893 files changed, 8052 insertions, 6647 deletions

diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
new file mode 100644
index 000000000..cc0be3b3d
--- /dev/null
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,2 @@
+# move whitelist/blacklist to allow/deny
+fe0f975f447d59977d90c3226cc8c623b31b20b3
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 07ab1431e..141e43168 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,9 +24,9 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: install dependencies
-      run: sudo apt-get install gcc-10 libapparmor-dev libselinux1-dev expect xzdec
+      run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
     - name: configure
-      run: CC=gcc-10 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
+      run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
     - name: make
       run: make
     - name: make install
diff --git a/Makefile.in b/Makefile.in
index 6be62cb6e..17bd76464 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -31,7 +31,7 @@ SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfil
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
diff --git a/README b/README
index 522fdc34a..c6eedbe5f 100644
--- a/README
+++ b/README
@@ -80,6 +80,8 @@ Akhil Hans Maulloo (https://github.com/kouul)
 Albin Kauffmann (https://github.com/albinou)
         - Firefox and Chromium profile fixes
         - info to allow screen sharing in profiles
+Alex Leahu (https://github.com/alxjsn)
+        - fix screen sharing configuration on Wayland
 Alexey Kuznetsov (kuznet@ms2.inr.ac.ru)
         - src/lib/libnetlink.c extracted from iproute2 software package
 Aleksey Manevich (https://github.com/manevich)
@@ -109,6 +111,7 @@ Amin Vakil (https://github.com/aminvakil)
         - whois profile fix
         - added profile for strawberry
         - w3m profile fix
+        - disable seccomp in wireshark profile
 Andreas Hunkeler (https://github.com/Karneades)
         - Add profile for offical Linux Teams application
 Andrey Alekseenko (https://github.com/al42and)
@@ -203,6 +206,7 @@ Bundy01 (https://github.com/Bundy01)
         - fixup geary
         - add gradio profile
         - update virtualbox.profile
+        - Quodlibet profile
 BytesTuner (https://github.com/BytesTuner)
         - provided keepassxc profile
 caoliver (https://github.com/caoliver)
@@ -326,6 +330,7 @@ Florian Begusch (https://github.com/florianbegusch)
         - (la)tex profiles
         - fixed transmission-common.profile
         - fixed standardnotes-desktop.profile
+        - fix jailprober.py
 floxo (https://github.com/floxo)
         - fixed qml disk cache issue
 Franco (nextime) Lanza (https://github.com/nextime)
@@ -435,6 +440,8 @@ hamzadis (https://github.com/hamzadis)
         - added --overlay-named=name and --overlay-path=path
 Hans-Christoph Steiner (https://github.com/eighthave)
         - added xournal profile
+Harald Kubota (https://github.com/haraldkubota)
+        - zsh completion
 hawkey116477 (https://github.com/hawkeye116477)
         - added Waterfox profile
         - updated Cyberfox profile
@@ -467,6 +474,8 @@ irregulator (https://github.com/irregulator)
 Irvine (https://github.com/Irvinehimself)
         - added conky profile
         - added ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch) profiles
+Ivan (https://github.com/ordinary-dev)
+        - fix telegram profile
 Ivan Kozik (https://github.com/ivan)
         - speed up sandbox exit
 Jaykishan Mutkawoa (https://github.com/jmutkawoa)
@@ -496,6 +505,7 @@ Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth)
         - fixed spotify.profile
 Jeff Squyres (https://github.com/jsquyres)
         - various manpage fixes
+        - cmdline.c: optionally quote the resulting command line
 Jericho (https://github.com/attritionorg)
         - spelling
 Jesse Smith (https://github.com/slicer69)
@@ -520,6 +530,7 @@ Jose Riha (https://github.com/jose1711)
         - Add davfs2 secrets file to blacklist
         - Add profile for udiskie
         - fix udiskie.profile
+        - improve hints for allowing browser access to Gnome extensions connector
 jrabe (https://github.com/jrabe)
         - disallow access to kdbx files
         - Epiphany profile
@@ -555,6 +566,7 @@ Kishore96in (https://github.com/Kishore96in)
         -  jitsi-meet-desktop profile
         - konversatin profile fix
         - added Neochat profile
+        - added whitelist-1793-workaround.inc
 KOLANICH (https://github.com/KOLANICH)
         - added symlink fixer fix_private-bin.py in contrib section
         - update fix_private-bin.py
@@ -564,6 +576,10 @@ kortewegdevries (https://github.com/kortewegdevries)
         - whitelisting evolution, kmail
 Kristóf Marussy (https://github.com/kris7t)
         - dns support
+kuesji koesnu (https://github.com/kuesji)
+        - unit suffixes for rlimit-fsize and rlimit-as
+        - util.c and firejail.h fixes
+        - better parser for size strings
 Kunal Mehta (https://github.com/legoktm)
         - converted all links to https in manpages
 laniakea64 (https://github.com/laniakea64)
@@ -587,6 +603,8 @@ Lukáš Krejčí (https://github.com/lskrejci)
         - fixed parsing of --keep-var-tmp
 luzpaz (https://github.com/luzpaz)
         - code spelling fixes
+lxeiqr (https://github.com/lxeiqr)
+        - fix sndio support
 Mace Muilman (https://github.com/mace015)
         - google-chrome{,beta,unstable} flags
 maces (https://github.com/maces)
@@ -610,6 +628,8 @@ Mattias Wadman (https://github.com/wader)
         - seccomp errno filter support
 Matthew Gyurgyik (https://github.com/pyther)
         - rpm spec and several fixes
+Matthew Cline (https://github.com/matthew-cline)
+        - steam profile and dropbox profile fixes
 matu3ba (https://github.com/matu3ba)
         - evince hardening, dbus removed
         - fix dia profile
@@ -643,18 +663,28 @@ Neo00001 (https://github.com/Neo00001)
         - update telegram profile
         - add spectacle profile
         - add kdiff3 profile
+NetSysFire (https://github.com/NetSysFire)
+        - update weechat profile
 Nick Fox (https://github.com/njfox)
         - add a profile alias for code-oss
         - add code-oss config directory
         - fix wire-desktop.profile on arch
 NickMolloy (https://github.com/NickMolloy)
         - ARP address length fix
+Nico (https://github.com/dr460nf1r3)
+        - added FireDragon profile
+Nicola Davide Mannarelli (https://github.com/nidamanx)
+        - fix "Could not create AF_NETLINK socket"
+        - added nextcloud profiles
+        - Firefox, KeepassXC, Telegram fixes
 Niklas Haas (https://github.com/haasn)
         - blacklisting for keybase.io's client
 Niklas Goerke (https://github.com/Niklas974)
         - update QOwnNotes profile
 Nikos Chantziaras (https://github.com/realnc)
         - fix audio support for Discord
+nolanl (https://github.com/nolanl)
+        - added localtime to signal-desktop's profile
 nyancat18 (https://github.com/nyancat18)
         - added ardour4, dooble, karbon, krita profiles
 Ondra Nekola (https://github.com/satai)
@@ -702,6 +732,8 @@ Petter Reinholdtsen (pere@hungry.com)
 PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
         - fix quiterss profile
         - added profile for gnome-ring
+pholodniak (https://github.com/pholodniak)
+        - profstats fixes
 pianoslum (https://github.com/pianoslum)
         - nodbus breaking evince two-page-view warning
 pirate486743186 (https://github.com/pirate486743186)