR_setsockopt},
-#endif
-#endif
-#ifdef SYS_settimeofday
-#ifdef __NR_settimeofday
-        {"settimeofday", __NR_settimeofday},
-#endif
-#endif
-#ifdef SYS_setuid
-#ifdef __NR_setuid
-        {"setuid", __NR_setuid},
-#endif
-#endif
-#ifdef SYS_setuid32
-#ifdef __NR_setuid32
-        {"setuid32", __NR_setuid32},
-#endif
-#endif
-#ifdef SYS_setxattr
-#ifdef __NR_setxattr
-        {"setxattr", __NR_setxattr},
-#endif
-#endif
-#ifdef SYS_sgetmask
-#ifdef __NR_sgetmask
-        {"sgetmask", __NR_sgetmask},
-#endif
-#endif
-#ifdef SYS_shutdown
-#ifdef __NR_shutdown
-        {"shutdown", __NR_shutdown},
-#endif
-#endif
-#ifdef SYS_sigaction
-#ifdef __NR_sigaction
-        {"sigaction", __NR_sigaction},
-#endif
-#endif
-#ifdef SYS_sigaltstack
-#ifdef __NR_sigaltstack
-        {"sigaltstack", __NR_sigaltstack},
-#endif
-#endif
-#ifdef SYS_signal
-#ifdef __NR_signal
-        {"signal", __NR_signal},
-#endif
-#endif
-#ifdef SYS_signalfd
-#ifdef __NR_signalfd
-        {"signalfd", __NR_signalfd},
-#endif
-#endif
-#ifdef SYS_signalfd4
-#ifdef __NR_signalfd4
-        {"signalfd4", __NR_signalfd4},
-#endif
-#endif
-#ifdef SYS_sigpending
-#ifdef __NR_sigpending
-        {"sigpending", __NR_sigpending},
-#endif
-#endif
-#ifdef SYS_sigprocmask
-#ifdef __NR_sigprocmask
-        {"sigprocmask", __NR_sigprocmask},
-#endif
-#endif
-#ifdef SYS_sigreturn
-#ifdef __NR_sigreturn
-        {"sigreturn", __NR_sigreturn},
-#endif
-#endif
-#ifdef SYS_sigsuspend
-#ifdef __NR_sigsuspend
-        {"sigsuspend", __NR_sigsuspend},
-#endif
-#endif
-#ifdef SYS_socket
-#ifdef __NR_socket
-        {"socket", __NR_socket},
-#endif
-#endif
-#ifdef SYS_socketcall
-#ifdef __NR_socketcall
-        {"socketcall", __NR_socketcall},
-#endif
-#endif
-#ifdef SYS_socketpair
-#ifdef __NR_socketpair
-        {"socketpair", __NR_socketpair},
-#endif
-#endif
-#ifdef SYS_splice
-#ifdef __NR_splice
-        {"splice", __NR_splice},
-#endif
-#endif
-#ifdef SYS_ssetmask
-#ifdef __NR_ssetmask
-        {"ssetmask", __NR_ssetmask},
-#endif
-#endif
-#ifdef SYS_stat
-#ifdef __NR_stat
-        {"stat", __NR_stat},
-#endif
-#endif
-#ifdef SYS_stat64
-#ifdef __NR_stat64
-        {"stat64", __NR_stat64},
-#endif
-#endif
-#ifdef SYS_statfs
-#ifdef __NR_statfs
-        {"statfs", __NR_statfs},
-#endif
-#endif
-#ifdef SYS_statfs64
-#ifdef __NR_statfs64
-        {"statfs64", __NR_statfs64},
-#endif
-#endif
-#ifdef SYS_statx
-#ifdef __NR_statx
-        {"statx", __NR_statx},
-#endif
-#endif
-#ifdef SYS_stime
-#ifdef __NR_stime
-        {"stime", __NR_stime},
-#endif
-#endif
-#ifdef SYS_stty
-#ifdef __NR_stty
-        {"stty", __NR_stty},
-#endif
-#endif
-#ifdef SYS_swapoff
-#ifdef __NR_swapoff
-        {"swapoff", __NR_swapoff},
-#endif
-#endif
-#ifdef SYS_swapon
-#ifdef __NR_swapon
-        {"swapon", __NR_swapon},
-#endif
-#endif
-#ifdef SYS_symlink
-#ifdef __NR_symlink
-        {"symlink", __NR_symlink},
-#endif
-#endif
-#ifdef SYS_symlinkat
-#ifdef __NR_symlinkat
-        {"symlinkat", __NR_symlinkat},
-#endif
-#endif
-#ifdef SYS_sync
-#ifdef __NR_sync
-        {"sync", __NR_sync},
-#endif
-#endif
-#ifdef SYS_sync_file_range
-#ifdef __NR_sync_file_range
-        {"sync_file_range", __NR_sync_file_range},
-#endif
-#endif
-#ifdef SYS_syncfs
-#ifdef __NR_syncfs
-        {"syncfs", __NR_syncfs},
-#endif
-#endif
-#ifdef SYS_sysfs
-#ifdef __NR_sysfs
-        {"sysfs", __NR_sysfs},
-#endif
-#endif
-#ifdef SYS_sysinfo
-#ifdef __NR_sysinfo
-        {"sysinfo", __NR_sysinfo},
-#endif
-#endif
-#ifdef SYS_syslog
-#ifdef __NR_syslog
-        {"syslog", __NR_syslog},
-#endif
-#endif
-#ifdef SYS_tee
-#ifdef __NR_tee
-        {"tee", __NR_tee},
-#endif
-#endif
-#ifdef SYS_tgkill
-#ifdef __NR_tgkill
-        {"tgkill", __NR_tgkill},
-#endif
-#endif
-#ifdef SYS_time
-#ifdef __NR_time
-        {"time", __NR_time},
-#endif
-#endif
-#ifdef SYS_timer_create
-#ifdef __NR_timer_create
-        {"timer_create", __NR_timer_create},
-#endif
-#endif
-#ifdef SYS_timer_delete
-#ifdef __NR_timer_delete
-        {"timer_delete", __NR_timer_delete},
-#endif
-#endif
-#ifdef SYS_timer_getoverrun
-#ifdef __NR_timer_getoverrun
-        {"timer_getoverrun", __NR_timer_getoverrun},
-#endif
-#endif
-#ifdef SYS_timer_gettime
-#ifdef __NR_timer_gettime
-        {"timer_gettime", __NR_timer_gettime},
-#endif
-#endif
-#ifdef SYS_timer_settime
-#ifdef __NR_timer_settime
-        {"timer_settime", __NR_timer_settime},
-#endif
-#endif
-#ifdef SYS_timerfd_create
-#ifdef __NR_timerfd_create
-        {"timerfd_create", __NR_timerfd_create},
-#endif
-#endif
-#ifdef SYS_timerfd_gettime
-#ifdef __NR_timerfd_gettime
-        {"timerfd_gettime", __NR_timerfd_gettime},
-#endif
-#endif
-#ifdef SYS_timerfd_settime
-#ifdef __NR_timerfd_settime
-        {"timerfd_settime", __NR_timerfd_settime},
-#endif
-#endif
-#ifdef SYS_times
-#ifdef __NR_times
-        {"times", __NR_times},
-#endif
-#endif
-#ifdef SYS_tkill
-#ifdef __NR_tkill
-        {"tkill", __NR_tkill},
-#endif
-#endif
-#ifdef SYS_truncate
-#ifdef __NR_truncate
-        {"truncate", __NR_truncate},
-#endif
-#endif
-#ifdef SYS_truncate64
-#ifdef __NR_truncate64
-        {"truncate64", __NR_truncate64},
-#endif
-#endif
-#ifdef SYS_ugetrlimit
-#ifdef __NR_ugetrlimit
-        {"ugetrlimit", __NR_ugetrlimit},
-#endif
-#endif
-#ifdef SYS_ulimit
-#ifdef __NR_ulimit
-        {"ulimit", __NR_ulimit},
-#endif
-#endif
-#ifdef SYS_umask
-#ifdef __NR_umask
-        {"umask", __NR_umask},
-#endif
-#endif
-#ifdef SYS_umount
-#ifdef __NR_umount
-        {"umount", __NR_umount},
-#endif
-#endif
-#ifdef SYS_umount2
-#ifdef __NR_umount2
-        {"umount2", __NR_umount2},
-#endif
-#endif
-#ifdef SYS_uname
-#ifdef __NR_uname
-        {"uname", __NR_uname},
-#endif
-#endif
-#ifdef SYS_unlink
-#ifdef __NR_unlink
-        {"unlink", __NR_unlink},
-#endif
-#endif
-#ifdef SYS_unlinkat
-#ifdef __NR_unlinkat
-        {"unlinkat", __NR_unlinkat},
-#endif
-#endif
-#ifdef SYS_unshare
-#ifdef __NR_unshare
-        {"unshare", __NR_unshare},
-#endif
-#endif
-#ifdef SYS_uselib
-#ifdef __NR_uselib
-        {"uselib", __NR_uselib},
-#endif
-#endif
-#ifdef SYS_userfaultfd
-#ifdef __NR_userfaultfd
-        {"userfaultfd", __NR_userfaultfd},
-#endif
-#endif
-#ifdef SYS_ustat
-#ifdef __NR_ustat
-        {"ustat", __NR_ustat},
-#endif
-#endif
-#ifdef SYS_utime
-#ifdef __NR_utime
-        {"utime", __NR_utime},
-#endif
-#endif
-#ifdef SYS_utimensat
-#ifdef __NR_utimensat
-        {"utimensat", __NR_utimensat},
-#endif
-#endif
-#ifdef SYS_utimes
-#ifdef __NR_utimes
-        {"utimes", __NR_utimes},
-#endif
-#endif
-#ifdef SYS_vfork
-#ifdef __NR_vfork
-        {"vfork", __NR_vfork},
-#endif
-#endif
-#ifdef SYS_vhangup
-#ifdef __NR_vhangup
-        {"vhangup", __NR_vhangup},
-#endif
-#endif
-#ifdef SYS_vm86
-#ifdef __NR_vm86
-        {"vm86", __NR_vm86},
-#endif
-#endif
-#ifdef SYS_vm86old
-#ifdef __NR_vm86old
-        {"vm86old", __NR_vm86old},
-#endif
-#endif
-#ifdef SYS_vmsplice
-#ifdef __NR_vmsplice
-        {"vmsplice", __NR_vmsplice},
-#endif
-#endif
-#ifdef SYS_vserver
-#ifdef __NR_vserver
-        {"vserver", __NR_vserver},
-#endif
-#endif
-#ifdef SYS_wait4
-#ifdef __NR_wait4
-        {"wait4", __NR_wait4},
-#endif
-#endif
-#ifdef SYS_waitid
-#ifdef __NR_waitid
-        {"waitid", __NR_waitid},
-#endif
-#endif
-#ifdef SYS_waitpid
-#ifdef __NR_waitpid
-        {"waitpid", __NR_waitpid},
-#endif
-#endif
-#ifdef SYS_write
-#ifdef __NR_write
-        {"write", __NR_write},
-#endif
-#endif
-#ifdef SYS_writev
-#ifdef __NR_writev
-        {"writev", __NR_writev},
-#endif
-#endif
-#endif
-//#endif
-#if defined __x86_64__ && defined __LP64__
-#ifdef SYS__sysctl
-#ifdef __NR__sysctl
-        {"_sysctl", __NR__sysctl},
-#endif
-#endif
-#ifdef SYS_accept
-#ifdef __NR_accept
-        {"accept", __NR_accept},
-#endif
-#endif
-#ifdef SYS_accept4
-#ifdef __NR_accept4
-        {"accept4", __NR_accept4},
-#endif
-#endif
-#ifdef SYS_access
-#ifdef __NR_access
-        {"access", __NR_access},
-#endif
-#endif
-#ifdef SYS_acct
-#ifdef __NR_acct
-        {"acct", __NR_acct},
-#endif
-#endif
-#ifdef SYS_add_key
-#ifdef __NR_add_key
-        {"add_key", __NR_add_key},
-#endif
-#endif
-#ifdef SYS_adjtimex
-#ifdef __NR_adjtimex
-        {"adjtimex", __NR_adjtimex},
-#endif
-#endif
-#ifdef SYS_afs_syscall
-#ifdef __NR_afs_syscall
-        {"afs_syscall", __NR_afs_syscall},
-#endif
-#endif
-#ifdef SYS_alarm
-#ifdef __NR_alarm
-        {"alarm", __NR_alarm},
-#endif
-#endif
-#ifdef SYS_arch_prctl
-#ifdef __NR_arch_prctl
-        {"arch_prctl", __NR_arch_prctl},
-#endif
-#endif
-#ifdef SYS_bind
-#ifdef __NR_bind
-        {"bind", __NR_bind},
-#endif
-#endif
-#ifdef SYS_bpf
-#ifdef __NR_bpf
-        {"bpf", __NR_bpf},
-#endif
-#endif
-#ifdef SYS_brk
-#ifdef __NR_brk
-        {"brk", __NR_brk},
-#endif
-#endif
-#ifdef SYS_capget
-#ifdef __NR_capget
-        {"capget", __NR_capget},
-#endif
-#endif
-#ifdef SYS_capset
-#ifdef __NR_capset
-        {"capset", __NR_capset},
-#endif
-#endif
-#ifdef SYS_chdir
-#ifdef __NR_chdir
-        {"chdir", __NR_chdir},
-#endif
-#endif
-#ifdef SYS_chmod
-#ifdef __NR_chmod
-        {"chmod", __NR_chmod},
-#endif
-#endif
-#ifdef SYS_chown
-#ifdef __NR_chown
-        {"chown", __NR_chown},
-#endif
-#endif
-#ifdef SYS_chroot
-#ifdef __NR_chroot
-        {"chroot", __NR_chroot},
-#endif
-#endif
-#ifdef SYS_clock_adjtime
-#ifdef __NR_clock_adjtime
-        {"clock_adjtime", __NR_clock_adjtime},
-#endif
-#endif
-#ifdef SYS_clock_getres
-#ifdef __NR_clock_getres
-        {"clock_getres", __NR_clock_getres},
-#endif
-#endif
-#ifdef SYS_clock_gettime
-#ifdef __NR_clock_gettime
-        {"clock_gettime", __NR_clock_gettime},
-#endif
-#endif
-#ifdef SYS_clock_nanosleep
-#ifdef __NR_clock_nanosleep
-        {"clock_nanosleep", __NR_clock_nanosleep},
-#endif
-#endif
-#ifdef SYS_clock_settime
-#ifdef __NR_clock_settime
-        {"clock_settime", __NR_clock_settime},
-#endif
-#endif
-#ifdef SYS_clone
-#ifdef __NR_clone
-        {"clone", __NR_clone},
-#endif
-#endif
-#ifdef SYS_close
-#ifdef __NR_close
-        {"close", __NR_close},
-#endif
-#endif
-#ifdef SYS_connect
-#ifdef __NR_connect
-        {"connect", __NR_connect},
-#endif
-#endif
-#ifdef SYS_copy_file_range
-#ifdef __NR_copy_file_range
-        {"copy_file_range", __NR_copy_file_range},
-#endif
-#endif
-#ifdef SYS_creat
-#ifdef __NR_creat
-        {"creat", __NR_creat},
-#endif
-#endif
-#ifdef SYS_create_module
-#ifdef __NR_create_module
-        {"create_module", __NR_create_module},
-#endif
-#endif
-#ifdef SYS_delete_module
-#ifdef __NR_delete_module
-        {"delete_module", __NR_delete_module},
-#endif
-#endif
-#ifdef SYS_dup
-#ifdef __NR_dup
-        {"dup", __NR_dup},
-#endif
-#endif
-#ifdef SYS_dup2
-#ifdef __NR_dup2
-        {"dup2", __NR_dup2},
-#endif
-#endif
-#ifdef SYS_dup3
-#ifdef __NR_dup3
-        {"dup3", __NR_dup3},
-#endif
-#endif
-#ifdef SYS_epoll_create
-#ifdef __NR_epoll_create
-        {"epoll_create", __NR_epoll_create},
-#endif
-#endif
-#ifdef SYS_epoll_create1
-#ifdef __NR_epoll_create1
-        {"epoll_create1", __NR_epoll_create1},
-#endif
-#endif
-#ifdef SYS_epoll_ctl
-#ifdef __NR_epoll_ctl
-        {"epoll_ctl", __NR_epoll_ctl},
-#endif
-#endif
-#ifdef SYS_epoll_ctl_old
-#ifdef __NR_epoll_ctl_old
-        {"epoll_ctl_old", __NR_epoll_ctl_old},
-#endif
-#endif
-#ifdef SYS_epoll_pwait
-#ifdef __NR_epoll_pwait
-        {"epoll_pwait", __NR_epoll_pwait},
-#endif
-#endif
-#ifdef SYS_epoll_wait
-#ifdef __NR_epoll_wait
-        {"epoll_wait", __NR_epoll_wait},
-#endif
-#endif
-#ifdef SYS_epoll_wait_old
-#ifdef __NR_epoll_wait_old
-        {"epoll_wait_old", __NR_epoll_wait_old},
-#endif
-#endif
-#ifdef SYS_eventfd
-#ifdef __NR_eventfd
-        {"eventfd", __NR_eventfd},
-#endif
-#endif
-#ifdef SYS_eventfd2
-#ifdef __NR_eventfd2
-        {"eventfd2", __NR_eventfd2},
-#endif
-#endif
-#ifdef SYS_execve
-#ifdef __NR_execve
-        {"execve", __NR_execve},
-#endif
-#endif
-#ifdef SYS_execveat
-#ifdef __NR_execveat
-        {"execveat", __NR_execveat},
-#endif
-#endif
-#ifdef SYS_exit
-#ifdef __NR_exit
-        {"exit", __NR_exit},
-#endif
-#endif
-#ifdef SYS_exit_group
-#ifdef __NR_exit_group
-        {"exit_group", __NR_exit_group},
-#endif
-#endif
-#ifdef SYS_faccessat
-#ifdef __NR_faccessat
-        {"faccessat", __NR_faccessat},
-#endif
-#endif
-#ifdef SYS_fadvise64
-#ifdef __NR_fadvise64
-        {"fadvise64", __NR_fadvise64},
-#endif
-#endif
-#ifdef SYS_fallocate
-#ifdef __NR_fallocate
-        {"fallocate", __NR_fallocate},
-#endif
-#endif
-#ifdef SYS_fanotify_init
-#ifdef __NR_fanotify_init
-        {"fanotify_init", __NR_fanotify_init},
-#endif
-#endif
-#ifdef SYS_fanotify_mark
-#ifdef __NR_fanotify_mark
-        {"fanotify_mark", __NR_fanotify_mark},
-#endif
-#endif
-#ifdef SYS_fchdir
-#ifdef __NR_fchdir
-        {"fchdir", __NR_fchdir},
-#endif
-#endif
-#ifdef SYS_fchmod
-#ifdef __NR_fchmod
-        {"fchmod", __NR_fchmod},
-#endif
-#endif
-#ifdef SYS_fchmodat
-#ifdef __NR_fchmodat
-        {"fchmodat", __NR_fchmodat},
-#endif
-#endif
-#ifdef SYS_fchown
-#ifdef __NR_fchown
-        {"fchown", __NR_fchown},
-#endif
-#endif
-#ifdef SYS_fchownat
-#ifdef __NR_fchownat
-        {"fchownat", __NR_fchownat},
-#endif
-#endif
-#ifdef SYS_fcntl
-#ifdef __NR_fcntl
-        {"fcntl", __NR_fcntl},
-#endif
-#endif
-#ifdef SYS_fdatasync
-#ifdef __NR_fdatasync
-        {"fdatasync", __NR_fdatasync},
-#endif
-#endif
-#ifdef SYS_fgetxattr
-#ifdef __NR_fgetxattr
-        {"fgetxattr", __NR_fgetxattr},
-#endif
-#endif
-#ifdef SYS_finit_module
-#ifdef __NR_finit_module
-        {"finit_module", __NR_finit_module},
-#endif
-#endif
-#ifdef SYS_flistxattr
-#ifdef __NR_flistxattr
-        {"flistxattr", __NR_flistxattr},
-#endif
-#endif
-#ifdef SYS_flock
-#ifdef __NR_flock
-        {"flock", __NR_flock},
-#endif
-#endif
-#ifdef SYS_fork
-#ifdef __NR_fork
-        {"fork", __NR_fork},
-#endif
-#endif
-#ifdef SYS_fremovexattr
-#ifdef __NR_fremovexattr
-        {"fremovexattr", __NR_fremovexattr},
-#endif
-#endif
-#ifdef SYS_fsetxattr
-#ifdef __NR_fsetxattr
-        {"fsetxattr", __NR_fsetxattr},
-#endif
-#endif
-#ifdef SYS_fstat
-#ifdef __NR_fstat
-        {"fstat", __NR_fstat},
-#endif
-#endif
-#ifdef SYS_fstatfs
-#ifdef __NR_fstatfs
-        {"fstatfs", __NR_fstatfs},
-#endif
-#endif
-#ifdef SYS_fsync
-#ifdef __NR_fsync
-        {"fsync", __NR_fsync},
-#endif
-#endif
-#ifdef SYS_ftruncate
-#ifdef __NR_ftruncate
-        {"ftruncate", __NR_ftruncate},
-#endif
-#endif
-#ifdef SYS_futex
-#ifdef __NR_futex
-        {"futex", __NR_futex},
-#endif
-#endif
-#ifdef SYS_futimesat
-#ifdef __NR_futimesat
-        {"futimesat", __NR_futimesat},
-#endif
-#endif
-#ifdef SYS_get_kernel_syms
-#ifdef __NR_get_kernel_syms
-        {"get_kernel_syms", __NR_get_kernel_syms},
-#endif
-#endif
-#ifdef SYS_get_mempolicy
-#ifdef __NR_get_mempolicy
-        {"get_mempolicy", __NR_get_mempolicy},
-#endif
-#endif
-#ifdef SYS_get_robust_list
-#ifdef __NR_get_robust_list
-        {"get_robust_list", __NR_get_robust_list},
-#endif
-#endif
-#ifdef SYS_get_thread_area
-#ifdef __NR_get_thread_area
-        {"get_thread_area", __NR_get_thread_area},
-#endif
-#endif
-#ifdef SYS_getcpu
-#ifdef __NR_getcpu
-        {"getcpu", __NR_getcpu},
-#endif
-#endif
-#ifdef SYS_getcwd
-#ifdef __NR_getcwd
-        {"getcwd", __NR_getcwd},
-#endif
-#endif
-#ifdef SYS_getdents
-#ifdef __NR_getdents
-        {"getdents", __NR_getdents},
-#endif
-#endif
-#ifdef SYS_getdents64
-#ifdef __NR_getdents64
-        {"getdents64", __NR_getdents64},
-#endif
-#endif
-#ifdef SYS_getegid
-#ifdef __NR_getegid
-        {"getegid", __NR_getegid},
-#endif
-#endif
-#ifdef SYS_geteuid
-#ifdef __NR_geteuid
-        {"geteuid", __NR_geteuid},
-#endif
-#endif
-#ifdef SYS_getgid
-#ifdef __NR_getgid
-        {"getgid", __NR_getgid},
-#endif
-#endif
-#ifdef SYS_getgroups
-#ifdef __NR_getgroups
-        {"getgroups", __NR_getgroups},
-#endif
-#endif
-#ifdef SYS_getitimer
-#ifdef __NR_getitimer
-        {"getitimer", __NR_getitimer},
-#endif
-#endif
-#ifdef SYS_getpeername
-#ifdef __NR_getpeername
-        {"getpeername", __NR_getpeername},
-#endif
-#endif
-#ifdef SYS_getpgid
-#ifdef __NR_getpgid
-        {"getpgid", __NR_getpgid},
-#endif
-#endif
-#ifdef SYS_getpgrp
-#ifdef __NR_getpgrp
-        {"getpgrp", __NR_getpgrp},
-#endif
-#endif
-#ifdef SYS_getpid
-#ifdef __NR_getpid
-        {"getpid", __NR_getpid},
-#endif
-#endif
-#ifdef SYS_getpmsg
-#ifdef __NR_getpmsg
-        {"getpmsg", __NR_getpmsg},
-#endif
-#endif
-#ifdef SYS_getppid
-#ifdef __NR_getppid
-        {"getppid", __NR_getppid},
-#endif
-#endif
-#ifdef SYS_getpriority
-#ifdef __NR_getpriority
-        {"getpriority", __NR_getpriority},
-#endif
-#endif
-#ifdef SYS_getrandom
-#ifdef __NR_getrandom
-        {"getrandom", __NR_getrandom},
-#endif
-#endif
-#ifdef SYS_getresgid
-#ifdef __NR_getresgid
-        {"getresgid", __NR_getresgid},
-#endif
-#endif
-#ifdef SYS_getresuid
-#ifdef __NR_getresuid
-        {"getresuid", __NR_getresuid},
-#endif
-#endif
-#ifdef SYS_getrlimit
-#ifdef __NR_getrlimit
-        {"getrlimit", __NR_getrlimit},
-#endif
-#endif
-#ifdef SYS_getrusage
-#ifdef __NR_getrusage
-        {"getrusage", __NR_getrusage},
-#endif
-#endif
-#ifdef SYS_getsid
-#ifdef __NR_getsid
-        {"getsid", __NR_getsid},
-#endif
-#endif
-#ifdef SYS_getsockname
-#ifdef __NR_getsockname
-        {"getsockname", __NR_getsockname},
-#endif
-#endif
-#ifdef SYS_getsockopt
-#ifdef __NR_getsockopt
-        {"getsockopt", __NR_getsockopt},
-#endif
-#endif
-#ifdef SYS_gettid
-#ifdef __NR_gettid
-        {"gettid", __NR_gettid},
-#endif
-#endif
-#ifdef SYS_gettimeofday
-#ifdef __NR_gettimeofday
-        {"gettimeofday", __NR_gettimeofday},
-#endif
-#endif
-#ifdef SYS_getuid
-#ifdef __NR_getuid
-        {"getuid", __NR_getuid},
-#endif
-#endif
-#ifdef SYS_getxattr
-#ifdef __NR_getxattr
-        {"getxattr", __NR_getxattr},
-#endif
-#endif
-#ifdef SYS_init_module
-#ifdef __NR_init_module
-        {"init_module", __NR_init_module},
-#endif
-#endif
-#ifdef SYS_inotify_add_watch
-#ifdef __NR_inotify_add_watch
-        {"inotify_add_watch", __NR_inotify_add_watch},
-#endif
-#endif
-#ifdef SYS_inotify_init
-#ifdef __NR_inotify_init
-        {"inotify_init", __NR_inotify_init},
-#endif
-#endif
-#ifdef SYS_inotify_init1
-#ifdef __NR_inotify_init1
-        {"inotify_init1", __NR_inotify_init1},
-#endif
-#endif
-#ifdef SYS_inotify_rm_watch
-#ifdef __NR_inotify_rm_watch
-        {"inotify_rm_watch", __NR_inotify_rm_watch},
-#endif
-#endif
-#ifdef SYS_io_cancel
-#ifdef __NR_io_cancel
-        {"io_cancel", __NR_io_cancel},
-#endif
-#endif
-#ifdef SYS_io_destroy
-#ifdef __NR_io_destroy
-        {"io_destroy", __NR_io_destroy},
-#endif
-#endif
-#ifdef SYS_io_getevents
-#ifdef __NR_io_getevents
-        {"io_getevents", __NR_io_getevents},
-#endif
-#endif
-#ifdef SYS_io_setup
-#ifdef __NR_io_setup
-        {"io_setup", __NR_io_setup},
-#endif
-#endif
-#ifdef SYS_io_submit
-#ifdef __NR_io_submit
-        {"io_submit", __NR_io_submit},
-#endif
-#endif
-#ifdef SYS_ioctl
-#ifdef __NR_ioctl
-        {"ioctl", __NR_ioctl},
-#endif
-#endif
-#ifdef SYS_ioperm
-#ifdef __NR_ioperm
-        {"ioperm", __NR_ioperm},
-#endif
-#endif
-#ifdef SYS_iopl
-#ifdef __NR_iopl
-        {"iopl", __NR_iopl},
-#endif
-#endif
-#ifdef SYS_ioprio_get
-#ifdef __NR_ioprio_get
-        {"ioprio_get", __NR_ioprio_get},
-#endif
-#endif
-#ifdef SYS_ioprio_set
-#ifdef __NR_ioprio_set
-        {"ioprio_set", __NR_ioprio_set},
-#endif
-#endif
-#ifdef SYS_kcmp
-#ifdef __NR_kcmp
-        {"kcmp", __NR_kcmp},
-#endif
-#endif
-#ifdef SYS_kexec_file_load
-#ifdef __NR_kexec_file_load
-        {"kexec_file_load", __NR_kexec_file_load},
-#endif
-#endif
-#ifdef SYS_kexec_load
-#ifdef __NR_kexec_load
-        {"kexec_load", __NR_kexec_load},
-#endif
-#endif
-#ifdef SYS_keyctl
-#ifdef __NR_keyctl
-        {"keyctl", __NR_keyctl},
-#endif
-#endif
-#ifdef SYS_kill
-#ifdef __NR_kill
-        {"kill", __NR_kill},
-#endif
-#endif
-#ifdef SYS_lchown
-#ifdef __NR_lchown
-        {"lchown", __NR_lchown},
-#endif
-#endif
-#ifdef SYS_lgetxattr
-#ifdef __NR_lgetxattr
-        {"lgetxattr", __NR_lgetxattr},
-#endif
-#endif
-#ifdef SYS_link
-#ifdef __NR_link
-        {"link", __NR_link},
-#endif
-#endif
-#ifdef SYS_linkat
-#ifdef __NR_linkat
-        {"linkat", __NR_linkat},
-#endif
-#endif
-#ifdef SYS_listen
-#ifdef __NR_listen
-        {"listen", __NR_listen},
-#endif
-#endif
-#ifdef SYS_listxattr
-#ifdef __NR_listxattr
-        {"listxattr", __NR_listxattr},
-#endif
-#endif
-#ifdef SYS_llistxattr
-#ifdef __NR_llistxattr
-        {"llistxattr", __NR_llistxattr},
-#endif
-#endif
-#ifdef SYS_lookup_dcookie
-#ifdef __NR_lookup_dcookie
-        {"lookup_dcookie", __NR_lookup_dcookie},
-#endif
-#endif
-#ifdef SYS_lremovexattr
-#ifdef __NR_lremovexattr
-        {"lremovexattr", __NR_lremovexattr},
-#endif
-#endif
-#ifdef SYS_lseek
-#ifdef __NR_lseek
-        {"lseek", __NR_lseek},
-#endif
-#endif
-#ifdef SYS_lsetxattr
-#ifdef __NR_lsetxattr
-        {"lsetxattr", __NR_lsetxattr},
-#endif
-#endif
-#ifdef SYS_lstat
-#ifdef __NR_lstat
-        {"lstat", __NR_lstat},
-#endif
-#endif
-#ifdef SYS_madvise
-#ifdef __NR_madvise
-        {"madvise", __NR_madvise},
-#endif
-#endif
-#ifdef SYS_mbind
-#ifdef __NR_mbind
-        {"mbind", __NR_mbind},
-#endif
-#endif
-#ifdef SYS_membarrier
-#ifdef __NR_membarrier
-        {"membarrier", __NR_membarrier},
-#endif
-#endif
-#ifdef SYS_memfd_create
-#ifdef __NR_memfd_create
-        {"memfd_create", __NR_memfd_create},
-#endif
-#endif
-#ifdef SYS_migrate_pages
-#ifdef __NR_migrate_pages
-        {"migrate_pages", __NR_migrate_pages},
-#endif
-#endif
-#ifdef SYS_mincore
-#ifdef __NR_mincore
-        {"mincore", __NR_mincore},
-#endif
-#endif
-#ifdef SYS_mkdir
-#ifdef __NR_mkdir
-        {"mkdir", __NR_mkdir},
-#endif
-#endif
-#ifdef SYS_mkdirat
-#ifdef __NR_mkdirat
-        {"mkdirat", __NR_mkdirat},
-#endif
-#endif
-#ifdef SYS_mknod
-#ifdef __NR_mknod
-        {"mknod", __NR_mknod},
-#endif
-#endif
-#ifdef SYS_mknodat
-#ifdef __NR_mknodat
-        {"mknodat", __NR_mknodat},
-#endif
-#endif
-#ifdef SYS_mlock
-#ifdef __NR_mlock
-        {"mlock", __NR_mlock},
-#endif
-#endif
-#ifdef SYS_mlock2
-#ifdef __NR_mlock2
-        {"mlock2", __NR_mlock2},
-#endif
-#endif
-#ifdef SYS_mlockall
-#ifdef __NR_mlockall
-        {"mlockall", __NR_mlockall},
-#endif
-#endif
-#ifdef SYS_mmap
-#ifdef __NR_mmap
-        {"mmap", __NR_mmap},
-#endif
-#endif
-#ifdef SYS_modify_ldt
-#ifdef __NR_modify_ldt
-        {"modify_ldt", __NR_modify_ldt},
-#endif
-#endif
-#ifdef SYS_mount
-#ifdef __NR_mount
-        {"mount", __NR_mount},
-#endif
-#endif
-#ifdef SYS_move_pages
-#ifdef __NR_move_pages
-        {"move_pages", __NR_move_pages},
-#endif
-#endif
-#ifdef SYS_mprotect
-#ifdef __NR_mprotect
-        {"mprotect", __NR_mprotect},
-#endif
-#endif
-#ifdef SYS_mq_getsetattr
-#ifdef __NR_mq_getsetattr
-        {"mq_getsetattr", __NR_mq_getsetattr},
-#endif
-#endif
-#ifdef SYS_mq_notify
-#ifdef __NR_mq_notify
-        {"mq_notify", __NR_mq_notify},
-#endif
-#endif
-#ifdef SYS_mq_open
-#ifdef __NR_mq_open
-        {"mq_open", __NR_mq_open},
-#endif
-#endif
-#ifdef SYS_mq_timedreceive
-#ifdef __NR_mq_timedreceive
-        {"mq_timedreceive", __NR_mq_timedreceive},
-#endif
-#endif
-#ifdef SYS_mq_timedsend
-#ifdef __NR_mq_timedsend
-        {"mq_timedsend", __NR_mq_timedsend},
-#endif
-#endif
-#ifdef SYS_mq_unlink
-#ifdef __NR_mq_unlink
-        {"mq_unlink", __NR_mq_unlink},
-#endif
-#endif
-#ifdef SYS_mremap
-#ifdef __NR_mremap
-        {"mremap", __NR_mremap},
-#endif
-#endif
-#ifdef SYS_msgctl
-#ifdef __NR_msgctl
-        {"msgctl", __NR_msgctl},
-#endif
-#endif
-#ifdef SYS_msgget
-#ifdef __NR_msgget
-        {"msgget", __NR_msgget},
-#endif
-#endif
-#ifdef SYS_msgrcv
-#ifdef __NR_msgrcv
-        {"msgrcv", __NR_msgrcv},
-#endif
-#endif
-#ifdef SYS_msgsnd
-#ifdef __NR_msgsnd
-        {"msgsnd", __NR_msgsnd},
-#endif
-#endif
-#ifdef SYS_msync
-#ifdef __NR_msync
-        {"msync", __NR_msync},
-#endif
-#endif
-#ifdef SYS_munlock
-#ifdef __NR_munlock
-        {"munlock", __NR_munlock},
-#endif
-#endif
-#ifdef SYS_munlockall
-#ifdef __NR_munlockall
-        {"munlockall", __NR_munlockall},
-#endif
-#endif
-#ifdef SYS_munmap
-#ifdef __NR_munmap
-        {"munmap", __NR_munmap},
-#endif
-#endif
-#ifdef SYS_name_to_handle_at
-#ifdef __NR_name_to_handle_at
-        {"name_to_handle_at", __NR_name_to_handle_at},
-#endif
-#endif
-#ifdef SYS_nanosleep
-#ifdef __NR_nanosleep
-        {"nanosleep", __NR_nanosleep},
-#endif
-#endif
-#ifdef SYS_newfstatat
-#ifdef __NR_newfstatat
-        {"newfstatat", __NR_newfstatat},
-#endif
-#endif
-#ifdef SYS_nfsservctl
-#ifdef __NR_nfsservctl
-        {"nfsservctl", __NR_nfsservctl},
-#endif
-#endif
-#ifdef SYS_open
-#ifdef __NR_open
-        {"open", __NR_open},
-#endif
-#endif
-#ifdef SYS_open_by_handle_at
-#ifdef __NR_open_by_handle_at
-        {"open_by_handle_at", __NR_open_by_handle_at},
-#endif
-#endif
-#ifdef SYS_openat
-#ifdef __NR_openat
-        {"openat", __NR_openat},
-#endif
-#endif
-#ifdef SYS_pause
-#ifdef __NR_pause
-        {"pause", __NR_pause},
-#endif
-#endif
-#ifdef SYS_perf_event_open
-#ifdef __NR_perf_event_open
-        {"perf_event_open", __NR_perf_event_open},
-#endif
-#endif
-#ifdef SYS_personality
-#ifdef __NR_personality
-        {"personality", __NR_personality},
-#endif
-#endif
-#ifdef SYS_pipe
-#ifdef __NR_pipe
-        {"pipe", __NR_pipe},
-#endif
-#endif
-#ifdef SYS_pipe2
-#ifdef __NR_pipe2
-        {"pipe2", __NR_pipe2},
-#endif
-#endif
-#ifdef SYS_pivot_root
-#ifdef __NR_pivot_root
-        {"pivot_root", __NR_pivot_root},
-#endif
-#endif
-#ifdef SYS_pkey_alloc
-#ifdef __NR_pkey_alloc
-        {"pkey_alloc", __NR_pkey_alloc},
-#endif
-#endif
-#ifdef SYS_pkey_free
-#ifdef __NR_pkey_free
-        {"pkey_free", __NR_pkey_free},
-#endif
-#endif
-#ifdef SYS_pkey_mprotect
-#ifdef __NR_pkey_mprotect
-        {"pkey_mprotect", __NR_pkey_mprotect},
-#endif
-#endif
-#ifdef SYS_poll
-#ifdef __NR_poll
-        {"poll", __NR_poll},
-#endif
-#endif
-#ifdef SYS_ppoll
-#ifdef __NR_ppoll
-        {"ppoll", __NR_ppoll},
-#endif
-#endif
-#ifdef SYS_prctl
-#ifdef __NR_prctl
-        {"prctl", __NR_prctl},
-#endif
-#endif
-#ifdef SYS_pread64
-#ifdef __NR_pread64
-        {"pread64", __NR_pread64},
-#endif
-#endif
-#ifdef SYS_preadv
-#ifdef __NR_preadv
-        {"preadv", __NR_preadv},
-#endif
-#endif
-#ifdef SYS_preadv2
-#ifdef __NR_preadv2
-        {"preadv2", __NR_preadv2},
-#endif
-#endif
-#ifdef SYS_prlimit64
-#ifdef __NR_prlimit64
-        {"prlimit64", __NR_prlimit64},
-#endif
-#endif
-#ifdef SYS_process_vm_readv
-#ifdef __NR_process_vm_readv
-        {"process_vm_readv", __NR_process_vm_readv},
-#endif
-#endif
-#ifdef SYS_process_vm_writev
-#ifdef __NR_process_vm_writev
-        {"process_vm_writev", __NR_process_vm_writev},
-#endif
-#endif
-#ifdef SYS_pselect6
-#ifdef __NR_pselect6
-        {"pselect6", __NR_pselect6},
-#endif
-#endif
-#ifdef SYS_ptrace
-#ifdef __NR_ptrace
-        {"ptrace", __NR_ptrace},
-#endif
-#endif
-#ifdef SYS_putpmsg
-#ifdef __NR_putpmsg
-        {"putpmsg", __NR_putpmsg},
-#endif
-#endif
-#ifdef SYS_pwrite64
-#ifdef __NR_pwrite64
-        {"pwrite64", __NR_pwrite64},
-#endif
-#endif
-#ifdef SYS_pwritev
-#ifdef __NR_pwritev
-        {"pwritev", __NR_pwritev},
-#endif
-#endif
-#ifdef SYS_pwritev2
-#ifdef __NR_pwritev2
-        {"pwritev2", __NR_pwritev2},
-#endif
-#endif
-#ifdef SYS_query_module
-#ifdef __NR_query_module
-        {"query_module", __NR_query_module},
-#endif
-#endif
-#ifdef SYS_quotactl
-#ifdef __NR_quotactl
-        {"quotactl", __NR_quotactl},
-#endif
-#endif
-#ifdef SYS_read
-#ifdef __NR_read
-        {"read", __NR_read},
-#endif
-#endif
-#ifdef SYS_readahead
-#ifdef __NR_readahead
-        {"readahead", __NR_readahead},
-#endif
-#endif
-#ifdef SYS_readlink
-#ifdef __NR_readlink
-        {"readlink", __NR_readlink},
-#endif
-#endif
-#ifdef SYS_readlinkat
-#ifdef __NR_readlinkat
-        {"readlinkat", __NR_readlinkat},
-#endif
-#endif
-#ifdef SYS_readv
-#ifdef __NR_readv
-        {"readv", __NR_readv},
-#endif
-#endif
-#ifdef SYS_reboot
-#ifdef __NR_reboot
-        {"reboot", __NR_reboot},
-#endif
-#endif
-#ifdef SYS_recvfrom
-#ifdef __NR_recvfrom
-        {"recvfrom", __NR_recvfrom},
-#endif
-#endif
-#ifdef SYS_recvmmsg
-#ifdef __NR_recvmmsg
-        {"recvmmsg", __NR_recvmmsg},
-#endif
-#endif
-#ifdef SYS_recvmsg
-#ifdef __NR_recvmsg
-        {"recvmsg", __NR_recvmsg},
-#endif
-#endif
-#ifdef SYS_remap_file_pages
-#ifdef __NR_remap_file_pages
-        {"remap_file_pages", __NR_remap_file_pages},
-#endif
-#endif
-#ifdef SYS_removexattr
-#ifdef __NR_removexattr
-        {"removexattr", __NR_removexattr},
-#endif
-#endif
-#ifdef SYS_rename
-#ifdef __NR_rename
-        {"rename", __NR_rename},
-#endif
-#endif
-#ifdef SYS_renameat
-#ifdef __NR_renameat
-        {"renameat", __NR_renameat},
-#endif
-#endif
-#ifdef SYS_renameat2
-#ifdef __NR_renameat2
-        {"renameat2", __NR_renameat2},
-#endif
-#endif
-#ifdef SYS_request_key
-#ifdef __NR_request_key
-        {"request_key", __NR_request_key},
-#endif
-#endif
-#ifdef SYS_restart_syscall
-#ifdef __NR_restart_syscall
-        {"restart_syscall", __NR_restart_syscall},
-#endif
-#endif
-#ifdef SYS_rmdir
-#ifdef __NR_rmdir
-        {"rmdir", __NR_rmdir},
-#endif
-#endif
-#ifdef SYS_rt_sigaction
-#ifdef __NR_rt_sigaction
-        {"rt_sigaction", __NR_rt_sigaction},
-#endif
-#endif
-#ifdef SYS_rt_sigpending
-#ifdef __NR_rt_sigpending
-        {"rt_sigpending", __NR_rt_sigpending},
-#endif
-#endif
-#ifdef SYS_rt_sigprocmask
-#ifdef __NR_rt_sigprocmask
-        {"rt_sigprocmask", __NR_rt_sigprocmask},
-#endif
-#endif
-#ifdef SYS_rt_sigqueueinfo
-#ifdef __NR_rt_sigqueueinfo
-        {"rt_sigqueueinfo", __NR_rt_sigqueueinfo},
-#endif
-#endif
-#ifdef SYS_rt_sigreturn
-#ifdef __NR_rt_sigreturn
-        {"rt_sigreturn", __NR_rt_sigreturn},
-#endif
-#endif
-#ifdef SYS_rt_sigsuspend
-#ifdef __NR_rt_sigsuspend
-        {"rt_sigsuspend", __NR_rt_sigsuspend},
-#endif
-#endif
-#ifdef SYS_rt_sigtimedwait
-#ifdef __NR_rt_sigtimedwait
-        {"rt_sigtimedwait", __NR_rt_sigtimedwait},
-#endif
-#endif
-#ifdef SYS_rt_tgsigqueueinfo
-#ifdef __NR_rt_tgsigqueueinfo
-        {"rt_tgsigqueueinfo", __NR_rt_tgsigqueueinfo},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_max
-#ifdef __NR_sched_get_priority_max
-        {"sched_get_priority_max", __NR_sched_get_priority_max},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_min
-#ifdef __NR_sched_get_priority_min
-        {"sched_get_priority_min", __NR_sched_get_priority_min},
-#endif
-#endif
-#ifdef SYS_sched_getaffinity
-#ifdef __NR_sched_getaffinity
-        {"sched_getaffinity", __NR_sched_getaffinity},
-#endif
-#endif
-#ifdef SYS_sched_getattr
-#ifdef __NR_sched_getattr
-        {"sched_getattr", __NR_sched_getattr},
-#endif
-#endif
-#ifdef SYS_sched_getparam
-#ifdef __NR_sched_getparam
-        {"sched_getparam", __NR_sched_getparam},
-#endif
-#endif
-#ifdef SYS_sched_getscheduler
-#ifdef __NR_sched_getscheduler
-        {"sched_getscheduler", __NR_sched_getscheduler},
-#endif
-#endif
-#ifdef SYS_sched_rr_get_interval
-#ifdef __NR_sched_rr_get_interval
-        {"sched_rr_get_interval", __NR_sched_rr_get_interval},
-#endif
-#endif
-#ifdef SYS_sched_setaffinity
-#ifdef __NR_sched_setaffinity
-        {"sched_setaffinity", __NR_sched_setaffinity},
-#endif
-#endif
-#ifdef SYS_sched_setattr
-#ifdef __NR_sched_setattr
-        {"sched_setattr", __NR_sched_setattr},
-#endif
-#endif
-#ifdef SYS_sched_setparam
-#ifdef __NR_sched_setparam
-        {"sched_setparam", __NR_sched_setparam},
-#endif
-#endif
-#ifdef SYS_sched_setscheduler
-#ifdef __NR_sched_setscheduler
-        {"sched_setscheduler", __NR_sched_setscheduler},
-#endif
-#endif
-#ifdef SYS_sched_yield
-#ifdef __NR_sched_yield
-        {"sched_yield", __NR_sched_yield},
-#endif
-#endif
-#ifdef SYS_seccomp
-#ifdef __NR_seccomp
-        {"seccomp", __NR_seccomp},
-#endif
-#endif
-#ifdef SYS_security
-#ifdef __NR_security
-        {"security", __NR_security},
-#endif
-#endif
-#ifdef SYS_select
-#ifdef __NR_select
-        {"select", __NR_select},
-#endif
-#endif
-#ifdef SYS_semctl
-#ifdef __NR_semctl
-        {"semctl", __NR_semctl},
-#endif
-#endif
-#ifdef SYS_semget
-#ifdef __NR_semget
-        {"semget", __NR_semget},
-#endif
-#endif
-#ifdef SYS_semop
-#ifdef __NR_semop
-        {"semop", __NR_semop},
-#endif
-#endif
-#ifdef SYS_semtimedop
-#ifdef __NR_semtimedop
-        {"semtimedop", __NR_semtimedop},
-#endif
-#endif
-#ifdef SYS_sendfile
-#ifdef __NR_sendfile
-        {"sendfile", __NR_sendfile},
-#endif
-#endif
-#ifdef SYS_sendmmsg
-#ifdef __NR_sendmmsg
-        {"sendmmsg", __NR_sendmmsg},
-#endif
-#endif
-#ifdef SYS_sendmsg
-#ifdef __NR_sendmsg
-        {"sendmsg", __NR_sendmsg},
-#endif
-#endif
-#ifdef SYS_sendto
-#ifdef __NR_sendto
-        {"sendto", __NR_sendto},
-#endif
-#endif
-#ifdef SYS_set_mempolicy
-#ifdef __NR_set_mempolicy
-        {"set_mempolicy", __NR_set_mempolicy},
-#endif
-#endif
-#ifdef SYS_set_robust_list
-#ifdef __NR_set_robust_list
-        {"set_robust_list", __NR_set_robust_list},
-#endif
-#endif
-#ifdef SYS_set_thread_area
-#ifdef __NR_set_thread_area
-        {"set_thread_area", __NR_set_thread_area},
-#endif
-#endif
-#ifdef SYS_set_tid_address
-#ifdef __NR_set_tid_address
-        {"set_tid_address", __NR_set_tid_address},
-#endif
-#endif
-#ifdef SYS_setdomainname
-#ifdef __NR_setdomainname
-        {"setdomainname", __NR_setdomainname},
-#endif
-#endif
-#ifdef SYS_setfsgid
-#ifdef __NR_setfsgid
-        {"setfsgid", __NR_setfsgid},
-#endif
-#endif
-#ifdef SYS_setfsuid
-#ifdef __NR_setfsuid
-        {"setfsuid", __NR_setfsuid},
-#endif
-#endif
-#ifdef SYS_setgid
-#ifdef __NR_setgid
-        {"setgid", __NR_setgid},
-#endif
-#endif
-#ifdef SYS_setgroups
-#ifdef __NR_setgroups
-        {"setgroups", __NR_setgroups},
-#endif
-#endif
-#ifdef SYS_sethostname
-#ifdef __NR_sethostname
-        {"sethostname", __NR_sethostname},
-#endif
-#endif
-#ifdef SYS_setitimer
-#ifdef __NR_setitimer
-        {"setitimer", __NR_setitimer},
-#endif
-#endif
-#ifdef SYS_setns
-#ifdef __NR_setns
-        {"setns", __NR_setns},
-#endif
-#endif
-#ifdef SYS_setpgid
-#ifdef __NR_setpgid
-        {"setpgid", __NR_setpgid},
-#endif
-#endif
-#ifdef SYS_setpriority
-#ifdef __NR_setpriority
-        {"setpriority", __NR_setpriority},
-#endif
-#endif
-#ifdef SYS_setregid
-#ifdef __NR_setregid
-        {"setregid", __NR_setregid},
-#endif
-#endif
-#ifdef SYS_setresgid
-#ifdef __NR_setresgid
-        {"setresgid", __NR_setresgid},
-#endif
-#endif
-#ifdef SYS_setresuid
-#ifdef __NR_setresuid
-        {"setresuid", __NR_setresuid},
-#endif
-#endif
-#ifdef SYS_setreuid
-#ifdef __NR_setreuid
-        {"setreuid", __NR_setreuid},
-#endif
-#endif
-#ifdef SYS_setrlimit
-#ifdef __NR_setrlimit
-        {"setrlimit", __NR_setrlimit},
-#endif
-#endif
-#ifdef SYS_setsid
-#ifdef __NR_setsid
-        {"setsid", __NR_setsid},
-#endif
-#endif
-#ifdef SYS_setsockopt
-#ifdef __NR_setsockopt
-        {"setsockopt", __NR_setsockopt},
-#endif
-#endif
-#ifdef SYS_settimeofday
-#ifdef __NR_settimeofday
-        {"settimeofday", __NR_settimeofday},
-#endif
-#endif
-#ifdef SYS_setuid
-#ifdef __NR_setuid
-        {"setuid", __NR_setuid},
-#endif
-#endif
-#ifdef SYS_setxattr
-#ifdef __NR_setxattr
-        {"setxattr", __NR_setxattr},
-#endif
-#endif
-#ifdef SYS_shmat
-#ifdef __NR_shmat
-        {"shmat", __NR_shmat},
-#endif
-#endif
-#ifdef SYS_shmctl
-#ifdef __NR_shmctl
-        {"shmctl", __NR_shmctl},
-#endif
-#endif
-#ifdef SYS_shmdt
-#ifdef __NR_shmdt
-        {"shmdt", __NR_shmdt},
-#endif
-#endif
-#ifdef SYS_shmget
-#ifdef __NR_shmget
-        {"shmget", __NR_shmget},
-#endif
-#endif
-#ifdef SYS_shutdown
-#ifdef __NR_shutdown
-        {"shutdown", __NR_shutdown},
-#endif
-#endif
-#ifdef SYS_sigaltstack
-#ifdef __NR_sigaltstack
-        {"sigaltstack", __NR_sigaltstack},
-#endif
-#endif
-#ifdef SYS_signalfd
-#ifdef __NR_signalfd
-        {"signalfd", __NR_signalfd},
-#endif
-#endif
-#ifdef SYS_signalfd4
-#ifdef __NR_signalfd4
-        {"signalfd4", __NR_signalfd4},
-#endif
-#endif
-#ifdef SYS_socket
-#ifdef __NR_socket
-        {"socket", __NR_socket},
-#endif
-#endif
-#ifdef SYS_socketpair
-#ifdef __NR_socketpair
-        {"socketpair", __NR_socketpair},
-#endif
-#endif
-#ifdef SYS_splice
-#ifdef __NR_splice
-        {"splice", __NR_splice},
-#endif
-#endif
-#ifdef SYS_stat
-#ifdef __NR_stat
-        {"stat", __NR_stat},
-#endif
-#endif
-#ifdef SYS_statfs
-#ifdef __NR_statfs
-        {"statfs", __NR_statfs},
-#endif
-#endif
-#ifdef SYS_statx
-#ifdef __NR_statx
-        {"statx", __NR_statx},
-#endif
-#endif
-#ifdef SYS_swapoff
-#ifdef __NR_swapoff
-        {"swapoff", __NR_swapoff},
-#endif
-#endif
-#ifdef SYS_swapon
-#ifdef __NR_swapon
-        {"swapon", __NR_swapon},
-#endif
-#endif
-#ifdef SYS_symlink
-#ifdef __NR_symlink
-        {"symlink", __NR_symlink},
-#endif
-#endif
-#ifdef SYS_symlinkat
-#ifdef __NR_symlinkat
-        {"symlinkat", __NR_symlinkat},
-#endif
-#endif
-#ifdef SYS_sync
-#ifdef __NR_sync
-        {"sync", __NR_sync},
-#endif
-#endif
-#ifdef SYS_sync_file_range
-#ifdef __NR_sync_file_range
-        {"sync_file_range", __NR_sync_file_range},
-#endif
-#endif
-#ifdef SYS_syncfs
-#ifdef __NR_syncfs
-        {"syncfs", __NR_syncfs},
-#endif
-#endif
-#ifdef SYS_sysfs
-#ifdef __NR_sysfs
-        {"sysfs", __NR_sysfs},
-#endif
-#endif
-#ifdef SYS_sysinfo
-#ifdef __NR_sysinfo
-        {"sysinfo", __NR_sysinfo},
-#endif
-#endif
-#ifdef SYS_syslog
-#ifdef __NR_syslog
-        {"syslog", __NR_syslog},
-#endif
-#endif
-#ifdef SYS_tee
-#ifdef __NR_tee
-        {"tee", __NR_tee},
-#endif
-#endif
-#ifdef SYS_tgkill
-#ifdef __NR_tgkill
-        {"tgkill", __NR_tgkill},
-#endif
-#endif
-#ifdef SYS_time
-#ifdef __NR_time
-        {"time", __NR_time},
-#endif
-#endif
-#ifdef SYS_timer_create
-#ifdef __NR_timer_create
-        {"timer_create", __NR_timer_create},
-#endif
-#endif
-#ifdef SYS_timer_delete
-#ifdef __NR_timer_delete
-        {"timer_delete", __NR_timer_delete},
-#endif
-#endif
-#ifdef SYS_timer_getoverrun
-#ifdef __NR_timer_getoverrun
-        {"timer_getoverrun", __NR_timer_getoverrun},
-#endif
-#endif
-#ifdef SYS_timer_gettime
-#ifdef __NR_timer_gettime
-        {"timer_gettime", __NR_timer_gettime},
-#endif
-#endif
-#ifdef SYS_timer_settime
-#ifdef __NR_timer_settime
-        {"timer_settime", __NR_timer_settime},
-#endif
-#endif
-#ifdef SYS_timerfd_create
-#ifdef __NR_timerfd_create
-        {"timerfd_create", __NR_timerfd_create},
-#endif
-#endif
-#ifdef SYS_timerfd_gettime
-#ifdef __NR_timerfd_gettime
-        {"timerfd_gettime", __NR_timerfd_gettime},
-#endif
-#endif
-#ifdef SYS_timerfd_settime
-#ifdef __NR_timerfd_settime
-        {"timerfd_settime", __NR_timerfd_settime},
-#endif
-#endif
-#ifdef SYS_times
-#ifdef __NR_times
-        {"times", __NR_times},
-#endif
-#endif
-#ifdef SYS_tkill
-#ifdef __NR_tkill
-        {"tkill", __NR_tkill},
-#endif
-#endif
-#ifdef SYS_truncate
-#ifdef __NR_truncate
-        {"truncate", __NR_truncate},
-#endif
-#endif
-#ifdef SYS_tuxcall
-#ifdef __NR_tuxcall
-        {"tuxcall", __NR_tuxcall},
-#endif
-#endif
-#ifdef SYS_umask
-#ifdef __NR_umask
-        {"umask", __NR_umask},
-#endif
-#endif
-#ifdef SYS_umount2
-#ifdef __NR_umount2
-        {"umount2", __NR_umount2},
-#endif
-#endif
-#ifdef SYS_uname
-#ifdef __NR_uname
-        {"uname", __NR_uname},
-#endif
-#endif
-#ifdef SYS_unlink
-#ifdef __NR_unlink
-        {"unlink", __NR_unlink},
-#endif
-#endif
-#ifdef SYS_unlinkat
-#ifdef __NR_unlinkat
-        {"unlinkat", __NR_unlinkat},
-#endif
-#endif
-#ifdef SYS_unshare
-#ifdef __NR_unshare
-        {"unshare", __NR_unshare},
-#endif
-#endif
-#ifdef SYS_uselib
-#ifdef __NR_uselib
-        {"uselib", __NR_uselib},
-#endif
-#endif
-#ifdef SYS_userfaultfd
-#ifdef __NR_userfaultfd
-        {"userfaultfd", __NR_userfaultfd},
-#endif
-#endif
-#ifdef SYS_ustat
-#ifdef __NR_ustat
-        {"ustat", __NR_ustat},
-#endif
-#endif
-#ifdef SYS_utime
-#ifdef __NR_utime
-        {"utime", __NR_utime},
-#endif
-#endif
-#ifdef SYS_utimensat
-#ifdef __NR_utimensat
-        {"utimensat", __NR_utimensat},
-#endif
-#endif
-#ifdef SYS_utimes
-#ifdef __NR_utimes
-        {"utimes", __NR_utimes},
-#endif
-#endif
-#ifdef SYS_vfork
-#ifdef __NR_vfork
-        {"vfork", __NR_vfork},
-#endif
-#endif
-#ifdef SYS_vhangup
-#ifdef __NR_vhangup
-        {"vhangup", __NR_vhangup},
-#endif
-#endif
-#ifdef SYS_vmsplice
-#ifdef __NR_vmsplice
-        {"vmsplice", __NR_vmsplice},
-#endif
-#endif
-#ifdef SYS_vserver
-#ifdef __NR_vserver
-        {"vserver", __NR_vserver},
-#endif
-#endif
-#ifdef SYS_wait4
-#ifdef __NR_wait4
-        {"wait4", __NR_wait4},
-#endif
-#endif
-#ifdef SYS_waitid
-#ifdef __NR_waitid
-        {"waitid", __NR_waitid},
-#endif
-#endif
-#ifdef SYS_write
-#ifdef __NR_write
-        {"write", __NR_write},
-#endif
-#endif
-#ifdef SYS_writev
-#ifdef __NR_writev
-        {"writev", __NR_writev},
-#endif
-#endif
-#endif
-//#endif
-#if defined __x86_64__ && defined __ILP32__
-#ifdef SYS_accept
-#ifdef __NR_accept
-        {"accept", __NR_accept},
-#endif
-#endif
-#ifdef SYS_accept4
-#ifdef __NR_accept4
-        {"accept4", __NR_accept4},
-#endif
-#endif
-#ifdef SYS_access
-#ifdef __NR_access
-        {"access", __NR_access},
-#endif
-#endif
-#ifdef SYS_acct
-#ifdef __NR_acct
-        {"acct", __NR_acct},
-#endif
-#endif
-#ifdef SYS_add_key
-#ifdef __NR_add_key
-        {"add_key", __NR_add_key},
-#endif
-#endif
-#ifdef SYS_adjtimex
-#ifdef __NR_adjtimex
-        {"adjtimex", __NR_adjtimex},
-#endif
-#endif
-#ifdef SYS_afs_syscall
-#ifdef __NR_afs_syscall
-        {"afs_syscall", __NR_afs_syscall},
-#endif
-#endif
-#ifdef SYS_alarm
-#ifdef __NR_alarm
-        {"alarm", __NR_alarm},
-#endif
-#endif
-#ifdef SYS_arch_prctl
-#ifdef __NR_arch_prctl
-        {"arch_prctl", __NR_arch_prctl},
-#endif
-#endif
-#ifdef SYS_bind
-#ifdef __NR_bind
-        {"bind", __NR_bind},
-#endif
-#endif
-#ifdef SYS_bpf
-#ifdef __NR_bpf
-        {"bpf", __NR_bpf},
-#endif
-#endif
-#ifdef SYS_brk
-#ifdef __NR_brk
-        {"brk", __NR_brk},
-#endif
-#endif
-#ifdef SYS_capget
-#ifdef __NR_capget
-        {"capget", __NR_capget},
-#endif
-#endif
-#ifdef SYS_capset
-#ifdef __NR_capset
-        {"capset", __NR_capset},
-#endif
-#endif
-#ifdef SYS_chdir
-#ifdef __NR_chdir
-        {"chdir", __NR_chdir},
-#endif
-#endif
-#ifdef SYS_chmod
-#ifdef __NR_chmod
-        {"chmod", __NR_chmod},
-#endif
-#endif
-#ifdef SYS_chown
-#ifdef __NR_chown
-        {"chown", __NR_chown},
-#endif
-#endif
-#ifdef SYS_chroot
-#ifdef __NR_chroot
-        {"chroot", __NR_chroot},
-#endif
-#endif
-#ifdef SYS_clock_adjtime
-#ifdef __NR_clock_adjtime
-        {"clock_adjtime", __NR_clock_adjtime},
-#endif
-#endif
-#ifdef SYS_clock_getres
-#ifdef __NR_clock_getres
-        {"clock_getres", __NR_clock_getres},
-#endif
-#endif
-#ifdef SYS_clock_gettime
-#ifdef __NR_clock_gettime
-        {"clock_gettime", __NR_clock_gettime},
-#endif
-#endif
-#ifdef SYS_clock_nanosleep
-#ifdef __NR_clock_nanosleep
-        {"clock_nanosleep", __NR_clock_nanosleep},
-#endif
-#endif
-#ifdef SYS_clock_settime
-#ifdef __NR_clock_settime
-        {"clock_settime", __NR_clock_settime},
-#endif
-#endif
-#ifdef SYS_clone
-#ifdef __NR_clone
-        {"clone", __NR_clone},
-#endif
-#endif
-#ifdef SYS_close
-#ifdef __NR_close
-        {"close", __NR_close},
-#endif
-#endif
-#ifdef SYS_connect
-#ifdef __NR_connect
-        {"connect", __NR_connect},
-#endif
-#endif
-#ifdef SYS_copy_file_range
-#ifdef __NR_copy_file_range
-        {"copy_file_range", __NR_copy_file_range},
-#endif
-#endif
-#ifdef SYS_creat
-#ifdef __NR_creat
-        {"creat", __NR_creat},
-#endif
-#endif
-#ifdef SYS_delete_module
-#ifdef __NR_delete_module
-        {"delete_module", __NR_delete_module},
-#endif
-#endif
-#ifdef SYS_dup
-#ifdef __NR_dup
-        {"dup", __NR_dup},
-#endif
-#endif
-#ifdef SYS_dup2
-#ifdef __NR_dup2
-        {"dup2", __NR_dup2},
-#endif
-#endif
-#ifdef SYS_dup3
-#ifdef __NR_dup3
-        {"dup3", __NR_dup3},
-#endif
-#endif
-#ifdef SYS_epoll_create
-#ifdef __NR_epoll_create
-        {"epoll_create", __NR_epoll_create},
-#endif
-#endif
-#ifdef SYS_epoll_create1
-#ifdef __NR_epoll_create1
-        {"epoll_create1", __NR_epoll_create1},
-#endif
-#endif
-#ifdef SYS_epoll_ctl
-#ifdef __NR_epoll_ctl
-        {"epoll_ctl", __NR_epoll_ctl},
-#endif
-#endif
-#ifdef SYS_epoll_pwait
-#ifdef __NR_epoll_pwait
-        {"epoll_pwait", __NR_epoll_pwait},
-#endif
-#endif
-#ifdef SYS_epoll_wait
-#ifdef __NR_epoll_wait
-        {"epoll_wait", __NR_epoll_wait},
-#endif
-#endif
-#ifdef SYS_eventfd
-#ifdef __NR_eventfd
-        {"eventfd", __NR_eventfd},
-#endif
-#endif
-#ifdef SYS_eventfd2
-#ifdef __NR_eventfd2
-        {"eventfd2", __NR_eventfd2},
-#endif
-#endif
-#ifdef SYS_execve
-#ifdef __NR_execve
-        {"execve", __NR_execve},
-#endif
-#endif
-#ifdef SYS_execveat
-#ifdef __NR_execveat
-        {"execveat", __NR_execveat},
-#endif
-#endif
-#ifdef SYS_exit
-#ifdef __NR_exit
-        {"exit", __NR_exit},
-#endif
-#endif
-#ifdef SYS_exit_group
-#ifdef __NR_exit_group
-        {"exit_group", __NR_exit_group},
-#endif
-#endif
-#ifdef SYS_faccessat
-#ifdef __NR_faccessat
-        {"faccessat", __NR_faccessat},
-#endif
-#endif
-#ifdef SYS_fadvise64
-#ifdef __NR_fadvise64
-        {"fadvise64", __NR_fadvise64},
-#endif
-#endif
-#ifdef SYS_fallocate
-#ifdef __NR_fallocate
-        {"fallocate", __NR_fallocate},
-#endif
-#endif
-#ifdef SYS_fanotify_init
-#ifdef __NR_fanotify_init
-        {"fanotify_init", __NR_fanotify_init},
-#endif
-#endif
-#ifdef SYS_fanotify_mark
-#ifdef __NR_fanotify_mark
-        {"fanotify_mark", __NR_fanotify_mark},
-#endif
-#endif
-#ifdef SYS_fchdir
-#ifdef __NR_fchdir
-        {"fchdir", __NR_fchdir},
-#endif
-#endif
-#ifdef SYS_fchmod
-#ifdef __NR_fchmod
-        {"fchmod", __NR_fchmod},
-#endif
-#endif
-#ifdef SYS_fchmodat
-#ifdef __NR_fchmodat
-        {"fchmodat", __NR_fchmodat},
-#endif
-#endif
-#ifdef SYS_fchown
-#ifdef __NR_fchown
-        {"fchown", __NR_fchown},
-#endif
-#endif
-#ifdef SYS_fchownat
-#ifdef __NR_fchownat
-        {"fchownat", __NR_fchownat},
-#endif
-#endif
-#ifdef SYS_fcntl
-#ifdef __NR_fcntl
-        {"fcntl", __NR_fcntl},
-#endif
-#endif
-#ifdef SYS_fdatasync
-#ifdef __NR_fdatasync
-        {"fdatasync", __NR_fdatasync},
-#endif
-#endif
-#ifdef SYS_fgetxattr
-#ifdef __NR_fgetxattr
-        {"fgetxattr", __NR_fgetxattr},
-#endif
-#endif
-#ifdef SYS_finit_module
-#ifdef __NR_finit_module
-        {"finit_module", __NR_finit_module},
-#endif
-#endif
-#ifdef SYS_flistxattr
-#ifdef __NR_flistxattr
-        {"flistxattr", __NR_flistxattr},
-#endif
-#endif
-#ifdef SYS_flock
-#ifdef __NR_flock
-        {"flock", __NR_flock},
-#endif
-#endif
-#ifdef SYS_fork
-#ifdef __NR_fork
-        {"fork", __NR_fork},
-#endif
-#endif
-#ifdef SYS_fremovexattr
-#ifdef __NR_fremovexattr
-        {"fremovexattr", __NR_fremovexattr},
-#endif
-#endif
-#ifdef SYS_fsetxattr
-#ifdef __NR_fsetxattr
-        {"fsetxattr", __NR_fsetxattr},
-#endif
-#endif
-#ifdef SYS_fstat
-#ifdef __NR_fstat
-        {"fstat", __NR_fstat},
-#endif
-#endif
-#ifdef SYS_fstatfs
-#ifdef __NR_fstatfs
-        {"fstatfs", __NR_fstatfs},
-#endif
-#endif
-#ifdef SYS_fsync
-#ifdef __NR_fsync
-        {"fsync", __NR_fsync},
-#endif
-#endif
-#ifdef SYS_ftruncate
-#ifdef __NR_ftruncate
-        {"ftruncate", __NR_ftruncate},
-#endif
-#endif
-#ifdef SYS_futex
-#ifdef __NR_futex
-        {"futex", __NR_futex},
-#endif
-#endif
-#ifdef SYS_futimesat
-#ifdef __NR_futimesat
-        {"futimesat", __NR_futimesat},
-#endif
-#endif
-#ifdef SYS_get_mempolicy
-#ifdef __NR_get_mempolicy
-        {"get_mempolicy", __NR_get_mempolicy},
-#endif
-#endif
-#ifdef SYS_get_robust_list
-#ifdef __NR_get_robust_list
-        {"get_robust_list", __NR_get_robust_list},
-#endif
-#endif
-#ifdef SYS_getcpu
-#ifdef __NR_getcpu
-        {"getcpu", __NR_getcpu},
-#endif
-#endif
-#ifdef SYS_getcwd
-#ifdef __NR_getcwd
-        {"getcwd", __NR_getcwd},
-#endif
-#endif
-#ifdef SYS_getdents
-#ifdef __NR_getdents
-        {"getdents", __NR_getdents},
-#endif
-#endif
-#ifdef SYS_getdents64
-#ifdef __NR_getdents64
-        {"getdents64", __NR_getdents64},
-#endif
-#endif
-#ifdef SYS_getegid
-#ifdef __NR_getegid
-        {"getegid", __NR_getegid},
-#endif
-#endif
-#ifdef SYS_geteuid
-#ifdef __NR_geteuid
-        {"geteuid", __NR_geteuid},
-#endif
-#endif
-#ifdef SYS_getgid
-#ifdef __NR_getgid
-        {"getgid", __NR_getgid},
-#endif
-#endif
-#ifdef SYS_getgroups
-#ifdef __NR_getgroups
-        {"getgroups", __NR_getgroups},
-#endif
-#endif
-#ifdef SYS_getitimer
-#ifdef __NR_getitimer
-        {"getitimer", __NR_getitimer},
-#endif
-#endif
-#ifdef SYS_getpeername
-#ifdef __NR_getpeername
-        {"getpeername", __NR_getpeername},
-#endif
-#endif
-#ifdef SYS_getpgid
-#ifdef __NR_getpgid
-        {"getpgid", __NR_getpgid},
-#endif
-#endif
-#ifdef SYS_getpgrp
-#ifdef __NR_getpgrp
-        {"getpgrp", __NR_getpgrp},
-#endif
-#endif
-#ifdef SYS_getpid
-#ifdef __NR_getpid
-        {"getpid", __NR_getpid},
-#endif
-#endif
-#ifdef SYS_getpmsg
-#ifdef __NR_getpmsg
-        {"getpmsg", __NR_getpmsg},
-#endif
-#endif
-#ifdef SYS_getppid
-#ifdef __NR_getppid
-        {"getppid", __NR_getppid},
-#endif
-#endif
-#ifdef SYS_getpriority
-#ifdef __NR_getpriority
-        {"getpriority", __NR_getpriority},
-#endif
-#endif
-#ifdef SYS_getrandom
-#ifdef __NR_getrandom
-        {"getrandom", __NR_getrandom},
-#endif
-#endif
-#ifdef SYS_getresgid
-#ifdef __NR_getresgid
-        {"getresgid", __NR_getresgid},
-#endif
-#endif
-#ifdef SYS_getresuid
-#ifdef __NR_getresuid
-        {"getresuid", __NR_getresuid},
-#endif
-#endif
-#ifdef SYS_getrlimit
-#ifdef __NR_getrlimit
-        {"getrlimit", __NR_getrlimit},
-#endif
-#endif
-#ifdef SYS_getrusage
-#ifdef __NR_getrusage
-        {"getrusage", __NR_getrusage},
-#endif
-#endif
-#ifdef SYS_getsid
-#ifdef __NR_getsid
-        {"getsid", __NR_getsid},
-#endif
-#endif
-#ifdef SYS_getsockname
-#ifdef __NR_getsockname
-        {"getsockname", __NR_getsockname},
-#endif
-#endif
-#ifdef SYS_getsockopt
-#ifdef __NR_getsockopt
-        {"getsockopt", __NR_getsockopt},
-#endif
-#endif
-#ifdef SYS_gettid
-#ifdef __NR_gettid
-        {"gettid", __NR_gettid},
-#endif
-#endif
-#ifdef SYS_gettimeofday
-#ifdef __NR_gettimeofday
-        {"gettimeofday", __NR_gettimeofday},
-#endif
-#endif
-#ifdef SYS_getuid
-#ifdef __NR_getuid
-        {"getuid", __NR_getuid},
-#endif
-#endif
-#ifdef SYS_getxattr
-#ifdef __NR_getxattr
-        {"getxattr", __NR_getxattr},
-#endif
-#endif
-#ifdef SYS_init_module
-#ifdef __NR_init_module
-        {"init_module", __NR_init_module},
-#endif
-#endif
-#ifdef SYS_inotify_add_watch
-#ifdef __NR_inotify_add_watch
-        {"inotify_add_watch", __NR_inotify_add_watch},
-#endif
-#endif
-#ifdef SYS_inotify_init
-#ifdef __NR_inotify_init
-        {"inotify_init", __NR_inotify_init},
-#endif
-#endif
-#ifdef SYS_inotify_init1
-#ifdef __NR_inotify_init1
-        {"inotify_init1", __NR_inotify_init1},
-#endif
-#endif
-#ifdef SYS_inotify_rm_watch
-#ifdef __NR_inotify_rm_watch
-        {"inotify_rm_watch", __NR_inotify_rm_watch},
-#endif
-#endif
-#ifdef SYS_io_cancel
-#ifdef __NR_io_cancel
-        {"io_cancel", __NR_io_cancel},
-#endif
-#endif
-#ifdef SYS_io_destroy
-#ifdef __NR_io_destroy
-        {"io_destroy", __NR_io_destroy},
-#endif
-#endif
-#ifdef SYS_io_getevents
-#ifdef __NR_io_getevents
-        {"io_getevents", __NR_io_getevents},
-#endif
-#endif
-#ifdef SYS_io_setup
-#ifdef __NR_io_setup
-        {"io_setup", __NR_io_setup},
-#endif
-#endif
-#ifdef SYS_io_submit
-#ifdef __NR_io_submit
-        {"io_submit", __NR_io_submit},
-#endif
-#endif
-#ifdef SYS_ioctl
-#ifdef __NR_ioctl
-        {"ioctl", __NR_ioctl},
-#endif
-#endif
-#ifdef SYS_ioperm
-#ifdef __NR_ioperm
-        {"ioperm", __NR_ioperm},
-#endif
-#endif
-#ifdef SYS_iopl
-#ifdef __NR_iopl
-        {"iopl", __NR_iopl},
-#endif
-#endif
-#ifdef SYS_ioprio_get
-#ifdef __NR_ioprio_get
-        {"ioprio_get", __NR_ioprio_get},
-#endif
-#endif
-#ifdef SYS_ioprio_set
-#ifdef __NR_ioprio_set
-        {"ioprio_set", __NR_ioprio_set},
-#endif
-#endif
-#ifdef SYS_kcmp
-#ifdef __NR_kcmp
-        {"kcmp", __NR_kcmp},
-#endif
-#endif
-#ifdef SYS_kexec_file_load
-#ifdef __NR_kexec_file_load
-        {"kexec_file_load", __NR_kexec_file_load},
-#endif
-#endif
-#ifdef SYS_kexec_load
-#ifdef __NR_kexec_load
-        {"kexec_load", __NR_kexec_load},
-#endif
-#endif
-#ifdef SYS_keyctl
-#ifdef __NR_keyctl
-        {"keyctl", __NR_keyctl},
-#endif
-#endif
-#ifdef SYS_kill
-#ifdef __NR_kill
-        {"kill", __NR_kill},
-#endif
-#endif
-#ifdef SYS_lchown
-#ifdef __NR_lchown
-        {"lchown", __NR_lchown},
-#endif
-#endif
-#ifdef SYS_lgetxattr
-#ifdef __NR_lgetxattr
-        {"lgetxattr", __NR_lgetxattr},
-#endif
-#endif
-#ifdef SYS_link
-#ifdef __NR_link
-        {"link", __NR_link},
-#endif
-#endif
-#ifdef SYS_linkat
-#ifdef __NR_linkat
-        {"linkat", __NR_linkat},
-#endif
-#endif
-#ifdef SYS_listen
-#ifdef __NR_listen
-        {"listen", __NR_listen},
-#endif
-#endif
-#ifdef SYS_listxattr
-#ifdef __NR_listxattr
-        {"listxattr", __NR_listxattr},
-#endif
-#endif
-#ifdef SYS_llistxattr
-#ifdef __NR_llistxattr
-        {"llistxattr", __NR_llistxattr},
-#endif
-#endif
-#ifdef SYS_lookup_dcookie
-#ifdef __NR_lookup_dcookie
-        {"lookup_dcookie", __NR_lookup_dcookie},
-#endif
-#endif
-#ifdef SYS_lremovexattr
-#ifdef __NR_lremovexattr
-        {"lremovexattr", __NR_lremovexattr},
-#endif
-#endif
-#ifdef SYS_lseek
-#ifdef __NR_lseek
-        {"lseek", __NR_lseek},
-#endif
-#endif
-#ifdef SYS_lsetxattr
-#ifdef __NR_lsetxattr
-        {"lsetxattr", __NR_lsetxattr},
-#endif
-#endif
-#ifdef SYS_lstat
-#ifdef __NR_lstat
-        {"lstat", __NR_lstat},
-#endif
-#endif
-#ifdef SYS_madvise
-#ifdef __NR_madvise
-        {"madvise", __NR_madvise},
-#endif
-#endif
-#ifdef SYS_mbind
-#ifdef __NR_mbind
-        {"mbind", __NR_mbind},
-#endif
-#endif
-#ifdef SYS_membarrier
-#ifdef __NR_membarrier
-        {"membarrier", __NR_membarrier},
-#endif
-#endif
-#ifdef SYS_memfd_create
-#ifdef __NR_memfd_create
-        {"memfd_create", __NR_memfd_create},
-#endif
-#endif
-#ifdef SYS_migrate_pages
-#ifdef __NR_migrate_pages
-        {"migrate_pages", __NR_migrate_pages},
-#endif
-#endif
-#ifdef SYS_mincore
-#ifdef __NR_mincore
-        {"mincore", __NR_mincore},
-#endif
-#endif
-#ifdef SYS_mkdir
-#ifdef __NR_mkdir
-        {"mkdir", __NR_mkdir},
-#endif
-#endif
-#ifdef SYS_mkdirat
-#ifdef __NR_mkdirat
-        {"mkdirat", __NR_mkdirat},
-#endif
-#endif
-#ifdef SYS_mknod
-#ifdef __NR_mknod
-        {"mknod", __NR_mknod},
-#endif
-#endif
-#ifdef SYS_mknodat
-#ifdef __NR_mknodat
-        {"mknodat", __NR_mknodat},
-#endif
-#endif
-#ifdef SYS_mlock
-#ifdef __NR_mlock
-        {"mlock", __NR_mlock},
-#endif
-#endif
-#ifdef SYS_mlock2
-#ifdef __NR_mlock2
-        {"mlock2", __NR_mlock2},
-#endif
-#endif
-#ifdef SYS_mlockall
-#ifdef __NR_mlockall
-        {"mlockall", __NR_mlockall},
-#endif
-#endif
-#ifdef SYS_mmap
-#ifdef __NR_mmap
-        {"mmap", __NR_mmap},
-#endif
-#endif
-#ifdef SYS_modify_ldt
-#ifdef __NR_modify_ldt
-        {"modify_ldt", __NR_modify_ldt},
-#endif
-#endif
-#ifdef SYS_mount
-#ifdef __NR_mount
-        {"mount", __NR_mount},
-#endif
-#endif
-#ifdef SYS_move_pages
-#ifdef __NR_move_pages
-        {"move_pages", __NR_move_pages},
-#endif
-#endif
-#ifdef SYS_mprotect
-#ifdef __NR_mprotect
-        {"mprotect", __NR_mprotect},
-#endif
-#endif
-#ifdef SYS_mq_getsetattr
-#ifdef __NR_mq_getsetattr
-        {"mq_getsetattr", __NR_mq_getsetattr},
-#endif
-#endif
-#ifdef SYS_mq_notify
-#ifdef __NR_mq_notify
-        {"mq_notify", __NR_mq_notify},
-#endif
-#endif
-#ifdef SYS_mq_open
-#ifdef __NR_mq_open
-        {"mq_open", __NR_mq_open},
-#endif
-#endif
-#ifdef SYS_mq_timedreceive
-#ifdef __NR_mq_timedreceive
-        {"mq_timedreceive", __NR_mq_timedreceive},
-#endif
-#endif
-#ifdef SYS_mq_timedsend
-#ifdef __NR_mq_timedsend
-        {"mq_timedsend", __NR_mq_timedsend},
-#endif
-#endif
-#ifdef SYS_mq_unlink
-#ifdef __NR_mq_unlink
-        {"mq_unlink", __NR_mq_unlink},
-#endif
-#endif
-#ifdef SYS_mremap
-#ifdef __NR_mremap
-        {"mremap", __NR_mremap},
-#endif
-#endif
-#ifdef SYS_msgctl
-#ifdef __NR_msgctl
-        {"msgctl", __NR_msgctl},
-#endif
-#endif
-#ifdef SYS_msgget
-#ifdef __NR_msgget
-        {"msgget", __NR_msgget},
-#endif
-#endif
-#ifdef SYS_msgrcv
-#ifdef __NR_msgrcv
-        {"msgrcv", __NR_msgrcv},
-#endif
-#endif
-#ifdef SYS_msgsnd
-#ifdef __NR_msgsnd
-        {"msgsnd", __NR_msgsnd},
-#endif
-#endif
-#ifdef SYS_msync
-#ifdef __NR_msync
-        {"msync", __NR_msync},
-#endif
-#endif
-#ifdef SYS_munlock
-#ifdef __NR_munlock
-        {"munlock", __NR_munlock},
-#endif
-#endif
-#ifdef SYS_munlockall
-#ifdef __NR_munlockall
-        {"munlockall", __NR_munlockall},
-#endif
-#endif
-#ifdef SYS_munmap
-#ifdef __NR_munmap
-        {"munmap", __NR_munmap},
-#endif
-#endif
-#ifdef SYS_name_to_handle_at
-#ifdef __NR_name_to_handle_at
-        {"name_to_handle_at", __NR_name_to_handle_at},
-#endif
-#endif
-#ifdef SYS_nanosleep
-#ifdef __NR_nanosleep
-        {"nanosleep", __NR_nanosleep},
-#endif
-#endif
-#ifdef SYS_newfstatat
-#ifdef __NR_newfstatat
-        {"newfstatat", __NR_newfstatat},
-#endif
-#endif
-#ifdef SYS_open
-#ifdef __NR_open
-        {"open", __NR_open},
-#endif
-#endif
-#ifdef SYS_open_by_handle_at
-#ifdef __NR_open_by_handle_at
-        {"open_by_handle_at", __NR_open_by_handle_at},
-#endif
-#endif
-#ifdef SYS_openat
-#ifdef __NR_openat
-        {"openat", __NR_openat},
-#endif
-#endif
-#ifdef SYS_pause
-#ifdef __NR_pause
-        {"pause", __NR_pause},
-#endif
-#endif
-#ifdef SYS_perf_event_open
-#ifdef __NR_perf_event_open
-        {"perf_event_open", __NR_perf_event_open},
-#endif
-#endif
-#ifdef SYS_personality
-#ifdef __NR_personality
-        {"personality", __NR_personality},
-#endif
-#endif
-#ifdef SYS_pipe
-#ifdef __NR_pipe
-        {"pipe", __NR_pipe},
-#endif
-#endif
-#ifdef SYS_pipe2
-#ifdef __NR_pipe2
-        {"pipe2", __NR_pipe2},
-#endif
-#endif
-#ifdef SYS_pivot_root
-#ifdef __NR_pivot_root
-        {"pivot_root", __NR_pivot_root},
-#endif
-#endif
-#ifdef SYS_pkey_alloc
-#ifdef __NR_pkey_alloc
-        {"pkey_alloc", __NR_pkey_alloc},
-#endif
-#endif
-#ifdef SYS_pkey_free
-#ifdef __NR_pkey_free
-        {"pkey_free", __NR_pkey_free},
-#endif
-#endif
-#ifdef SYS_pkey_mprotect
-#ifdef __NR_pkey_mprotect
-        {"pkey_mprotect", __NR_pkey_mprotect},
-#endif
-#endif
-#ifdef SYS_poll
-#ifdef __NR_poll
-        {"poll", __NR_poll},
-#endif
-#endif
-#ifdef SYS_ppoll
-#ifdef __NR_ppoll
-        {"ppoll", __NR_ppoll},
-#endif
-#endif
-#ifdef SYS_prctl
-#ifdef __NR_prctl
-        {"prctl", __NR_prctl},
-#endif
-#endif
-#ifdef SYS_pread64
-#ifdef __NR_pread64
-        {"pread64", __NR_pread64},
-#endif
-#endif
-#ifdef SYS_preadv
-#ifdef __NR_preadv
-        {"preadv", __NR_preadv},
-#endif
-#endif
-#ifdef SYS_preadv2
-#ifdef __NR_preadv2
-        {"preadv2", __NR_preadv2},
-#endif
-#endif
-#ifdef SYS_prlimit64
-#ifdef __NR_prlimit64
-        {"prlimit64", __NR_prlimit64},
-#endif
-#endif
-#ifdef SYS_process_vm_readv
-#ifdef __NR_process_vm_readv
-        {"process_vm_readv", __NR_process_vm_readv},
-#endif
-#endif
-#ifdef SYS_process_vm_writev
-#ifdef __NR_process_vm_writev
-        {"process_vm_writev", __NR_process_vm_writev},
-#endif
-#endif
-#ifdef SYS_pselect6
-#ifdef __NR_pselect6
-        {"pselect6", __NR_pselect6},
-#endif
-#endif
-#ifdef SYS_ptrace
-#ifdef __NR_ptrace
-        {"ptrace", __NR_ptrace},
-#endif
-#endif
-#ifdef SYS_putpmsg
-#ifdef __NR_putpmsg
-        {"putpmsg", __NR_putpmsg},
-#endif
-#endif
-#ifdef SYS_pwrite64
-#ifdef __NR_pwrite64
-        {"pwrite64", __NR_pwrite64},
-#endif
-#endif
-#ifdef SYS_pwritev
-#ifdef __NR_pwritev
-        {"pwritev", __NR_pwritev},
-#endif
-#endif
-#ifdef SYS_pwritev2
-#ifdef __NR_pwritev2
-        {"pwritev2", __NR_pwritev2},
-#endif
-#endif
-#ifdef SYS_quotactl
-#ifdef __NR_quotactl
-        {"quotactl", __NR_quotactl},
-#endif
-#endif
-#ifdef SYS_read
-#ifdef __NR_read
-        {"read", __NR_read},
-#endif
-#endif
-#ifdef SYS_readahead
-#ifdef __NR_readahead
-        {"readahead", __NR_readahead},
-#endif
-#endif
-#ifdef SYS_readlink
-#ifdef __NR_readlink
-        {"readlink", __NR_readlink},
-#endif
-#endif
-#ifdef SYS_readlinkat
-#ifdef __NR_readlinkat
-        {"readlinkat", __NR_readlinkat},
-#endif
-#endif
-#ifdef SYS_readv
-#ifdef __NR_readv
-        {"readv", __NR_readv},
-#endif
-#endif
-#ifdef SYS_reboot
-#ifdef __NR_reboot
-        {"reboot", __NR_reboot},
-#endif
-#endif
-#ifdef SYS_recvfrom
-#ifdef __NR_recvfrom
-        {"recvfrom", __NR_recvfrom},
-#endif
-#endif
-#ifdef SYS_recvmmsg
-#ifdef __NR_recvmmsg
-        {"recvmmsg", __NR_recvmmsg},
-#endif
-#endif
-#ifdef SYS_recvmsg
-#ifdef __NR_recvmsg
-        {"recvmsg", __NR_recvmsg},
-#endif
-#endif
-#ifdef SYS_remap_file_pages
-#ifdef __NR_remap_file_pages
-        {"remap_file_pages", __NR_remap_file_pages},
-#endif
-#endif
-#ifdef SYS_removexattr
-#ifdef __NR_removexattr
-        {"removexattr", __NR_removexattr},
-#endif
-#endif
-#ifdef SYS_rename
-#ifdef __NR_rename
-        {"rename", __NR_rename},
-#endif
-#endif
-#ifdef SYS_renameat
-#ifdef __NR_renameat
-        {"renameat", __NR_renameat},
-#endif
-#endif
-#ifdef SYS_renameat2
-#ifdef __NR_renameat2
-        {"renameat2", __NR_renameat2},
-#endif
-#endif
-#ifdef SYS_request_key
-#ifdef __NR_request_key
-        {"request_key", __NR_request_key},
-#endif
-#endif
-#ifdef SYS_restart_syscall
-#ifdef __NR_restart_syscall
-        {"restart_syscall", __NR_restart_syscall},
-#endif
-#endif
-#ifdef SYS_rmdir
-#ifdef __NR_rmdir
-        {"rmdir", __NR_rmdir},
-#endif
-#endif
-#ifdef SYS_rt_sigaction
-#ifdef __NR_rt_sigaction
-        {"rt_sigaction", __NR_rt_sigaction},
-#endif
-#endif
-#ifdef SYS_rt_sigpending
-#ifdef __NR_rt_sigpending
-        {"rt_sigpending", __NR_rt_sigpending},
-#endif
-#endif
-#ifdef SYS_rt_sigprocmask
-#ifdef __NR_rt_sigprocmask
-        {"rt_sigprocmask", __NR_rt_sigprocmask},
-#endif
-#endif
-#ifdef SYS_rt_sigqueueinfo
-#ifdef __NR_rt_sigqueueinfo
-        {"rt_sigqueueinfo", __NR_rt_sigqueueinfo},
-#endif
-#endif
-#ifdef SYS_rt_sigreturn
-#ifdef __NR_rt_sigreturn
-        {"rt_sigreturn", __NR_rt_sigreturn},
-#endif
-#endif
-#ifdef SYS_rt_sigsuspend
-#ifdef __NR_rt_sigsuspend
-        {"rt_sigsuspend", __NR_rt_sigsuspend},
-#endif
-#endif
-#ifdef SYS_rt_sigtimedwait
-#ifdef __NR_rt_sigtimedwait
-        {"rt_sigtimedwait", __NR_rt_sigtimedwait},
-#endif
-#endif
-#ifdef SYS_rt_tgsigqueueinfo
-#ifdef __NR_rt_tgsigqueueinfo
-        {"rt_tgsigqueueinfo", __NR_rt_tgsigqueueinfo},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_max
-#ifdef __NR_sched_get_priority_max
-        {"sched_get_priority_max", __NR_sched_get_priority_max},
-#endif
-#endif
-#ifdef SYS_sched_get_priority_min
-#ifdef __NR_sched_get_priority_min
-        {"sched_get_priority_min", __NR_sched_get_priority_min},
-#endif
-#endif
-#ifdef SYS_sched_getaffinity
-#ifdef __NR_sched_getaffinity
-        {"sched_getaffinity", __NR_sched_getaffinity},
-#endif
-#endif
-#ifdef SYS_sched_getattr
-#ifdef __NR_sched_getattr
-        {"sched_getattr", __NR_sched_getattr},
-#endif
-#endif
-#ifdef SYS_sched_getparam
-#ifdef __NR_sched_getparam
-        {"sched_getparam", __NR_sched_getparam},
-#endif
-#endif
-#ifdef SYS_sched_getscheduler
-#ifdef __NR_sched_getscheduler
-        {"sched_getscheduler", __NR_sched_getscheduler},
-#endif
-#endif
-#ifdef SYS_sched_rr_get_interval
-#ifdef __NR_sched_rr_get_interval
-        {"sched_rr_get_interval", __NR_sched_rr_get_interval},
-#endif
-#endif
-#ifdef SYS_sched_setaffinity
-#ifdef __NR_sched_setaffinity
-        {"sched_setaffinity", __NR_sched_setaffinity},
-#endif
-#endif
-#ifdef SYS_sched_setattr
-#ifdef __NR_sched_setattr
-        {"sched_setattr", __NR_sched_setattr},
-#endif
-#endif
-#ifdef SYS_sched_setparam
-#ifdef __NR_sched_setparam
-        {"sched_setparam", __NR_sched_setparam},
-#endif
-#endif
-#ifdef SYS_sched_setscheduler
-#ifdef __NR_sched_setscheduler
-        {"sched_setscheduler", __NR_sched_setscheduler},
-#endif
-#endif
-#ifdef SYS_sched_yield
-#ifdef __NR_sched_yield
-        {"sched_yield", __NR_sched_yield},
-#endif
-#endif
-#ifdef SYS_seccomp
-#ifdef __NR_seccomp
-        {"seccomp", __NR_seccomp},
-#endif
-#endif
-#ifdef SYS_security
-#ifdef __NR_security
-        {"security", __NR_security},
-#endif
-#endif
-#ifdef SYS_select
-#ifdef __NR_select
-        {"select", __NR_select},
-#endif
-#endif
-#ifdef SYS_semctl
-#ifdef __NR_semctl
-        {"semctl", __NR_semctl},
-#endif
-#endif
-#ifdef SYS_semget
-#ifdef __NR_semget
-        {"semget", __NR_semget},
-#endif
-#endif
-#ifdef SYS_semop
-#ifdef __NR_semop
-        {"semop", __NR_semop},
-#endif
-#endif
-#ifdef SYS_semtimedop
-#ifdef __NR_semtimedop
-        {"semtimedop", __NR_semtimedop},
-#endif
-#endif
-#ifdef SYS_sendfile
-#ifdef __NR_sendfile
-        {"sendfile", __NR_sendfile},
-#endif
-#endif
-#ifdef SYS_sendmmsg
-#ifdef __NR_sendmmsg
-        {"sendmmsg", __NR_sendmmsg},
-#endif
-#endif
-#ifdef SYS_sendmsg
-#ifdef __NR_sendmsg
-        {"sendmsg", __NR_sendmsg},
-#endif
-#endif
-#ifdef SYS_sendto
-#ifdef __NR_sendto
-        {"sendto", __NR_sendto},
-#endif
-#endif
-#ifdef SYS_set_mempolicy
-#ifdef __NR_set_mempolicy
-        {"set_mempolicy", __NR_set_mempolicy},
-#endif
-#endif
-#ifdef SYS_set_robust_list
-#ifdef __NR_set_robust_list
-        {"set_robust_list", __NR_set_robust_list},
-#endif
-#endif
-#ifdef SYS_set_tid_address
-#ifdef __NR_set_tid_address
-        {"set_tid_address", __NR_set_tid_address},
-#endif
-#endif
-#ifdef SYS_setdomainname
-#ifdef __NR_setdomainname
-        {"setdomainname", __NR_setdomainname},
-#endif
-#endif
-#ifdef SYS_setfsgid
-#ifdef __NR_setfsgid
-        {"setfsgid", __NR_setfsgid},
-#endif
-#endif
-#ifdef SYS_setfsuid
-#ifdef __NR_setfsuid
-        {"setfsuid", __NR_setfsuid},
-#endif
-#endif
-#ifdef SYS_setgid
-#ifdef __NR_setgid
-        {"setgid", __NR_setgid},
-#endif
-#endif
-#ifdef SYS_setgroups
-#ifdef __NR_setgroups
-        {"setgroups", __NR_setgroups},
-#endif
-#endif
-#ifdef SYS_sethostname
-#ifdef __NR_sethostname
-        {"sethostname", __NR_sethostname},
-#endif
-#endif
-#ifdef SYS_setitimer
-#ifdef __NR_setitimer
-        {"setitimer", __NR_setitimer},
-#endif
-#endif
-#ifdef SYS_setns
-#ifdef __NR_setns
-        {"setns", __NR_setns},
-#endif
-#endif
-#ifdef SYS_setpgid
-#ifdef __NR_setpgid
-        {"setpgid", __NR_setpgid},
-#endif
-#endif
-#ifdef SYS_setpriority
-#ifdef __NR_setpriority
-        {"setpriority", __NR_setpriority},
-#endif
-#endif
-#ifdef SYS_setregid
-#ifdef __NR_setregid
-        {"setregid", __NR_setregid},
-#endif
-#endif
-#ifdef SYS_setresgid
-#ifdef __NR_setresgid
-        {"setresgid", __NR_setresgid},
-#endif
-#endif
-#ifdef SYS_setresuid
-#ifdef __NR_setresuid
-        {"setresuid", __NR_setresuid},
-#endif
-#endif
-#ifdef SYS_setreuid
-#ifdef __NR_setreuid
-        {"setreuid", __NR_setreuid},
-#endif
-#endif
-#ifdef SYS_setrlimit
-#ifdef __NR_setrlimit
-        {"setrlimit", __NR_setrlimit},
-#endif
-#endif
-#ifdef SYS_setsid
-#ifdef __NR_setsid
-        {"setsid", __NR_setsid},
-#endif
-#endif
-#ifdef SYS_setsockopt
-#ifdef __NR_setsockopt
-        {"setsockopt", __NR_setsockopt},
-#endif
-#endif
-#ifdef SYS_settimeofday
-#ifdef __NR_settimeofday
-        {"settimeofday", __NR_settimeofday},
-#endif
-#endif
-#ifdef SYS_setuid
-#ifdef __NR_setuid
-        {"setuid", __NR_setuid},
-#endif
-#endif
-#ifdef SYS_setxattr
-#ifdef __NR_setxattr
-        {"setxattr", __NR_setxattr},
-#endif
-#endif
-#ifdef SYS_shmat
-#ifdef __NR_shmat
-        {"shmat", __NR_shmat},
-#endif
-#endif
-#ifdef SYS_shmctl
-#ifdef __NR_shmctl
-        {"shmctl", __NR_shmctl},
-#endif
-#endif
-#ifdef SYS_shmdt
-#ifdef __NR_shmdt
-        {"shmdt", __NR_shmdt},
-#endif
-#endif
-#ifdef SYS_shmget
-#ifdef __NR_shmget
-        {"shmget", __NR_shmget},
-#endif
-#endif
-#ifdef SYS_shutdown
-#ifdef __NR_shutdown
-        {"shutdown", __NR_shutdown},
-#endif
-#endif
-#ifdef SYS_sigaltstack
-#ifdef __NR_sigaltstack
-        {"sigaltstack", __NR_sigaltstack},
-#endif
-#endif
-#ifdef SYS_signalfd
-#ifdef __NR_signalfd
-        {"signalfd", __NR_signalfd},
-#endif
-#endif
-#ifdef SYS_signalfd4
-#ifdef __NR_signalfd4
-        {"signalfd4", __NR_signalfd4},
-#endif
-#endif
-#ifdef SYS_socket
-#ifdef __NR_socket
-        {"socket", __NR_socket},
-#endif
-#endif
-#ifdef SYS_socketpair
-#ifdef __NR_socketpair
-        {"socketpair", __NR_socketpair},
-#endif
-#endif
-#ifdef SYS_splice
-#ifdef __NR_splice
-        {"splice", __NR_splice},
-#endif
-#endif
-#ifdef SYS_stat
-#ifdef __NR_stat
-        {"stat", __NR_stat},
-#endif
-#endif
-#ifdef SYS_statfs
-#ifdef __NR_statfs
-        {"statfs", __NR_statfs},
-#endif
-#endif
-#ifdef SYS_statx
-#ifdef __NR_statx
-        {"statx", __NR_statx},
-#endif
-#endif
-#ifdef SYS_swapoff
-#ifdef __NR_swapoff
-        {"swapoff", __NR_swapoff},
-#endif
-#endif
-#ifdef SYS_swapon
-#ifdef __NR_swapon
-        {"swapon", __NR_swapon},
-#endif
-#endif
-#ifdef SYS_symlink
-#ifdef __NR_symlink
-        {"symlink", __NR_symlink},
-#endif
-#endif
-#ifdef SYS_symlinkat
-#ifdef __NR_symlinkat
-        {"symlinkat", __NR_symlinkat},
-#endif
-#endif
-#ifdef SYS_sync
-#ifdef __NR_sync
-        {"sync", __NR_sync},
-#endif
-#endif
-#ifdef SYS_sync_file_range
-#ifdef __NR_sync_file_range
-        {"sync_file_range", __NR_sync_file_range},
-#endif
-#endif
-#ifdef SYS_syncfs
-#ifdef __NR_syncfs
-        {"syncfs", __NR_syncfs},
-#endif
-#endif
-#ifdef SYS_sysfs
-#ifdef __NR_sysfs
-        {"sysfs", __NR_sysfs},
-#endif
-#endif
-#ifdef SYS_sysinfo
-#ifdef __NR_sysinfo
-        {"sysinfo", __NR_sysinfo},
-#endif
-#endif
-#ifdef SYS_syslog
-#ifdef __NR_syslog
-        {"syslog", __NR_syslog},
-#endif
-#endif
-#ifdef SYS_tee
-#ifdef __NR_tee
-        {"tee", __NR_tee},
-#endif
-#endif
-#ifdef SYS_tgkill
-#ifdef __NR_tgkill
-        {"tgkill", __NR_tgkill},
-#endif
-#endif
-#ifdef SYS_time
-#ifdef __NR_time
-        {"time", __NR_time},
-#endif
-#endif
-#ifdef SYS_timer_create
-#ifdef __NR_timer_create
-        {"timer_create", __NR_timer_create},
-#endif
-#endif
-#ifdef SYS_timer_delete
-#ifdef __NR_timer_delete
-        {"timer_delete", __NR_timer_delete},
-#endif
-#endif
-#ifdef SYS_timer_getoverrun
-#ifdef __NR_timer_getoverrun
-        {"timer_getoverrun", __NR_timer_getoverrun},
-#endif
-#endif
-#ifdef SYS_timer_gettime
-#ifdef __NR_timer_gettime
-        {"timer_gettime", __NR_timer_gettime},
-#endif
-#endif
-#ifdef SYS_timer_settime
-#ifdef __NR_timer_settime
-        {"timer_settime", __NR_timer_settime},
-#endif
-#endif
-#ifdef SYS_timerfd_create
-#ifdef __NR_timerfd_create
-        {"timerfd_create", __NR_timerfd_create},
-#endif
-#endif
-#ifdef SYS_timerfd_gettime
-#ifdef __NR_timerfd_gettime
-        {"timerfd_gettime", __NR_timerfd_gettime},
-#endif
-#endif
-#ifdef SYS_timerfd_settime
-#ifdef __NR_timerfd_settime
-        {"timerfd_settime", __NR_timerfd_settime},
-#endif
-#endif
-#ifdef SYS_times
-#ifdef __NR_times
-        {"times", __NR_times},
-#endif
-#endif
-#ifdef SYS_tkill
-#ifdef __NR_tkill
-        {"tkill", __NR_tkill},
-#endif
-#endif
-#ifdef SYS_truncate
-#ifdef __NR_truncate
-        {"truncate", __NR_truncate},
-#endif
-#endif
-#ifdef SYS_tuxcall
-#ifdef __NR_tuxcall
-        {"tuxcall", __NR_tuxcall},
-#endif
-#endif
-#ifdef SYS_umask
-#ifdef __NR_umask
-        {"umask", __NR_umask},
-#endif
-#endif
-#ifdef SYS_umount2
-#ifdef __NR_umount2
-        {"umount2", __NR_umount2},
-#endif
-#endif
-#ifdef SYS_uname
-#ifdef __NR_uname
-        {"uname", __NR_uname},
-#endif
-#endif
-#ifdef SYS_unlink
-#ifdef __NR_unlink
-        {"unlink", __NR_unlink},
-#endif
-#endif
-#ifdef SYS_unlinkat
-#ifdef __NR_unlinkat
-        {"unlinkat", __NR_unlinkat},
-#endif
-#endif
-#ifdef SYS_unshare
-#ifdef __NR_unshare
-        {"unshare", __NR_unshare},
-#endif
-#endif
-#ifdef SYS_userfaultfd
-#ifdef __NR_userfaultfd
-        {"userfaultfd", __NR_userfaultfd},
-#endif
-#endif
-#ifdef SYS_ustat
-#ifdef __NR_ustat
-        {"ustat", __NR_ustat},
-#endif
-#endif
-#ifdef SYS_utime
-#ifdef __NR_utime
-        {"utime", __NR_utime},
-#endif
-#endif
-#ifdef SYS_utimensat
-#ifdef __NR_utimensat
-        {"utimensat", __NR_utimensat},
-#endif
-#endif
-#ifdef SYS_utimes
-#ifdef __NR_utimes
-        {"utimes", __NR_utimes},
-#endif
-#endif
-#ifdef SYS_vfork
-#ifdef __NR_vfork
-        {"vfork", __NR_vfork},
-#endif
-#endif
-#ifdef SYS_vhangup
-#ifdef __NR_vhangup
-        {"vhangup", __NR_vhangup},
-#endif
-#endif
-#ifdef SYS_vmsplice
-#ifdef __NR_vmsplice
-        {"vmsplice", __NR_vmsplice},
-#endif
-#endif
-#ifdef SYS_wait4
-#ifdef __NR_wait4
-        {"wait4", __NR_wait4},
-#endif
-#endif
-#ifdef SYS_waitid
-#ifdef __NR_waitid
-        {"waitid", __NR_waitid},
-#endif
-#endif
-#ifdef SYS_write
-#ifdef __NR_write
-        {"write", __NR_write},
-#endif
-#endif
-#ifdef SYS_writev
-#ifdef __NR_writev
-        {"writev", __NR_writev},
-#endif
-#endif
 #endif
-//#endif
diff --git a/src/include/syscall_armeabi.h b/src/include/syscall_armeabi.h
new file mode 100644
index 000000000..cbdc67f37
--- /dev/null
+++ b/src/include/syscall_armeabi.h
@@ -0,0 +1,354 @@
+{ "accept", 285 },
+{ "accept4", 366 },
+{ "access", 33 },
+{ "acct", 51 },
+{ "add_key", 309 },
+{ "adjtimex", 124 },
+{ "alarm", 27 },
+{ "arm_fadvise64_64", 270 },
+{ "arm_sync_file_range", 341 },
+{ "bdflush", 134 },
+{ "bind", 282 },
+{ "bpf", 386 },
+{ "brk", 45 },
+{ "capget", 184 },
+{ "capset", 185 },
+{ "chdir", 12 },
+{ "chmod", 15 },
+{ "chown", 182 },
+{ "chown32", 212 },
+{ "chroot", 61 },
+{ "clock_adjtime", 372 },
+{ "clock_getres", 264 },
+{ "clock_gettime", 263 },
+{ "clock_nanosleep", 265 },
+{ "clock_settime", 262 },
+{ "clone", 120 },
+{ "close", 6 },
+{ "connect", 283 },
+{ "creat", 8 },
+{ "delete_module", 129 },
+{ "dup2", 63 },
+{ "dup3", 358 },
+{ "dup", 41 },
+{ "epoll_create1", 357 },
+{ "epoll_create", 250 },
+{ "epoll_ctl", 251 },
+{ "epoll_pwait", 346 },
+{ "epoll_wait", 252 },
+{ "eventfd2", 356 },
+{ "eventfd", 351 },
+{ "execve", 11 },
+{ "exit", 1 },
+{ "exit_group", 248 },
+{ "faccessat", 334 },
+{ "fallocate", 352 },
+{ "fanotify_init", 367 },
+{ "fanotify_mark", 368 },
+{ "fchdir", 133 },
+{ "fchmod", 94 },
+{ "fchmodat", 333 },
+{ "fchown32", 207 },
+{ "fchown", 95 },
+{ "fchownat", 325 },
+{ "fcntl", 55 },
+{ "fcntl64", 221 },
+{ "fdatasync", 148 },
+{ "fgetxattr", 231 },
+{ "finit_module", 379 },
+{ "flistxattr", 234 },
+{ "flock", 143 },
+{ "fork", 2 },
+{ "fremovexattr", 237 },
+{ "fsetxattr", 228 },
+{ "fstat", 108 },
+{ "fstat64", 197 },
+{ "fstatat64", 327 },
+{ "fstatfs", 100 },
+{ "fstatfs64", 267 },
+{ "fsync", 118 },
+{ "ftruncate64", 194 },
+{ "ftruncate", 93 },
+{ "futex", 240 },
+{ "futimesat", 326 },
+{ "getcpu", 345 },
+{ "getcwd", 183 },
+{ "getdents", 141 },
+{ "getdents64", 217 },
+{ "getegid32", 202 },
+{ "getegid", 50 },
+{ "geteuid32", 201 },
+{ "geteuid", 49 },
+{ "getgid32", 200 },
+{ "getgid", 47 },
+{ "getgroups32", 205 },
+{ "getgroups", 80 },
+{ "getitimer", 105 },
+{ "get_mempolicy", 320 },
+{ "getpeername", 287 },
+{ "getpgid", 132 },
+{ "getpgrp", 65 },
+{ "getpid", 20 },
+{ "getppid", 64 },
+{ "getpriority", 96 },
+{ "getrandom", 384 },
+{ "getresgid", 171 },
+{ "getresgid32", 211 },
+{ "getresuid", 165 },
+{ "getresuid32", 209 },
+{ "getrlimit", 76 },
+{ "get_robust_list", 339 },
+{ "getrusage", 77 },
+{ "getsid", 147 },
+{ "getsockname", 286 },
+{ "getsockopt", 295 },
+{ "gettid", 224 },
+{ "gettimeofday", 78 },
+{ "getuid", 24 },
+{ "getuid32", 199 },
+{ "getxattr", 229 },
+{ "init_module", 128 },
+{ "inotify_add_watch", 317 },
+{ "inotify_init1", 360 },
+{ "inotify_init", 316 },
+{ "inotify_rm_watch", 318 },
+{ "io_cancel", 247 },
+{ "ioctl", 54 },
+{ "io_destroy", 244 },
+{ "io_getevents", 245 },
+{ "ioprio_get", 315 },
+{ "ioprio_set", 314 },
+{ "io_setup", 243 },
+{ "io_submit", 246 },
+{ "ipc", 117 },
+{ "kcmp", 378 },
+{ "kexec_load", 347 },
+{ "keyctl", 311 },
+{ "kill", 37 },
+{ "lchown", 16 },
+{ "lchown32", 198 },
+{ "lgetxattr", 230 },
+{ "link", 9 },
+{ "linkat", 330 },
+{ "listen", 284 },
+{ "listxattr", 232 },
+{ "llistxattr", 233 },
+{ "_llseek", 140 },
+{ "lookup_dcookie", 249 },
+{ "lremovexattr", 236 },
+{ "lseek", 19 },
+{ "lsetxattr", 227 },
+{ "lstat", 107 },
+{ "lstat64", 196 },
+{ "madvise", 220 },
+{ "mbind", 319 },
+{ "memfd_create", 385 },
+{ "mincore", 219 },
+{ "mkdir", 39 },
+{ "mkdirat", 323 },
+{ "mknod", 14 },
+{ "mknodat", 324 },
+{ "mlock", 150 },
+{ "mlockall", 152 },
+{ "mmap2", 192 },
+{ "mmap", 90 },
+{ "mount", 21 },
+{ "move_pages", 344 },
+{ "mprotect", 125 },
+{ "mq_getsetattr", 279 },
+{ "mq_notify", 278 },
+{ "mq_open", 274 },
+{ "mq_timedreceive", 277 },
+{ "mq_timedsend", 276 },
+{ "mq_unlink", 275 },
+{ "mremap", 163 },
+{ "msgctl", 304 },
+{ "msgget", 303 },
+{ "msgrcv", 302 },
+{ "msgsnd", 301 },
+{ "msync", 144 },
+{ "munlock", 151 },
+{ "munlockall", 153 },
+{ "munmap", 91 },
+{ "name_to_handle_at", 370 },
+{ "nanosleep", 162 },
+{ "_newselect", 142 },
+{ "nfsservctl", 169 },
+{ "nice", 34 },
+{ "open", 5 },
+{ "openat", 322 },
+{ "open_by_handle_at", 371 },
+{ "pause", 29 },
+{ "pciconfig_iobase", 271 },
+{ "pciconfig_read", 272 },
+{ "pciconfig_write", 273 },
+{ "perf_event_open", 364 },
+{ "personality", 136 },
+{ "pipe2", 359 },
+{ "pipe", 42 },
+{ "pivot_root", 218 },
+{ "poll", 168 },
+{ "ppoll", 336 },
+{ "prctl", 172 },
+{ "pread64", 180 },
+{ "preadv", 361 },
+{ "prlimit64", 369 },
+{ "process_vm_readv", 376 },
+{ "process_vm_writev", 377 },
+{ "pselect6", 335 },
+{ "ptrace", 26 },
+{ "pwrite64", 181 },
+{ "pwritev", 362 },
+{ "quotactl", 131 },
+{ "read", 3 },
+{ "readahead", 225 },
+{ "readdir", 89 },
+{ "readlink", 85 },
+{ "readlinkat", 332 },
+{ "readv", 145 },
+{ "reboot", 88 },
+{ "recv", 291 },
+{ "recvfrom", 292 },
+{ "recvmmsg", 365 },
+{ "recvmsg", 297 },
+{ "remap_file_pages", 253 },
+{ "removexattr", 235 },
+{ "rename", 38 },
+{ "renameat2", 382 },
+{ "renameat", 329 },
+{ "request_key", 310 },
+{ "rmdir", 40 },
+{ "rt_sigaction", 174 },
+{ "rt_sigpending", 176 },
+{ "rt_sigprocmask", 175 },
+{ "rt_sigqueueinfo", 178 },
+{ "rt_sigreturn", 173 },
+{ "rt_sigsuspend", 179 },
+{ "rt_sigtimedwait", 177 },
+{ "rt_tgsigqueueinfo", 363 },
+{ "sched_getaffinity", 242 },
+{ "sched_getattr", 381 },
+{ "sched_getparam", 155 },
+{ "sched_get_priority_max", 159 },
+{ "sched_get_priority_min", 160 },
+{ "sched_getscheduler", 157 },
+{ "sched_rr_get_interval", 161 },
+{ "sched_setaffinity", 241 },
+{ "sched_setattr", 380 },
+{ "sched_setparam", 154 },
+{ "sched_setscheduler", 156 },
+{ "sched_yield", 158 },
+{ "seccomp", 383 },
+{ "select", 82 },
+{ "semctl", 300 },
+{ "semget", 299 },
+{ "semop", 298 },
+{ "semtimedop", 312 },
+{ "send", 289 },
+{ "sendfile", 187 },
+{ "sendfile64", 239 },
+{ "sendmmsg", 374 },
+{ "sendmsg", 296 },
+{ "sendto", 290 },
+{ "setdomainname", 121 },
+{ "setfsgid", 139 },
+{ "setfsgid32", 216 },
+{ "setfsuid", 138 },
+{ "setfsuid32", 215 },
+{ "setgid32", 214 },
+{ "setgid", 46 },
+{ "setgroups32", 206 },
+{ "setgroups", 81 },
+{ "sethostname", 74 },
+{ "setitimer", 104 },
+{ "set_mempolicy", 321 },
+{ "setns", 375 },
+{ "setpgid", 57 },
+{ "setpriority", 97 },
+{ "setregid32", 204 },
+{ "setregid", 71 },
+{ "setresgid", 170 },
+{ "setresgid32", 210 },
+{ "setresuid", 164 },
+{ "setresuid32", 208 },
+{ "setreuid32", 203 },
+{ "setreuid", 70 },
+{ "setrlimit", 75 },
+{ "set_robust_list", 338 },
+{ "setsid", 66 },
+{ "setsockopt", 294 },
+{ "set_tid_address", 256 },
+{ "settimeofday", 79 },
+{ "setuid", 23 },
+{ "setuid32", 213 },
+{ "setxattr", 226 },
+{ "shmat", 305 },
+{ "shmctl", 308 },
+{ "shmdt", 306 },
+{ "shmget", 307 },
+{ "shutdown", 293 },
+{ "sigaction", 67 },
+{ "sigaltstack", 186 },
+{ "signalfd", 349 },
+{ "signalfd4", 355 },
+{ "sigpending", 73 },
+{ "sigprocmask", 126 },
+{ "sigreturn", 119 },
+{ "sigsuspend", 72 },
+{ "socket", 281 },
+{ "socketcall", 102 },
+{ "socketpair", 288 },
+{ "splice", 340 },
+{ "stat", 106 },
+{ "stat64", 195 },
+{ "statfs64", 266 },
+{ "statfs", 99 },
+{ "stime", 25 },
+{ "swapoff", 115 },
+{ "swapon", 87 },
+{ "symlink", 83 },
+{ "symlinkat", 331 },
+{ "sync", 36 },
+{ "sync_file_range2", 341 },
+{ "syncfs", 373 },
+{ "syscall", 113 },
+{ "_sysctl", 149 },
+{ "sysfs", 135 },
+{ "sysinfo", 116 },
+{ "syslog", 103 },
+{ "tee", 342 },
+{ "tgkill", 268 },
+{ "time", 13 },
+{ "timer_create", 257 },
+{ "timer_delete", 261 },
+{ "timerfd_create", 350 },
+{ "timerfd_gettime", 354 },
+{ "timerfd_settime", 353 },
+{ "timer_getoverrun", 260 },
+{ "timer_gettime", 259 },
+{ "timer_settime", 258 },
+{ "times", 43 },
+{ "tkill", 238 },
+{ "truncate64", 193 },
+{ "truncate", 92 },
+{ "ugetrlimit", 191 },
+{ "umask", 60 },
+{ "umount", 22 },
+{ "umount2", 52 },
+{ "uname", 122 },
+{ "unlink", 10 },
+{ "unlinkat", 328 },
+{ "unshare", 337 },
+{ "uselib", 86 },
+{ "ustat", 62 },
+{ "utime", 30 },
+{ "utimensat", 348 },
+{ "utimes", 269 },
+{ "vfork", 190 },
+{ "vhangup", 111 },
+{ "vmsplice", 343 },
+{ "vserver", 313 },
+{ "wait4", 114 },
+{ "waitid", 280 },
+{ "write", 4 },
+{ "writev", 146 },
diff --git a/src/include/syscall_i386.h b/src/include/syscall_i386.h
new file mode 100644
index 000000000..4795e5b2a
--- /dev/null
+++ b/src/include/syscall_i386.h
@@ -0,0 +1,425 @@
+{ "_llseek", 140 },
+{ "_newselect", 142 },
+{ "_sysctl", 149 },
+{ "accept4", 364 },
+{ "access", 33 },
+{ "acct", 51 },
+{ "add_key", 286 },
+{ "adjtimex", 124 },
+{ "afs_syscall", 137 },
+{ "alarm", 27 },
+{ "arch_prctl", 384 },
+{ "bdflush", 134 },
+{ "bind", 361 },
+{ "bpf", 357 },
+{ "break", 17 },
+{ "brk", 45 },
+{ "capget", 184 },
+{ "capset", 185 },
+{ "chdir", 12 },
+{ "chmod", 15 },
+{ "chown", 182 },
+{ "chown32", 212 },
+{ "chroot", 61 },
+{ "clock_adjtime", 343 },
+{ "clock_adjtime64", 405 },
+{ "clock_getres", 266 },
+{ "clock_getres_time64", 406 },
+{ "clock_gettime", 265 },
+{ "clock_gettime64", 403 },
+{ "clock_nanosleep", 267 },
+{ "clock_nanosleep_time64", 407 },
+{ "clock_settime", 264 },
+{ "clock_settime64", 404 },
+{ "clone", 120 },
+{ "clone3", 435 },
+{ "close", 6 },
+{ "connect", 362 },
+{ "copy_file_range", 377 },
+{ "creat", 8 },
+{ "create_module", 127 },
+{ "delete_module", 129 },
+{ "dup", 41 },
+{ "dup2", 63 },
+{ "dup3", 330 },
+{ "epoll_create", 254 },
+{ "epoll_create1", 329 },
+{ "epoll_ctl", 255 },
+{ "epoll_pwait", 319 },
+{ "epoll_wait", 256 },
+{ "eventfd", 323 },
+{ "eventfd2", 328 },
+{ "execve", 11 },
+{ "execveat", 358 },
+{ "exit", 1 },
+{ "exit_group", 252 },
+{ "faccessat", 307 },
+{ "fadvise64", 250 },
+{ "fadvise64_64", 272 },
+{ "fallocate", 324 },
+{ "fanotify_init", 338 },
+{ "fanotify_mark", 339 },
+{ "fchdir", 133 },
+{ "fchmod", 94 },
+{ "fchmodat", 306 },
+{ "fchown", 95 },
+{ "fchown32", 207 },
+{ "fchownat", 298 },
+{ "fcntl", 55 },
+{ "fcntl64", 221 },
+{ "fdatasync", 148 },
+{ "fgetxattr", 231 },
+{ "finit_module", 350 },
+{ "flistxattr", 234 },
+{ "flock", 143 },
+{ "fork", 2 },
+{ "fremovexattr", 237 },
+{ "fsconfig", 431 },
+{ "fsetxattr", 228 },
+{ "fsmount", 432 },
+{ "fsopen", 430 },
+{ "fspick", 433 },
+{ "fstat", 108 },
+{ "fstat64", 197 },
+{ "fstatat64", 300 },
+{ "fstatfs", 100 },
+{ "fstatfs64", 269 },
+{ "fsync", 118 },
+{ "ftime", 35 },
+{ "ftruncate", 93 },
+{ "ftruncate64", 194 },
+{ "futex", 240 },
+{ "futex_time64", 422 },
+{ "futimesat", 299 },
+{ "get_kernel_syms", 130 },
+{ "get_mempolicy", 275 },
+{ "get_robust_list", 312 },
+{ "get_thread_area", 244 },
+{ "getcpu", 318 },
+{ "getcwd", 183 },
+{ "getdents", 141 },
+{ "getdents64", 220 },
+{ "getegid", 50 },
+{ "getegid32", 202 },
+{ "geteuid", 49 },
+{ "geteuid32", 201 },
+{ "getgid", 47 },
+{ "getgid32", 200 },
+{ "getgroups", 80 },
+{ "getgroups32", 205 },
+{ "getitimer", 105 },
+{ "getpeername", 368 },
+{ "getpgid", 132 },
+{ "getpgrp", 65 },
+{ "getpid", 20 },
+{ "getpmsg", 188 },
+{ "getppid", 64 },
+{ "getpriority", 96 },
+{ "getrandom", 355 },
+{ "getresgid", 171 },
+{ "getresgid32", 211 },
+{ "getresuid", 165 },
+{ "getresuid32", 209 },
+{ "getrlimit", 76 },
+{ "getrusage", 77 },
+{ "getsid", 147 },
+{ "getsockname", 367 },
+{ "getsockopt", 365 },
+{ "gettid", 224 },
+{ "gettimeofday", 78 },
+{ "getuid", 24 },
+{ "getuid32", 199 },
+{ "getxattr", 229 },
+{ "gtty", 32 },
+{ "idle", 112 },
+{ "init_module", 128 },
+{ "inotify_add_watch", 292 },
+{ "inotify_init", 291 },
+{ "inotify_init1", 332 },
+{ "inotify_rm_watch", 293 },
+{ "io_cancel", 249 },
+{ "io_destroy", 246 },
+{ "io_getevents", 247 },
+{ "io_pgetevents", 385 },
+{ "io_pgetevents_time64", 416 },
+{ "io_setup", 245 },
+{ "io_submit", 248 },
+{ "io_uring_enter", 426 },
+{ "io_uring_register", 427 },
+{ "io_uring_setup", 425 },
+{ "ioctl", 54 },
+{ "ioperm", 101 },
+{ "iopl", 110 },
+{ "ioprio_get", 290 },
+{ "ioprio_set", 289 },
+{ "ipc", 117 },
+{ "kcmp", 349 },
+{ "kexec_load", 283 },
+{ "keyctl", 288 },
+{ "kill", 37 },
+{ "lchown", 16 },
+{ "lchown32", 198 },
+{ "lgetxattr", 230 },
+{ "link", 9 },
+{ "linkat", 303 },
+{ "listen", 363 },
+{ "listxattr", 232 },
+{ "llistxattr", 233 },
+{ "lock", 53 },
+{ "lookup_dcookie", 253 },
+{ "lremovexattr", 236 },
+{ "lseek", 19 },
+{ "lsetxattr", 227 },
+{ "lstat", 107 },
+{ "lstat64", 196 },
+{ "madvise", 219 },
+{ "mbind", 274 },
+{ "membarrier", 375 },
+{ "memfd_create", 356 },
+{ "migrate_pages", 294 },
+{ "mincore", 218 },
+{ "mkdir", 39 },
+{ "mkdirat", 296 },
+{ "mknod", 14 },
+{ "mknodat", 297 },
+{ "mlock", 150 },
+{ "mlock2", 376 },
+{ "mlockall", 152 },
+{ "mmap", 90 },
+{ "mmap2", 192 },
+{ "modify_ldt", 123 },
+{ "mount", 21 },
+{ "move_mount", 429 },
+{ "move_pages", 317 },
+{ "mprotect", 125 },
+{ "mpx", 56 },
+{ "mq_getsetattr", 282 },
+{ "mq_notify", 281 },
+{ "mq_open", 277 },
+{ "mq_timedreceive", 280 },
+{ "mq_timedreceive_time64", 419 },
+{ "mq_timedsend", 279 },
+{ "mq_timedsend_time64", 418 },
+{ "mq_unlink", 278 },
+{ "mremap", 163 },
+{ "msgctl", 402 },
+{ "msgget", 399 },
+{ "msgrcv", 401 },
+{ "msgsnd", 400 },
+{ "msync", 144 },
+{ "munlock", 151 },
+{ "munlockall", 153 },
+{ "munmap", 91 },
+{ "name_to_handle_at", 341 },
+{ "nanosleep", 162 },
+{ "nfsservctl", 169 },
+{ "nice", 34 },
+{ "oldfstat", 28 },
+{ "oldlstat", 84 },
+{ "oldolduname", 59 },
+{ "oldstat", 18 },
+{ "olduname", 109 },
+{ "open", 5 },
+{ "open_by_handle_at", 342 },
+{ "open_tree", 428 },
+{ "openat", 295 },
+{ "pause", 29 },
+{ "perf_event_open", 336 },
+{ "personality", 136 },
+{ "pidfd_open", 434 },
+{ "pidfd_send_signal", 424 },
+{ "pipe", 42 },
+{ "pipe2", 331 },
+{ "pivot_root", 217 },
+{ "pkey_alloc", 381 },
+{ "pkey_free", 382 },
+{ "pkey_mprotect", 380 },
+{ "poll", 168 },
+{ "ppoll", 309 },
+{ "ppoll_time64", 414 },
+{ "prctl", 172 },
+{ "pread64", 180 },
+{ "preadv", 333 },
+{ "preadv2", 378 },
+{ "prlimit64", 340 },
+{ "process_vm_readv", 347 },
+{ "process_vm_writev", 348 },
+{ "prof", 44 },
+{ "profil", 98 },
+{ "pselect6", 308 },
+{ "pselect6_time64", 413 },
+{ "ptrace", 26 },
+{ "putpmsg", 189 },
+{ "pwrite64", 181 },
+{ "pwritev", 334 },
+{ "pwritev2", 379 },
+{ "query_module", 167 },
+{ "quotactl", 131 },
+{ "read", 3 },
+{ "readahead", 225 },
+{ "readdir", 89 },
+{ "readlink", 85 },
+{ "readlinkat", 305 },
+{ "readv", 145 },
+{ "reboot", 88 },
+{ "recvfrom", 371 },
+{ "recvmmsg", 337 },
+{ "recvmmsg_time64", 417 },
+{ "recvmsg", 372 },
+{ "remap_file_pages", 257 },
+{ "removexattr", 235 },
+{ "rename", 38 },
+{ "renameat", 302 },
+{ "renameat2", 353 },
+{ "request_key", 287 },
+{ "restart_syscall", 0 },
+{ "rmdir", 40 },
+{ "rseq", 386 },
+{ "rt_sigaction", 174 },
+{ "rt_sigpending", 176 },
+{ "rt_sigprocmask", 175 },
+{ "rt_sigqueueinfo", 178 },
+{ "rt_sigreturn", 173 },
+{ "rt_sigsuspend", 179 },
+{ "rt_sigtimedwait", 177 },
+{ "rt_sigtimedwait_time64", 421 },
+{ "rt_tgsigqueueinfo", 335 },
+{ "sched_get_priority_max", 159 },
+{ "sched_get_priority_min", 160 },
+{ "sched_getaffinity", 242 },
+{ "sched_getattr", 352 },
+{ "sched_getparam", 155 },
+{ "sched_getscheduler", 157 },
+{ "sched_rr_get_interval", 161 },
+{ "sched_rr_get_interval_time64", 423 },
+{ "sched_setaffinity", 241 },
+{ "sched_setattr", 351 },
+{ "sched_setparam", 154 },
+{ "sched_setscheduler", 156 },
+{ "sched_yield", 158 },
+{ "seccomp", 354 },
+{ "select", 82 },
+{ "semctl", 394 },
+{ "semget", 393 },
+{ "semtimedop_time64", 420 },
+{ "sendfile", 187 },
+{ "sendfile64", 239 },
+{ "sendmmsg", 345 },
+{ "sendmsg", 370 },
+{ "sendto", 369 },
+{ "set_mempolicy", 276 },
+{ "set_robust_list", 311 },
+{ "set_thread_area", 243 },
+{ "set_tid_address", 258 },
+{ "setdomainname", 121 },
+{ "setfsgid", 139 },
+{ "setfsgid32", 216 },
+{ "setfsuid", 138 },
+{ "setfsuid32", 215 },
+{ "setgid", 46 },
+{ "setgid32", 214 },
+{ "setgroups", 81 },
+{ "setgroups32", 206 },
+{ "sethostname", 74 },
+{ "setitimer", 104 },
+{ "setns", 346 },
+{ "setpgid", 57 },
+{ "setpriority", 97 },
+{ "setregid", 71 },
+{ "setregid32", 204 },
+{ "setresgid", 170 },
+{ "setresgid32", 210 },
+{ "setresuid", 164 },
+{ "setresuid32", 208 },
+{ "setreuid", 70 },
+{ "setreuid32", 203 },
+{ "setrlimit", 75 },
+{ "setsid", 66 },
+{ "setsockopt", 366 },
+{ "settimeofday", 79 },
+{ "setuid", 23 },
+{ "setuid32", 213 },
+{ "setxattr", 226 },
+{ "sgetmask", 68 },
+{ "shmat", 397 },
+{ "shmctl", 396 },
+{ "shmdt", 398 },
+{ "shmget", 395 },
+{ "shutdown", 373 },
+{ "sigaction", 67 },
+{ "sigaltstack", 186 },
+{ "signal", 48 },
+{ "signalfd", 321 },
+{ "signalfd4", 327 },
+{ "sigpending", 73 },
+{ "sigprocmask", 126 },
+{ "sigreturn", 119 },
+{ "sigsuspend", 72 },
+{ "socket", 359 },
+{ "socketcall", 102 },
+{ "socketpair", 360 },
+{ "splice", 313 },
+{ "ssetmask", 69 },
+{ "stat", 106 },
+{ "stat64", 195 },
+{ "statfs", 99 },
+{ "statfs64", 268 },
+{ "statx", 383 },
+{ "stime", 25 },
+{ "stty", 31 },
+{ "swapoff", 115 },
+{ "swapon", 87 },
+{ "symlink", 83 },
+{ "symlinkat", 304 },
+{ "sync", 36 },
+{ "sync_file_range", 314 },
+{ "syncfs", 344 },
+{ "sysfs", 135 },
+{ "sysinfo", 116 },
+{ "syslog", 103 },
+{ "tee", 315 },
+{ "tgkill", 270 },
+{ "time", 13 },
+{ "timer_create", 259 },
+{ "timer_delete", 263 },
+{ "timer_getoverrun", 262 },
+{ "timer_gettime", 261 },
+{ "timer_gettime64", 408 },
+{ "timer_settime", 260 },
+{ "timer_settime64", 409 },
+{ "timerfd_create", 322 },
+{ "timerfd_gettime", 326 },
+{ "timerfd_gettime64", 410 },
+{ "timerfd_settime", 325 },
+{ "timerfd_settime64", 411 },
+{ "times", 43 },
+{ "tkill", 238 },
+{ "truncate", 92 },
+{ "truncate64", 193 },
+{ "ugetrlimit", 191 },
+{ "ulimit", 58 },
+{ "umask", 60 },
+{ "umount", 22 },
+{ "umount2", 52 },
+{ "uname", 122 },
+{ "unlink", 10 },
+{ "unlinkat", 301 },
+{ "unshare", 310 },
+{ "uselib", 86 },
+{ "userfaultfd", 374 },
+{ "ustat", 62 },
+{ "utime", 30 },
+{ "utimensat", 320 },
+{ "utimensat_time64", 412 },
+{ "utimes", 271 },
+{ "vfork", 190 },
+{ "vhangup", 111 },
+{ "vm86", 166 },
+{ "vm86old", 113 },
+{ "vmsplice", 316 },
+{ "vserver", 273 },
+{ "wait4", 114 },
+{ "waitid", 284 },
+{ "waitpid", 7 },
+{ "write", 4 },
+{ "writev", 146 },
diff --git a/src/include/syscall_x86_64.h b/src/include/syscall_x86_64.h
new file mode 100644
index 000000000..539e874be
--- /dev/null
+++ b/src/include/syscall_x86_64.h
@@ -0,0 +1,347 @@
+{ "_sysctl", 156 },
+{ "accept", 43 },
+{ "accept4", 288 },
+{ "access", 21 },
+{ "acct", 163 },
+{ "add_key", 248 },
+{ "adjtimex", 159 },
+{ "afs_syscall", 183 },
+{ "alarm", 37 },
+{ "arch_prctl", 158 },
+{ "bind", 49 },
+{ "bpf", 321 },
+{ "brk", 12 },
+{ "capget", 125 },
+{ "capset", 126 },
+{ "chdir", 80 },
+{ "chmod", 90 },
+{ "chown", 92 },
+{ "chroot", 161 },
+{ "clock_adjtime", 305 },
+{ "clock_getres", 229 },
+{ "clock_gettime", 228 },
+{ "clock_nanosleep", 230 },
+{ "clock_settime", 227 },
+{ "clone", 56 },
+{ "clone3", 435 },
+{ "close", 3 },
+{ "connect", 42 },
+{ "copy_file_range", 326 },
+{ "creat", 85 },
+{ "create_module", 174 },
+{ "delete_module", 176 },
+{ "dup", 32 },
+{ "dup2", 33 },
+{ "dup3", 292 },
+{ "epoll_create", 213 },
+{ "epoll_create1", 291 },
+{ "epoll_ctl", 233 },
+{ "epoll_ctl_old", 214 },
+{ "epoll_pwait", 281 },
+{ "epoll_wait", 232 },
+{ "epoll_wait_old", 215 },
+{ "eventfd", 284 },
+{ "eventfd2", 290 },
+{ "execve", 59 },
+{ "execveat", 322 },
+{ "exit", 60 },
+{ "exit_group", 231 },
+{ "faccessat", 269 },
+{ "fadvise64", 221 },
+{ "fallocate", 285 },
+{ "fanotify_init", 300 },
+{ "fanotify_mark", 301 },
+{ "fchdir", 81 },
+{ "fchmod", 91 },
+{ "fchmodat", 268 },
+{ "fchown", 93 },
+{ "fchownat", 260 },
+{ "fcntl", 72 },
+{ "fdatasync", 75 },
+{ "fgetxattr", 193 },
+{ "finit_module", 313 },
+{ "flistxattr", 196 },
+{ "flock", 73 },
+{ "fork", 57 },
+{ "fremovexattr", 199 },
+{ "fsconfig", 431 },
+{ "fsetxattr", 190 },
+{ "fsmount", 432 },
+{ "fsopen", 430 },
+{ "fspick", 433 },
+{ "fstat", 5 },
+{ "fstatfs", 138 },
+{ "fsync", 74 },
+{ "ftruncate", 77 },
+{ "futex", 202 },
+{ "futimesat", 261 },
+{ "get_kernel_syms", 177 },
+{ "get_mempolicy", 239 },
+{ "get_robust_list", 274 },
+{ "get_thread_area", 211 },
+{ "getcpu", 309 },
+{ "getcwd", 79 },
+{ "getdents", 78 },
+{ "getdents64", 217 },
+{ "getegid", 108 },
+{ "geteuid", 107 },
+{ "getgid", 104 },
+{ "getgroups", 115 },
+{ "getitimer", 36 },
+{ "getpeername", 52 },
+{ "getpgid", 121 },
+{ "getpgrp", 111 },
+{ "getpid", 39 },
+{ "getpmsg", 181 },
+{ "getppid", 110 },
+{ "getpriority", 140 },
+{ "getrandom", 318 },
+{ "getresgid", 120 },
+{ "getresuid", 118 },
+{ "getrlimit", 97 },
+{ "getrusage", 98 },
+{ "getsid", 124 },
+{ "getsockname", 51 },
+{ "getsockopt", 55 },
+{ "gettid", 186 },
+{ "gettimeofday", 96 },
+{ "getuid", 102 },
+{ "getxattr", 191 },
+{ "init_module", 175 },
+{ "inotify_add_watch", 254 },
+{ "inotify_init", 253 },
+{ "inotify_init1", 294 },
+{ "inotify_rm_watch", 255 },
+{ "io_cancel", 210 },
+{ "io_destroy", 207 },
+{ "io_getevents", 208 },
+{ "io_pgetevents", 333 },
+{ "io_setup", 206 },
+{ "io_submit", 209 },
+{ "io_uring_enter", 426 },
+{ "io_uring_register", 427 },
+{ "io_uring_setup", 425 },
+{ "ioctl", 16 },
+{ "ioperm", 173 },
+{ "iopl", 172 },
+{ "ioprio_get", 252 },
+{ "ioprio_set", 251 },
+{ "kcmp", 312 },
+{ "kexec_file_load", 320 },
+{ "kexec_load", 246 },
+{ "keyctl", 250 },
+{ "kill", 62 },
+{ "lchown", 94 },
+{ "lgetxattr", 192 },
+{ "link", 86 },
+{ "linkat", 265 },
+{ "listen", 50 },
+{ "listxattr", 194 },
+{ "llistxattr", 195 },
+{ "lookup_dcookie", 212 },
+{ "lremovexattr", 198 },
+{ "lseek", 8 },
+{ "lsetxattr", 189 },
+{ "lstat", 6 },
+{ "madvise", 28 },
+{ "mbind", 237 },
+{ "membarrier", 324 },
+{ "memfd_create", 319 },
+{ "migrate_pages", 256 },
+{ "mincore", 27 },
+{ "mkdir", 83 },
+{ "mkdirat", 258 },
+{ "mknod", 133 },
+{ "mknodat", 259 },
+{ "mlock", 149 },
+{ "mlock2", 325 },
+{ "mlockall", 151 },
+{ "mmap", 9 },
+{ "modify_ldt", 154 },
+{ "mount", 165 },
+{ "move_mount", 429 },
+{ "move_pages", 279 },
+{ "mprotect", 10 },
+{ "mq_getsetattr", 245 },
+{ "mq_notify", 244 },
+{ "mq_open", 240 },
+{ "mq_timedreceive", 243 },
+{ "mq_timedsend", 242 },
+{ "mq_unlink", 241 },
+{ "mremap", 25 },
+{ "msgctl", 71 },
+{ "msgget", 68 },
+{ "msgrcv", 70 },
+{ "msgsnd", 69 },
+{ "msync", 26 },
+{ "munlock", 150 },
+{ "munlockall", 152 },
+{ "munmap", 11 },
+{ "name_to_handle_at", 303 },
+{ "nanosleep", 35 },
+{ "newfstatat", 262 },
+{ "nfsservctl", 180 },
+{ "open", 2 },
+{ "open_by_handle_at", 304 },
+{ "open_tree", 428 },
+{ "openat", 257 },
+{ "pause", 34 },
+{ "perf_event_open", 298 },
+{ "personality", 135 },
+{ "pidfd_open", 434 },
+{ "pidfd_send_signal", 424 },
+{ "pipe", 22 },
+{ "pipe2", 293 },
+{ "pivot_root", 155 },
+{ "pkey_alloc", 330 },
+{ "pkey_free", 331 },
+{ "pkey_mprotect", 329 },
+{ "poll", 7 },
+{ "ppoll", 271 },
+{ "prctl", 157 },
+{ "pread64", 17 },
+{ "preadv", 295 },
+{ "preadv2", 327 },
+{ "prlimit64", 302 },
+{ "process_vm_readv", 310 },
+{ "process_vm_writev", 311 },
+{ "pselect6", 270 },
+{ "ptrace", 101 },
+{ "putpmsg", 182 },
+{ "pwrite64", 18 },
+{ "pwritev", 296 },
+{ "pwritev2", 328 },
+{ "query_module", 178 },
+{ "quotactl", 179 },
+{ "read", 0 },
+{ "readahead", 187 },
+{ "readlink", 89 },
+{ "readlinkat", 267 },
+{ "readv", 19 },
+{ "reboot", 169 },
+{ "recvfrom", 45 },
+{ "recvmmsg", 299 },
+{ "recvmsg", 47 },
+{ "remap_file_pages", 216 },
+{ "removexattr", 197 },
+{ "rename", 82 },
+{ "renameat", 264 },
+{ "renameat2", 316 },
+{ "request_key", 249 },
+{ "restart_syscall", 219 },
+{ "rmdir", 84 },
+{ "rseq", 334 },
+{ "rt_sigaction", 13 },
+{ "rt_sigpending", 127 },
+{ "rt_sigprocmask", 14 },
+{ "rt_sigqueueinfo", 129 },
+{ "rt_sigreturn", 15 },
+{ "rt_sigsuspend", 130 },
+{ "rt_sigtimedwait", 128 },
+{ "rt_tgsigqueueinfo", 297 },
+{ "sched_get_priority_max", 146 },
+{ "sched_get_priority_min", 147 },
+{ "sched_getaffinity", 204 },
+{ "sched_getattr", 315 },
+{ "sched_getparam", 143 },
+{ "sched_getscheduler", 145 },
+{ "sched_rr_get_interval", 148 },
+{ "sched_setaffinity", 203 },
+{ "sched_setattr", 314 },
+{ "sched_setparam", 142 },
+{ "sched_setscheduler", 144 },
+{ "sched_yield", 24 },
+{ "seccomp", 317 },
+{ "security", 185 },
+{ "select", 23 },
+{ "semctl", 66 },
+{ "semget", 64 },
+{ "semop", 65 },
+{ "semtimedop", 220 },
+{ "sendfile", 40 },
+{ "sendmmsg", 307 },
+{ "sendmsg", 46 },
+{ "sendto", 44 },
+{ "set_mempolicy", 238 },
+{ "set_robust_list", 273 },
+{ "set_thread_area", 205 },
+{ "set_tid_address", 218 },
+{ "setdomainname", 171 },
+{ "setfsgid", 123 },
+{ "setfsuid", 122 },
+{ "setgid", 106 },
+{ "setgroups", 116 },
+{ "sethostname", 170 },
+{ "setitimer", 38 },
+{ "setns", 308 },
+{ "setpgid", 109 },
+{ "setpriority", 141 },
+{ "setregid", 114 },
+{ "setresgid", 119 },
+{ "setresuid", 117 },
+{ "setreuid", 113 },
+{ "setrlimit", 160 },
+{ "setsid", 112 },
+{ "setsockopt", 54 },
+{ "settimeofday", 164 },
+{ "setuid", 105 },
+{ "setxattr", 188 },
+{ "shmat", 30 },
+{ "shmctl", 31 },
+{ "shmdt", 67 },
+{ "shmget", 29 },
+{ "shutdown", 48 },
+{ "sigaltstack", 131 },
+{ "signalfd", 282 },
+{ "signalfd4", 289 },
+{ "socket", 41 },
+{ "socketpair", 53 },
+{ "splice", 275 },
+{ "stat", 4 },
+{ "statfs", 137 },
+{ "statx", 332 },
+{ "swapoff", 168 },
+{ "swapon", 167 },
+{ "symlink", 88 },
+{ "symlinkat", 266 },
+{ "sync", 162 },
+{ "sync_file_range", 277 },
+{ "syncfs", 306 },
+{ "sysfs", 139 },
+{ "sysinfo", 99 },
+{ "syslog", 103 },
+{ "tee", 276 },
+{ "tgkill", 234 },
+{ "time", 201 },
+{ "timer_create", 222 },
+{ "timer_delete", 226 },
+{ "timer_getoverrun", 225 },
+{ "timer_gettime", 224 },
+{ "timer_settime", 223 },
+{ "timerfd_create", 283 },
+{ "timerfd_gettime", 287 },
+{ "timerfd_settime", 286 },
+{ "times", 100 },
+{ "tkill", 200 },
+{ "truncate", 76 },
+{ "tuxcall", 184 },
+{ "umask", 95 },
+{ "umount2", 166 },
+{ "uname", 63 },
+{ "unlink", 87 },
+{ "unlinkat", 263 },
+{ "unshare", 272 },
+{ "uselib", 134 },
+{ "userfaultfd", 323 },
+{ "ustat", 136 },
+{ "utime", 132 },
+{ "utimensat", 280 },
+{ "utimes", 235 },
+{ "vfork", 58 },
+{ "vhangup", 153 },
+{ "vmsplice", 278 },
+{ "vserver", 236 },
+{ "wait4", 61 },
+{ "waitid", 247 },
+{ "write", 1 },
+{ "writev", 20 },
diff --git a/src/fseccomp/errno.c b/src/lib/errno.c
index 9c5aa770c..881c3b27e 100644
--- a/src/fseccomp/errno.c
+++ b/src/lib/errno.c
@@ -17,9 +17,11 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "fseccomp.h"
+#include "../include/syscall.h"
 
 #include <errno.h>
+#include <stdio.h>
+#include <string.h>
 //#include <attr/xattr.h>
 
 typedef struct {
@@ -181,7 +183,7 @@ int errno_find_name(const char *name) {
         return -1;
 }
 
-char *errno_find_nr(int nr) {
+const char *errno_find_nr(int nr) {
         int i;
         int elems = sizeof(errnolist) / sizeof(errnolist[0]);
         for (i = 0; i < elems; i++) {
diff --git a/src/fseccomp/syscall.c b/src/lib/syscall.c
index 2b112245c..2f8ccaed7 100644
--- a/src/fseccomp/syscall.c
+++ b/src/lib/syscall.c
@@ -18,9 +18,18 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #define _GNU_SOURCE
-#include "fseccomp.h"
+#include "../include/syscall.h"
+#include <assert.h>
+#include <limits.h>
+#include <stdbool.h>
 #include <stdio.h>
+#include <string.h>
 #include <sys/syscall.h>
+#include "../include/common.h"
+#include "../include/seccomp.h"
+
+#define SYSCALL_ERROR INT_MAX
+#define ERRNO_KILL -2
 
 typedef struct {
         const char * const name;
@@ -39,15 +48,31 @@ typedef struct {
         int syscall;
 } SyscallCheckList;
 
+// Native syscalls (64 bit versions for 64 bit arch etc)
 static const SyscallEntry syslist[] = {
-//
-// code generated using tools/extract-syscall
-//
-#include "../include/syscall.h"
-//
-// end of generated code
-//
-}; // end of syslist
+#if defined(__x86_64__)
+// code generated using
+// awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_64.h
+#include "../include/syscall_x86_64.h"
+#elif defined(__i386__)
+// awk '/__NR_/ { print "{ \"" gensub("__NR_", "", "g", $2) "\", " $3 " },"; }' < /usr/include/x86_64-linux-gnu/asm/unistd_32.h
+#include "../include/syscall_i386.h"
+#elif defined(__arm__)
+#include "../include/syscall_armeabi.h"
+#else
+#warning "Please submit a syscall table for your architecture"
+#endif
+};
+
+// 32 bit syscalls for 64 bit arch
+static const SyscallEntry syslist32[] = {
+#if defined(__x86_64__)
+#include "../include/syscall_i386.h"
+// TODO for other 64 bit archs
+#elif defined(__i386__) || defined(__arm__) || defined(__powerpc__)
+// no secondary arch for 32 bit archs
+#endif
+};
 
 static const SyscallGroupList sysgroups[] = {
         { .name = "@aio", .list =
@@ -1412,7 +1437,7 @@ static const SyscallGroupList sysgroups[] = {
         }
 };
 
-// return -1 if error, or syscall number
+// return SYSCALL_ERROR if error, or syscall number
 static int syscall_find_name(const char *name) {
         int i;
         int elems = sizeof(syslist) / sizeof(syslist[0]);
@@ -1421,7 +1446,18 @@ static int syscall_find_name(const char *name) {
                         return syslist[i].nr;
         }
 
-        return -1;
+        return SYSCALL_ERROR;
+}
+
+static int syscall_find_name_32(const char *name) {
+        int i;
+        int elems = sizeof(syslist32) / sizeof(syslist32[0]);
+        for (i = 0; i < elems; i++) {
+                if (strcmp(name, syslist32[i].name) == 0)
+                        return syslist32[i].nr;
+        }
+
+        return SYSCALL_ERROR;
 }
 
 const char *syscall_find_nr(int nr) {
@@ -1435,6 +1471,17 @@ const char *syscall_find_nr(int nr) {
         return "unknown";
 }
 
+const char *syscall_find_nr_32(int nr) {
+        int i;
+        int elems = sizeof(syslist32) / sizeof(syslist32[0]);
+        for (i = 0; i < elems; i++) {
+                if (nr == syslist32[i].nr)
+                        return syslist32[i].name;
+        }
+
+        return "unknown";
+}
+
 void syscall_print(void) {
         int i;
         int elems = sizeof(syslist) / sizeof(syslist[0]);
@@ -1444,6 +1491,15 @@ void syscall_print(void) {
         printf("\n");
 }
 
+void syscall_print_32(void) {
+        int i;
+        int elems = sizeof(syslist32) / sizeof(syslist32[0]);
+        for (i = 0; i < elems; i++) {
+                printf("%d\t- %s\n", syslist32[i].nr, syslist32[i].name);
+        }
+        printf("\n");
+}
+
 static const char *syscall_find_group(const char *name) {
         int i;
         int elems = sizeof(sysgroups) / sizeof(sysgroups[0]);
@@ -1458,7 +1514,7 @@ static const char *syscall_find_group(const char *name) {
 // allowed input:
 // - syscall
 // - syscall(error)
-static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr) {
+static void syscall_process_name(const char *name, int *syscall_nr, int *error_nr, bool native) {
         assert(name);
         if (strlen(name) == 0)
                 goto error;
@@ -1482,12 +1538,20 @@ static void syscall_process_name(const char *name, int *syscall_nr, int *error_n
 
         if (*syscall_name == '$')
                 *syscall_nr = strtol(syscall_name + 1, NULL, 0);
-        else
-                *syscall_nr = syscall_find_name(syscall_name);
+        else {
+                if (native)
+                        *syscall_nr = syscall_find_name(syscall_name);
+                else
+                        *syscall_nr = syscall_find_name_32(syscall_name);
+        }
         if (error_name) {
-                *error_nr = errno_find_name(error_name);
-                if (*error_nr == -1)
-                        *syscall_nr = -1;
+                if (strcmp(error_name, "kill") == 0)
+                        *error_nr = ERRNO_KILL;
+                else {
+                        *error_nr = errno_find_name(error_name);
+                        if (*error_nr == -1)
+                                *syscall_nr = SYSCALL_ERROR;
+                }
         }
 
         free(str);
@@ -1499,7 +1563,7 @@ error:
 }
 
 // return 1 if error, 0 if OK
-int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, int arg, void *ptrarg), int fd, int arg, void *ptrarg) {
+int syscall_check_list(const char *slist, filter_fn *callback, int fd, int arg, void *ptrarg, bool native) {
         // don't allow empty lists
         if (slist == NULL || *slist == '\0') {
                 fprintf(stderr, "Error fseccomp: empty syscall lists are not allowed\n");
@@ -1527,7 +1591,7 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
                                 fprintf(stderr, "Error fseccomp: unknown syscall group %s\n", ptr);
                                 exit(1);
                         }
-                        syscall_check_list(new_list, callback, fd, arg, ptrarg);
+                        syscall_check_list(new_list, callback, fd, arg, ptrarg, native);
                 }
                 else {
                         bool negate = false;
@@ -1535,20 +1599,20 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
                                 negate = true;
                                 ptr++;
                         }
-                        syscall_process_name(ptr, &syscall_nr, &error_nr);
-                        if (syscall_nr == -1) {;}
-                        else if (callback != NULL) {
+                        syscall_process_name(ptr, &syscall_nr, &error_nr, native);
+                        if (syscall_nr != SYSCALL_ERROR && callback != NULL) {
                                 if (negate) {
                                         syscall_nr = -syscall_nr;
                                 }
-                                if (error_nr != -1 && fd != 0) {
-                                        filter_add_errno(fd, syscall_nr, error_nr, ptrarg);
-                                }
-                                else if (error_nr != -1 && fd == 0) {
-                                        callback(fd, syscall_nr, error_nr, ptrarg);
+                                if (error_nr >= 0 && fd > 0)
+                                        filter_add_errno(fd, syscall_nr, error_nr, ptrarg, native);
+                                else if (error_nr == ERRNO_KILL && fd > 0)
+                                        filter_add_blacklist_override(fd, syscall_nr, 0, ptrarg, native);
+                                else if (error_nr >= 0 && fd == 0) {
+                                        callback(fd, syscall_nr, error_nr, ptrarg, native);
                                 }
                                 else {
-                                        callback(fd, syscall_nr, arg, ptrarg);
+                                        callback(fd, syscall_nr, arg, ptrarg, native);
                                 }
                         }
                 }
@@ -1559,41 +1623,50 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
         return 0;
 }
 
-static void find_syscall(int fd, int syscall, int arg, void *ptrarg) {
+static void find_syscall(int fd, int syscall, int arg, void *ptrarg, bool native) {
         (void)fd;
         (void) arg;
+        (void)native;
         SyscallCheckList *ptr = ptrarg;
         if (abs(syscall) == ptr->syscall)
                 ptr->found = true;
 }
 
 // go through list2 and find matches for problem syscall
-static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) {
+static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg, bool native) {
         (void) fd;
         (void)arg;
         SyscallCheckList *ptr = ptrarg;
         SyscallCheckList sl;
+        const char *name;
+
         sl.found = false;
         sl.syscall = syscall;
-        syscall_check_list(ptr->slist, find_syscall, fd, 0, &sl);
+        syscall_check_list(ptr->slist, find_syscall, fd, 0, &sl, native);
+
+        if (native)
+                name = syscall_find_nr(syscall);
+        else
+                name = syscall_find_nr_32(syscall);
+
         // if found in the problem list, add to post-exec list
         if (sl.found) {
                 if (ptr->postlist) {
-                        if (asprintf(&ptr->postlist, "%s,%s", ptr->postlist, syscall_find_nr(syscall)) == -1)
+                        if (asprintf(&ptr->postlist, "%s,%s", ptr->postlist, name) == -1)
                                 errExit("asprintf");
                 }
                 else
-                        ptr->postlist = strdup(syscall_find_nr(syscall));
+                        ptr->postlist = strdup(name);
         }
         else { // no problem, add to pre-exec list
                 // build syscall:error_no
                 char *newcall = NULL;
                 if (arg != 0) {
-                        if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1)
+                        if (asprintf(&newcall, "%s:%s", name, errno_find_nr(arg)) == -1)
                                 errExit("asprintf");
                 }
                 else {
-                        newcall = strdup(syscall_find_nr(syscall));
+                        newcall = strdup(name);
                         if (!newcall)
                                 errExit("strdup");
                 }
@@ -1609,14 +1682,14 @@ static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) {
 }
 
 // go through list and find matches for syscalls in list @default-keep
-void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist) {
+void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist, bool native) {
         (void) fd;
         SyscallCheckList sl;
         // these syscalls are used by firejail after the seccomp filter is initialized
         sl.slist = slist;
         sl.prelist = NULL;
         sl.postlist = NULL;
-        syscall_check_list(list, syscall_in_list, 0, 0, &sl);
+        syscall_check_list(list, syscall_in_list, 0, 0, &sl, native);
         if (!arg_quiet) {
                 printf("Seccomp list in: %s,", list);
                 if (sl.slist)
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 2887a6c53..e282c8cf0 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -43,6 +43,10 @@ The following actions are implemented by default by running sudo firecfg:
 
 .br
 - fix desktop files in $HOME/.local/share/applications/ (firecfg --fix).
+.br
+
+.br
+- automatically loads and forces the AppArmor profile "firejail-default".
 .RE
 
 .SH OPTIONS
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 84aed41a4..0784e7fd7 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -103,7 +103,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
@@ -165,8 +165,9 @@ host filesystem. Each line describes a file/directory that is inaccessible
 (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
 a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
 or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
-Use \fBprivate\fR to set private mode.
-File globbing is supported, and PATH and HOME directories are searched.
+Use \fBprivate\fR to set private mode.  File globbing is supported, and PATH and
+HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR section
+for more details.
 Examples:
 .TP
 \fBblacklist file_or_directory
@@ -210,7 +211,7 @@ Disable /mnt, /media, /run/mount and /run/media access.
 /var/tmp directory is untouched.
 .TP
 \fBmkdir directory
-Create a directory in user home or under /tmp before the sandbox is started.
+Create a directory in user home, under /tmp, or under /run/user/<UID> before the sandbox is started.
 The directory is created if it doesn't already exist.
 .br
 
@@ -229,10 +230,18 @@ whitelist ~/.mozilla
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
+.br
+
+.br
+For files in /run/user/<PID> use ${RUNUSER} macro:
+.br
+
+.br
+mkdir ${RUNUSER}/firejail-testing
 .TP
 \fBmkfile file
-Similar to mkdir, this command creates a file in user home or under /tmp before the sandbox is started.
-The file is created if it doesn't already exist.
+Similar to mkdir, this command creates an empty file in user home, or /tmp, or under /run/user/<UID>
+before the sandbox is started. The file is created if it doesn't already exist.
 .TP
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.
@@ -259,6 +268,8 @@ Use directory as user home.
 .TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
+The files in the list must be expressed as relative to the /bin,
+/sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
 .TP
 \fBprivate-cache
@@ -280,26 +291,37 @@ Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional res
 \fBprivate-etc file,directory
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /etc directory.
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-home file,directory
 Build a new user home in a temporary
 filesystem, and copy the files and directories in the list in the
-new home. All modifications are discarded when the sandbox is
+new home.
+The files and directories in the list must be expressed as relative to
+the current user's home directory.
+All modifications are discarded when the sandbox is
 closed.
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
+The files and directories in the list must be expressed as relative to
+the /lib directory.
 This feature is still under development, see \fBman 1 firejail\fR for some examples.
 .TP
 \fBprivate-opt file,directory
 Build a new /opt in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /opt directory.
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-srv file,directory
 Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /srv directory.
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
@@ -386,19 +408,36 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
 .TP
+\fBseccomp.32
+Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
+.TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
 .TP
+\fBseccomp.32 syscall,syscall,syscall
+Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
+.TP
 \fBseccomp.block-secondary
 Enable seccomp filter and filter system call architectures
 so that only the native architecture is allowed.
 .TP
 \fBseccomp.drop syscall,syscall,syscall
-Enable seccomp filter and blacklist  the system calls in the list.
+Enable seccomp filter and blacklist the system calls in the list.
+.TP
+\fBseccomp.32.drop syscall,syscall,syscall
+Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBseccomp.32.keep syscall,syscall,syscall
+Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
+.TP
+\fBseccomp-error-action kill | log | ERRNO
+Return a different error instead of EPERM to the process, kill it when
+an attempt is made to call a blocked system call, or allow but log the
+attempt.
+.TP
 \fBx11
 Enable X11 sandboxing.
 .TP
@@ -432,7 +471,100 @@ xephyr-screen 640x480
 .br
 x11 xephyr
 
+.SH DBus filtering
+
+Access to the session and system DBus UNIX sockets can be allowed, filtered or
+disabled. To disable the abstract sockets (and force applications to use the
+filtered UNIX socket) you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from the \-\-protocol set.
+.br
+
+.br
+Filtering requires installing the xdg-dbus-proxy utility. Filter rules can be
+specified for well-known DBus names, but they are also propagated to the owning
+unique name, too. The permissions are "sticky" and are kept even if the
+corresponding well-known name is released (however, applications rarely release
+well-known names in practice). Names may have a .* suffix to match all names
+underneath them, including themselves (e.g. "foo.bar.*" matches "foo.bar",
+"foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more information,
+see xdg-dbus-proxy(1).
+.br
 
+.br
+Examples:
+
+.TP
+\fBdbus-system filter
+Enable filtered access to the system DBus. Filters can be specified with the dbus-system.talk and dbus-system.own commands.
+.TP
+\fBdbus-system none
+Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.
+.TP
+\fBdbus-system.own org.gnome.ghex.*
+Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
+.TP
+\fBdbus-system.talk org.freedesktop.Notifications
+Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-system.see org.freedesktop.Notifications
+Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-user filter
+Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
+.TP
+\fBdbus-user none
+Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.
+.TP
+\fBdbus-user.own org.gnome.ghex.*
+Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
+.TP
+\fBdbus-user.talk org.freedesktop.Notifications
+Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBdbus-user.see org.freedesktop.Notifications
+Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBnodbus \fR(deprecated)
+Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
+.TP
+.br
+
+.br
+Individual filters can be overridden via the \-\-ignore command. Supposing a profile has
+.br
+[...]
+.br
+dbus-user filter
+.br
+dbus-user.own org.mozilla.firefox.*
+.br
+dbus-user.talk org.freedesktop.Notifications
+.br
+dbus-system none
+.br
+[...]
+.br
+
+.br
+and the user wants to disable notifications, this can be achieved by putting the below in a local override file:
+.br
+[...]
+.br
+ignore dbus-user.talk org.freedesktop.Notifications
+.br
+[...]
 
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
@@ -507,12 +639,6 @@ Disable 3D hardware acceleration.
 Disable automatic ~/.config/pulse init, for complex setups such as remote
 pulse servers or non-standard socket paths.
 .TP
-\fBnodbus
-Disable D-Bus access. Only the regular UNIX socket is handled by
-this command. To disable the abstract socket, you would need to
-request a new network namespace using the net command. Another
-option is to remove unix from protocol set.
-.TP
 \fBnodvd
 Disable DVD and audio CD devices.
 .TP
@@ -749,5 +875,7 @@ Homepage: https://firejail.wordpress.com
 \&\flfirejail\fR\|(1),
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+\&\flfirejail-login\fR\|(5),
+\&\flfirejail-users\fR\|(5),
+.UR https://github.com/netblue30/firejail/wiki/Creating-Profiles 
+.UE 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 926e9b2cc..e216531ae 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -35,7 +35,7 @@ firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree}
 Miscellaneous:
 .PP
 .RS
-firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version}
+firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-syscalls32 | \-\-debug-protocols | \-\-help | \-\-version}
 .RE
 .SH DESCRIPTION
 Firejail is a SUID sandbox program that reduces the risk of security breaches by
@@ -66,7 +66,8 @@ command line options. The default Firejail filesystem is based on the host files
 system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32,
 /libx32 and /lib64. Only /home and /tmp are writable.
 .PP
-As it starts up, Firejail tries to find a security profile based on the name of the application.
+Upon execution Firejail first looks in ~/.config/firejail/ for a profile and if it doesn't find one, it looks in /etc/firejail/.
+For profile resolution detail see https://github.com/netblue30/firejail/wiki/Creating-Profiles#locations-and-types.
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
 to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
@@ -326,6 +327,248 @@ $ firejail \-\-list
 $ firejail \-\-cpu.print=3272
 
 .TP
+\fB\-\-dbus-log=file
+Specify the location for the DBus log file.
+.br
+
+.br
+The log file contains events for both the system and session buses if both of
+the --dbus-sysem.log and --dbus-user.log options are specified. If no log file
+path is given, logs are written to the standard output instead.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.log --dbus-log=dbus.txt
+
+.TP
+\fB\-\-dbus-system=filter|none
+Set system DBus sandboxing policy. 
+.br
+
+.br
+The \fBfilter\fR policy enables the system DBus filter. This option requires
+installing the xdg-dbus-proxy utility. Permissions for well-known can be
+specified with the --dbus-system.talk and --dbus-system.own options.
+.br
+
+.br
+The \fBnone\fR policy disables access to the system DBus.
+.br
+
+.br
+Only the regular system DBus UNIX socket is handled by this option. To disable
+the abstract sockets (and force applications to use the filtered UNIX socket)
+you would need to request a new network namespace using \-\-net command. Another
+option is to remove unix from the \-\-protocol set.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-dbus-system=none
+
+.TP
+\fB\-\-dbus-system.broadcast=name=[member][@path]
+Allows the application to receive broadcast signals from theindicated interface
+member at the indicated object path exposed by the indicated bus name on the
+system DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.broadcast=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-system.call=name=[member][@path]
+Allows the application to call the indicated interface member at the indicated
+object path exposed by the indicated bus name on the system DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.call=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-system.log
+Turn on DBus logging for the system DBus. This option requires --dbus-system=log.
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.log
+
+.TP
+\fB\-\-dbus-system.own=name
+Allows the application to own the specified well-known name on the system DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.*
+
+.TP
+\fB\-\-dbus-system.see=name
+Allows the application to see, but not talk to the specified well-known name on
+the system DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.see=org.freedesktop.Notifications
+
+.TP
+\fB\-\-dbus-system.talk=name
+Allows the application to talk to the specified well-known name on the system DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.talk=org.freedesktop.Notifications
+
+.TP
+\fB\-\-dbus-user=filter|none
+Set session DBus sandboxing policy.
+.br
+
+.br
+The \fBfilter\fR policy enables the session DBus filter. This option requires
+installing the xdg-dbus-proxy utility. Permissions for well-known names can be
+added with the --dbus-user.talk and --dbus-user.own options.
+.br
+
+.br
+The \fBnone\fR policy disables access to the session DBus.
+.br
+
+.br
+Only the regular session DBus UNIX socket is handled by this option. To disable
+the abstract sockets (and force applications to use the filtered UNIX socket)
+you would need to request a new network namespace using \-\-net command. Another
+option is to remove unix from the \-\-protocol set.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-dbus-user=none
+
+.TP
+\fB\-\-dbus-user.broadcast=name=[member][@path]
+Allows the application to receive broadcast signals from theindicated interface
+member at the indicated object path exposed by the indicated bus name on the
+session DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.broadcast=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-user.call=name=[member][@path]
+Allows the application to call the indicated interface member at the indicated
+object path exposed by the indicated bus name on the session DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.call=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-user.log
+Turn on DBus logging for the session DBus. This option requires --dbus-user=log.
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.log
+
+.TP
+\fB\-\-dbus-user.own=name
+Allows the application to own the specified well-known name on the session DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
+
+.TP
+\fB\-\-dbus-user.talk=name
+Allows the application to talk to the specified well-known name on the session DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications
+
+.TP
+\fB\-\-dbus-user.see=name
+Allows the application to see, but not talk to the specified well-known name on
+the session DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.see=org.freedesktop.Notifications
+
+.TP
 \fB\-\-debug\fR
 Print debug messages.
 .br
@@ -386,6 +629,10 @@ Example:
 .br
 $ firejail \-\-debug-syscalls
 .TP
+\fB\-\-debug-syscalls32
+Print all recognized 32 bit system calls in the current Firejail software build and exit.
+.br
+.TP
 \fB\-\-debug-whitelists\fR
 Debug whitelisting.
 .br
@@ -810,8 +1057,9 @@ $ firejail \-\-machine-id
 Install a seccomp filter to block attempts to create memory mappings
 that are both writable and executable, to change mappings to be
 executable, or to create executable shared memory. The filter examines
-the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create and
-shmat system calls and kills the process if necessary.
+the arguments of mmap, mmap2, mprotect, pkey_mprotect, memfd_create
+and shmat system calls and returns error EPERM to the process (or
+kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
 .br
 
 .br
@@ -1165,12 +1413,8 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
-\fB\-\-nodbus
-Disable D-Bus access (both system and session buses). Only the regular
-UNIX sockets are handled by this command. To disable the abstract
-sockets you would need to request a new network namespace using
-\-\-net command. Another option is to remove unix from \-\-protocol
-set.
+\fB\-\-nodbus \fR(deprecated)
+Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none.
 .br
 
 .br
@@ -1453,7 +1697,9 @@ $ firejail \-\-private=/home/netblue/firefox-home firefox
 .TP
 \fB\-\-private-bin=file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
-If no listed file is found, /bin directory will be empty.
+The files in the list must be expressed as relative to the /bin,
+/sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
+If no listed files are found, /bin directory will be empty.
 The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
 All modifications are discarded when the sandbox is closed. File globbing is supported,
 see \fBFILE GLOBBING\fR section for more details.
@@ -1549,6 +1795,8 @@ $
 \fB\-\-private-etc=file,directory
 Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /etc directory.
 If no listed file is found, /etc directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1558,13 +1806,16 @@ Example:
 .br
 $ firejail --private-etc=group,hostname,localtime, \\
 .br
-nsswitch.conf,passwd,resolv.conf
+nsswitch.conf,passwd,resolv.conf,default/motd-news
 
 .TP
 \fB\-\-private-home=file,directory
 Build a new user home in a temporary
 filesystem, and copy the files and directories in the list in the
-new home. All modifications are discarded when the sandbox is
+new home.
+The files and directories in the list must be expressed as relative to
+the current user's home directory.
+All modifications are discarded when the sandbox is
 closed.
 .br
 
@@ -1576,6 +1827,8 @@ $ firejail \-\-private-home=.mozilla firefox
 .TP
 \fB\-\-private-lib=file,directory
 This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
+The files and directories in the list must be expressed as relative to
+the /lib directory.
 The idea is to build a new /lib in a temporary filesystem,
 with only the library files necessary to run the application.
 It could be as simple as:
@@ -1627,6 +1880,8 @@ $
 \fB\-\-private-opt=file,directory
 Build a new /opt in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /opt directory.
 If no listed file is found, /opt directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1640,6 +1895,8 @@ $ firejail --private-opt=firefox /opt/firefox/firefox
 \fB\-\-private-srv=file,directory
 Build a new /srv in a temporary
 filesystem, and copy the files and directories in the list.
+The files and directories in the list must be expressed as relative to
+the /srv directory.
 If no listed file is found, /srv directory will be empty.
 All modifications are discarded when the sandbox is closed.
 .br
@@ -1832,7 +2089,9 @@ Exceptions can be allowed with prefix !.
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed.
+and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 
 .br
@@ -1859,8 +2118,12 @@ $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
 
 .br
-Instead of dropping the syscall, a specific error number can be returned
-using \fBsyscall:errorno\fR syntax.
+Instead of dropping the syscall by returning EPERM, another error
+number can be returned using \fBsyscall:errno\fR syntax. This can be
+also changed globally with \-\-seccomp-error-action or
+in /etc/firejail/firejail.config file.  The process can also be killed
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 
 .br
@@ -1881,7 +2144,8 @@ rm: cannot remove `testfile': Operation not permitted
 .br
 If the blocked system calls would also block Firejail from operating,
 they are handled by adding a preloaded library which performs seccomp
-system calls later.
+system calls later. However, this is incompatible with 32 bit seccomp
+filters.
 .br
 
 .br
@@ -1912,7 +2176,10 @@ domain with personality(2) system call.
 
 .TP
 \fB\-\-seccomp.drop=syscall,@group
-Enable seccomp filter, and blacklist the syscalls or the syscall groups specified by the command.
+Enable seccomp filter, and blacklist the syscalls or the syscall
+groups specified by the command. On a 64 bit architecture, an
+additional filter for 32 bit system calls can be installed with
+\-\-seccomp.32.drop.
 .br
 
 .br
@@ -1922,8 +2189,12 @@ $ firejail \-\-seccomp.drop=utime,utimensat,utimes,@clock
 .br
 
 .br
-Instead of dropping the syscall, a specific error number can be returned
-using \fBsyscall:errorno\fR syntax.
+Instead of dropping the syscall by returning EPERM, another error
+number can be returned using \fBsyscall:errno\fR syntax. This can be
+also changed globally with \-\-seccomp-error-action or
+in /etc/firejail/firejail.config file.  The process can also be killed
+by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
+\fBsyscall:log\fR.
 .br
 
 .br
@@ -1950,7 +2221,9 @@ rm: cannot remove `testfile': Operation not permitted
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
 The system calls needed by Firejail (group @default-keep: prctl, execve)
-are handled with the preload library.
+are handled with the preload library. On a 64 bit architecture, an
+additional filter for 32 bit system calls can be installed with
+\-\-seccomp.32.keep.
 .br
 
 .br
@@ -2123,6 +2396,20 @@ $ firejail --seccomp.print=browser
  0049: 06 00 01 00000000   ret KILL
 .br
 $
+
+.TP
+\fB\-\-seccomp-error-action= kill | ERRNO
+By default, if a seccomp filter blocks a system call, the process gets
+EPERM as the error. With \-\-seccomp-error-action=error, another error
+number can be returned, for example ENOSYS or EACCES. The process can
+also be killed (like in versions <0.9.63 of Firejail) by using
+\-\-seccomp-error-action=kill syntax, or the attempt may be logged
+with \-\-seccomp-error-action=log. Not killing the process weakens
+Firejail slightly when trying to contain intrusion, but it may also
+allow tighter filters if the only alternative is to allow a system
+call.
+.br
+
 .TP
 \fB\-\-shell=none
 Run the program directly, without a user shell.
@@ -2334,6 +2621,10 @@ the same top directory. For user home, both the link and the real file should be
 .br
 
 .br
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
 Example:
 .br
 $ firejail \-\-noprofile \-\-whitelist=~/.mozilla
@@ -2341,6 +2632,8 @@ $ firejail \-\-noprofile \-\-whitelist=~/.mozilla
 $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
 .br
 $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 
 .TP
 \fB\-\-writable-etc
@@ -2694,7 +2987,11 @@ List all sandboxed processes.
 
 .SH FILE GLOBBING
 .TP
-Globbing is the operation that expands a wildcard pattern into the list of pathnames matching the pattern. Matching is defined by:
+Globbing is the operation that expands a wildcard pattern into the
+list of pathnames matching the pattern.  This pattern is matched at
+firejail \fBstart\fR, and is NOT UPDATED at runtime.  \fBFiles matching
+a blacklist, but created after firejail start will be accessible within
+the jail.\fR Matching is defined by:
 .br
 
 .br
@@ -2705,12 +3002,15 @@ Globbing is the operation that expands a wildcard pattern into the list of pathn
 - '[' denotes a range of characters
 .br
 .TP
-The globbing feature is implemented using glibc glob command. For more information on the wildcard syntax see man 7 glob.
+The globbing feature is implemented using glibc glob command. For
+more information on the wildcard syntax see man 7 glob.
 .br
 
 .br
 .TP
-The following command line options are supported: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, and \-\-tmpfs.
+The following command line options are supported: \-\-blacklist,
+\-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write,
+\-\-tmpfs, and \-\-whitelist.
 .br
 
 .br
@@ -2959,5 +3259,9 @@ Homepage: https://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-profile\fR\|(5),
-\&\flfirejail-login\fR\|(5)
-\&\flfirejail-users\fR\|(5)
+\&\flfirejail-login\fR\|(5),
+\&\flfirejail-users\fR\|(5),
+.UR https://github.com/netblue30/firejail/wiki 
+.UE ,
+.UR https://github.com/netblue30/firejail 
+.UE
diff --git a/src/profstats/Makefile.in b/src/profstats/Makefile.in
new file mode 100644
index 000000000..2beaa3ed6
--- /dev/null
+++ b/src/profstats/Makefile.in
@@ -0,0 +1,14 @@
+all: profstats
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+profstats: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -fr *.o profstats *.gcov *.gcda *.gcno *.plist
+
+distclean: clean
+        rm -fr Makefile
diff --git a/src/profstats/main.c b/src/profstats/main.c
new file mode 100644
index 000000000..a75ad8e29
--- /dev/null
+++ b/src/profstats/main.c
@@ -0,0 +1,304 @@
+ /*
+ * Copyright (C) 2014-2020 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#define MAXBUF 2048
+// stats
+static int cnt_profiles = 0;
+static int cnt_apparmor = 0;
+static int cnt_seccomp = 0;
+static int cnt_caps = 0;
+static int cnt_dotlocal = 0;
+static int cnt_globalsdotlocal = 0;
+static int cnt_netnone = 0;
+static int cnt_noexec = 0;      // include disable-exec.inc
+static int cnt_privatebin = 0;
+static int cnt_privatedev = 0;
+static int cnt_privatetmp = 0;
+static int cnt_privateetc = 0;
+static int cnt_whitelistvar = 0;        // include whitelist-var-common.inc
+static int cnt_whitelistrunuser = 0;    // include whitelist-runuser-common.inc
+static int cnt_whitelistusrshare = 0;   // include whitelist-usr-share-common.inc
+static int cnt_ssh = 0;
+static int cnt_mdwx = 0;
+
+static int level = 0;
+static int arg_debug = 0;
+static int arg_apparmor = 0;
+static int arg_caps = 0;
+static int arg_seccomp = 0;
+static int arg_noexec = 0;
+static int arg_privatebin = 0;
+static int arg_privatedev = 0;
+static int arg_privatetmp = 0;
+static int arg_privateetc = 0;
+static int arg_whitelistvar = 0;
+static int arg_whitelistrunuser = 0;
+static int arg_whitelistusrshare = 0;
+static int arg_ssh = 0;
+static int arg_mdwx = 0;
+
+static char *profile = NULL;
+
+
+static void usage(void) {
+        printf("proftool - print profile statistics\n");
+        printf("Usage: proftool [options] file[s]\n");
+        printf("Options:\n");
+        printf("   --apparmor - print profiles without apparmor\n");
+        printf("   --caps - print profiles without caps\n");
+        printf("   --ssh - print profiles without \"include disable-common.inc\"\n");
+        printf("   --noexec - print profiles without \"include disable-exec.inc\"\n");
+        printf("   --private-bin - print profiles without private-bin\n");
+        printf("   --private-dev - print profiles without private-dev\n");
+        printf("   --private-etc - print profiles without private-etc\n");
+        printf("   --private-tmp - print profiles without private-tmp\n");
+        printf("   --seccomp - print profiles without seccomp\n");
+        printf("   --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n");
+        printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
+        printf("   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
+        printf("   --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
+        printf("   --debug\n");
+        printf("\n");
+}
+
+void process_file(const char *fname) {
+        assert(fname);
+
+        if (arg_debug)
+                printf("processing #%s#\n", fname);
+        level++;
+        assert(level < 32); // to do - check in firejail code
+
+        FILE *fp = fopen(fname, "r");
+        if (!fp) {
+                fprintf(stderr, "Warning: cannot open %s, while processing %s\n", fname, profile);
+                level--;
+                return;
+        }
+
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                ptr = buf;
+
+                while (*ptr == ' ' || *ptr == '\t')
+                        ptr++;
+                if (*ptr == '\n' || *ptr == '#')
+                        continue;
+
+                if (strncmp(ptr, "seccomp", 7) == 0)
+                        cnt_seccomp++;
+                else if (strncmp(ptr, "caps", 4) == 0)
+                        cnt_caps++;
+                else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
+                        cnt_noexec++;
+                else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
+                        cnt_whitelistvar++;
+                else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 ||
+                        strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0)
+                        cnt_whitelistrunuser++;
+                else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0)
+                        cnt_whitelistusrshare++;
+                else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
+                        cnt_ssh++;
+                else if (strncmp(ptr, "memory-deny-write-execute", 25) == 0)
+                        cnt_mdwx++;
+                else if (strncmp(ptr, "net none", 8) == 0)
+                        cnt_netnone++;
+                else if (strncmp(ptr, "apparmor", 8) == 0)
+                        cnt_apparmor++;
+                else if (strncmp(ptr, "private-bin", 11) == 0)
+                        cnt_privatebin++;
+                else if (strncmp(ptr, "private-dev", 11) == 0)
+                        cnt_privatedev++;
+                else if (strncmp(ptr, "private-tmp", 11) == 0)
+                        cnt_privatetmp++;
+                else if (strncmp(ptr, "private-etc", 11) == 0)
+                        cnt_privateetc++;
+                else if (strncmp(ptr, "include ", 8) == 0) {
+                        // not processing .local files
+                        if (strstr(ptr, ".local")) {
+//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
+                                if (strstr(ptr, "globals.local"))
+                                        cnt_globalsdotlocal++;
+                                else
+                                        cnt_dotlocal++;
+                                continue;
+                        }
+                        process_file(buf + 8);
+                }
+        }
+
+        fclose(fp);
+        level--;
+}
+
+int main(int argc, char **argv) {
+        if (argc <= 1) {
+                usage();
+                return 1;
+        }
+
+        int start = 1;
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strcmp(argv[i], "--apparmor") == 0)
+                        arg_apparmor = 1;
+                else if (strcmp(argv[i], "--caps") == 0)
+                        arg_caps = 1;
+                else if (strcmp(argv[i], "--seccomp") == 0)
+                        arg_seccomp = 1;
+                else if (strcmp(argv[i], "--memory-deny-write-execute") == 0)
+                        arg_mdwx = 1;
+                else if (strcmp(argv[i], "--noexec") == 0)
+                        arg_noexec = 1;
+                else if (strcmp(argv[i], "--private-bin") == 0)
+                        arg_privatebin = 1;
+                else if (strcmp(argv[i], "--private-dev") == 0)
+                        arg_privatedev = 1;
+                else if (strcmp(argv[i], "--private-tmp") == 0)
+                        arg_privatetmp = 1;
+                else if (strcmp(argv[i], "--private-etc") == 0)
+                        arg_privateetc = 1;
+                else if (strcmp(argv[i], "--whitelist-var") == 0)
+                        arg_whitelistvar = 1;
+                else if (strcmp(argv[i], "--whitelist-runuser") == 0)
+                        arg_whitelistrunuser = 1;
+                else if (strcmp(argv[i], "--whitelist-usrshare") == 0)
+                        arg_whitelistusrshare = 1;
+                else if (strcmp(argv[i], "--ssh") == 0)
+                        arg_ssh = 1;
+                else if (*argv[i] == '-') {
+                        fprintf(stderr, "Error: invalid option %s\n", argv[i]);
+                        return 1;
+                 }
+                 else
+                        break;
+        }
+
+        start = i;
+        if (i == argc) {
+                fprintf(stderr, "Error: no profile file specified\n");
+                return 1;
+        }
+
+        for (i = start; i < argc; i++) {
+                cnt_profiles++;
+
+                // watch seccomp
+                int seccomp = cnt_seccomp;
+                int caps = cnt_caps;
+                int apparmor = cnt_apparmor;
+                int noexec = cnt_noexec;
+                int privatebin = cnt_privatebin;
+                int privatetmp = cnt_privatetmp;
+                int privatedev = cnt_privatedev;
+                int privateetc = cnt_privateetc;
+                int dotlocal = cnt_dotlocal;
+                int globalsdotlocal = cnt_globalsdotlocal;
+                int whitelistvar = cnt_whitelistvar;
+                int whitelistrunuser = cnt_whitelistrunuser;
+                int whitelistusrshare = cnt_whitelistusrshare;
+                int ssh = cnt_ssh;
+                int mdwx = cnt_mdwx;
+
+                // process file
+                profile = argv[i];
+                process_file(argv[i]);
+
+                // warnings
+                if ((caps + 2) <= cnt_caps) {
+                        printf("Warning: multiple caps in %s\n", argv[i]);
+                        cnt_caps = caps + 1;
+                }
+
+                // fix redirections
+                if (cnt_dotlocal > (dotlocal + 1))
+                        cnt_dotlocal = dotlocal + 1;
+                if (cnt_globalsdotlocal > (globalsdotlocal + 1))
+                        cnt_globalsdotlocal = globalsdotlocal + 1;
+                if (cnt_whitelistrunuser > (whitelistrunuser + 1))
+                        cnt_whitelistrunuser = whitelistrunuser + 1;
+
+                if (arg_apparmor && apparmor == cnt_apparmor)
+                        printf("No apparmor found in %s\n", argv[i]);
+                if (arg_caps && caps == cnt_caps)
+                        printf("No caps found in %s\n", argv[i]);
+                if (arg_seccomp && seccomp == cnt_seccomp)
+                        printf("No seccomp found in %s\n", argv[i]);
+                if (arg_noexec && noexec == cnt_noexec)
+                        printf("No include disable-exec.inc found in %s\n", argv[i]);
+                if (arg_privatedev && privatedev == cnt_privatedev)
+                        printf("No private-dev found in %s\n", argv[i]);
+                if (arg_privatebin && privatebin == cnt_privatebin)
+                        printf("No private-bin found in %s\n", argv[i]);
+                if (arg_privatetmp && privatetmp == cnt_privatetmp)
+                        printf("No private-tmp found in %s\n", argv[i]);
+                if (arg_privateetc && privateetc == cnt_privateetc)
+                        printf("No private-etc found in %s\n", argv[i]);
+                if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
+                        printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
+                if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser)
+                        printf("No include whitelist-runuser-common.inc found in %s\n", argv[i]);
+                if (arg_whitelistusrshare && whitelistusrshare == cnt_whitelistusrshare)
+                        printf("No include whitelist-usr-share-common.inc found in %s\n", argv[i]);
+                if (arg_ssh && ssh == cnt_ssh)
+                        printf("No include disable-common.inc found in %s\n", argv[i]);
+                if (arg_mdwx && mdwx == cnt_mdwx)
+                        printf("No memory-deny-write-execute found in %s\n", argv[i]);
+
+                assert(level == 0);
+        }
+
+        printf("\n");
+        printf("Stats:\n");
+        printf("    profiles\t\t\t%d\n", cnt_profiles);
+        printf("    include local profile\t%d   (include profile-name.local)\n", cnt_dotlocal);
+        printf("    include globals\t\t%d   (include globals.local)\n", cnt_dotlocal);
+        printf("    blacklist ~/.ssh\t\t%d   (include disable-common.inc)\n", cnt_ssh);
+        printf("    seccomp\t\t\t%d\n", cnt_seccomp);
+        printf("    capabilities\t\t%d\n", cnt_caps);
+        printf("    noexec\t\t\t%d   (include disable-exec.inc)\n", cnt_noexec);
+        printf("    memory-deny-write-execute\t%d\n", cnt_mdwx);
+        printf("    apparmor\t\t\t%d\n", cnt_apparmor);
+        printf("    private-bin\t\t\t%d\n", cnt_privatebin);
+        printf("    private-dev\t\t\t%d\n", cnt_privatedev);
+        printf("    private-etc\t\t\t%d\n", cnt_privateetc);
+        printf("    private-tmp\t\t\t%d\n", cnt_privatetmp);
+        printf("    whitelist var\t\t%d   (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+        printf("    whitelist run/user\t\t%d   (include whitelist-runuser-common.inc\n", cnt_whitelistrunuser);
+        printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");
+        printf("    whitelist usr/share\t\t%d   (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
+        printf("    net none\t\t\t%d\n", cnt_netnone);
+        printf("\n");
+        return 0;
+}
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index ccf37dc40..2f9e0ece6 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -10,7 +10,7 @@ arr[4]="TEST 4: compile firetunnel disabled"
 arr[5]="TEST 5: compile user namespace disabled"
 arr[6]="TEST 6: compile network disabled"
 arr[7]="TEST 7: compile X11 disabled"
-arr[8]="deprecated: TEST 8: compile network restricted"
+arr[8]="TEST 8: compile selinux"
 arr[9]="TEST 9: compile file transfer disabled"
 arr[10]="TEST 10: compile disable whitelist"
 arr[11]="TEST 11: compile disable global config"
@@ -183,6 +183,23 @@ cp output-configure oc7
 cp output-make om7
 rm output-configure output-make
 
+#*****************************************************************
+# TEST 8
+#*****************************************************************
+# - enable selinux
+#*****************************************************************
+print_title "${arr[8]}"
+# seccomp
+cd firejail
+make distclean
+./configure --prefix=/usr --enable-selinux --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test8
+grep Error output-configure output-make >> ./report-test8
+cp output-configure oc8
+cp output-make om8
+rm output-configure output-make
 
 #*****************************************************************
 # TEST 9
diff --git a/test/environment/rlimit-profile.exp b/test/environment/rlimit-profile.exp
index 721e2196e..6dd7cb3b5 100755
--- a/test/environment/rlimit-profile.exp
+++ b/test/environment/rlimit-profile.exp
@@ -30,7 +30,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Max address space         123456789012         123456789012"
+        "Max address space         1234567890         1234567890"
 }
 expect {
         timeout {puts "TESTING ERROR 1.5\n";exit}
diff --git a/test/environment/rlimit.exp b/test/environment/rlimit.exp
index 757faf1f9..ed3f08e20 100755
--- a/test/environment/rlimit.exp
+++ b/test/environment/rlimit.exp
@@ -8,7 +8,7 @@ cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=123456789012\r"
+send -- "firejail --rlimit-fsize=1024 --rlimit-nproc=1000 --rlimit-nofile=500 --rlimit-sigpending=200 --rlimit-as=1234567890\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
         "Child process initialized"
@@ -30,7 +30,7 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 1.4\n";exit}
-        "Max address space         123456789012         123456789012"
+        "Max address space         1234567890         1234567890"
 }
 expect {
         timeout {puts "TESTING ERROR 1.5\n";exit}
diff --git a/test/environment/rlimit.profile b/test/environment/rlimit.profile
index a569edc6d..2f1134e6c 100644
--- a/test/environment/rlimit.profile
+++ b/test/environment/rlimit.profile
@@ -2,4 +2,4 @@ rlimit-fsize 1024
 rlimit-nproc 1000
 rlimit-nofile 500
 rlimit-sigpending 200
-rlimit-as 123456789012
+rlimit-as 1234567890
diff --git a/test/filters/memwrexe.c b/test/filters/memwrexe.c
index 797e7881d..e68176b42 100644
--- a/test/filters/memwrexe.c
+++ b/test/filters/memwrexe.c
@@ -65,7 +65,7 @@ int main(int argc, char **argv) {
                 }
 
                 void *p = mmap (0, size, PROT_READ, MAP_SHARED, fd, 0);
-                if (!p) {
+                if (p == MAP_FAILED) {
                         fprintf(stderr, "TESTING ERROR: cannot map file for mprotect test\n");
                         return 1;
                 }
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp
index 8a7ac9d97..59005e1a2 100755
--- a/test/fs/mkdir.exp
+++ b/test/fs/mkdir.exp
@@ -17,10 +17,32 @@ expect {
 send -- "rm -rf ~/.firejail_test\r"
 after 100
 
+send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r"
+expect {
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "Warning: cannot create" { puts "TESTING ERROR 2.2\n";exit}
+        "No such file or directory" { puts "TESTING ERROR 2.3\n";exit}
+        "/tmp/.firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf /tmp/.firejail_test\r"
+after 100
+
+set UID [exec id -u]
+send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r"
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "Warning: cannot create" { puts "TESTING ERROR 3.2\n";exit}
+        "No such file or directory" { puts "TESTING ERROR 3.3\n";exit}
+        "/run/user/$UID/.firejail_test/a/b/c/d.txt"
+}
+send -- "rm -rf /run/user/$UID/.firejail_test\r"
+after 100
+
+
 send -- "firejail --profile=mkdir2.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
-        "only directories in user home or /tmp"
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "only files or directories in user home, /tmp, or /run/user/<UID>"
 }
 after 100
 
diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile
index 61b44c9ac..35c27c872 100644
--- a/test/fs/mkdir.profile
+++ b/test/fs/mkdir.profile
@@ -1,2 +1,6 @@
 mkdir ~/.firejail_test/a/b/c
 mkfile ~/.firejail_test/a/b/c/d.txt
+mkdir /tmp/.firejail_test/a/b/c
+mkfile /tmp/.firejail_test/a/b/c/d.txt
+mkdir ${RUNUSER}/.firejail_test/a/b/c
+mkfile ${RUNUSER}/.firejail_test/a/b/c/d.txt
diff --git a/test/fs/mkdir_mkfile.exp b/test/fs/mkdir_mkfile.exp
index 109984035..82dab1ddf 100755
--- a/test/fs/mkdir_mkfile.exp
+++ b/test/fs/mkdir_mkfile.exp
@@ -22,23 +22,23 @@ expect {
         "_firejail_test_dir"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
         "_firejail_test_dir/dir1"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
         "_firejail_test_dir/dir1/dir2"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
         "_firejail_test_dir/dir1/dir2/dir3"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "_firejail_test_dir/dir1/dir2/dir3/file1"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 6\n";exit}
         "_firejail_test_file"
 }
 after 100
@@ -47,8 +47,8 @@ after 100
 
 send -- "firejail --profile=mkfile.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "only files in user home or /tmp"
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "only files or directories in user home, /tmp"
 }
 after 100
 
diff --git a/test/fs/private-lib.exp b/test/fs/private-lib.exp
index ed04de1f9..574ca7ab4 100755
--- a/test/fs/private-lib.exp
+++ b/test/fs/private-lib.exp
@@ -30,8 +30,8 @@ after 100
 send -- "cd /lib; find .\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "modules" {puts "TESTING ERROR 6\n";exit}
-        "firmware" {puts "TESTING ERROR 7\n";exit}
+        "./modules" {puts "TESTING ERROR 6\n";exit}
+        "./firmware" {puts "TESTING ERROR 7\n";exit}
         "libc.so"
 }
 after 100
diff --git a/test/utils/build.exp b/test/utils/build.exp
index ae46ffa6e..ac4f30326 100755
--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -7,22 +7,21 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
+send -- "echo testing > ~/firejail-test-file-7699\r"
+after 100
+
 send -- "firejail --build cat ~/firejail-test-file-7699\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "whitelist ~/firejail-test-file-7699"
-}
-expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
-        "include /etc/firejail/whitelist-common.inc"
+        "whitelist $\{HOME\}/firejail-test-file-7699"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "private-tmp"
+        "include whitelist-common.inc"
 }
 expect {
         timeout {puts "TESTING ERROR 2\n";exit}
-        "private-dev"
+        "blacklist /usr/share"
 }
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
@@ -34,26 +33,40 @@ expect {
 }
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "caps.drop all"
+        "private-dev"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "nonewprivs"
+        "private-etc"
 }
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "seccomp"
+        "private-tmp"
 }
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
-        "net none"
+        "caps.drop all"
 }
 expect {
         timeout {puts "TESTING ERROR 9\n";exit}
+        "nonewprivs"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "seccomp"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "net none"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
         "shell none"
 }
 after 100
 
+
+
 send -- "firejail --build cat /etc/passwd\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
@@ -72,21 +85,6 @@ expect {
 }
 after 100
 
-
-#send -- "firejail --build cat /var/tmp/firejail-test-file-7699\r"
-#expect {
-#       timeout {puts "TESTING ERROR 11\n";exit}
-#       "whitelist /var/tmp/firejail-test-file-7699"
-#}
-#after 100
-
-#send -- "firejail --build man firejail\r"
-#expect {
-#       timeout {puts "TESTING ERROR 12\n";exit}
-#       "whitelist /usr/share/man"
-#}
-#after 100
-
 send -- "firejail --build wget --output-document=~ debian.org\r"
 expect {
         timeout {puts "TESTING ERROR 13\n";exit}
@@ -98,10 +96,4 @@ expect {
 }
 after 100
 
-
-send -- "firejail --build cat /tmp/firejail-test-file-7699\r"
-#todo - bug: it comes back with private-tmp
-sleep 1
-
-
 puts "all done\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 82ccc82bb..48a8051fa 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -13,14 +13,9 @@ if [ -f /etc/debian_version ]; then
 fi
 export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
 
-echo "testing" > ~/firejail-test-file-7699
-echo "testing" > /tmp/firejail-test-file-7699
-echo "testing" > /var/tmp/firejail-test-file-7699
 echo "TESTING: build (test/utils/build.exp)"
 ./build.exp
 rm -f ~/firejail-test-file-7699
-rm -f /tmp/firejail-test-file-7699
-rm -f /var/tmp/firejail-test-file-7699
 rm -f firejail-test-file-4388
 
 if [ $(readlink /proc/self) -lt 100 ]; then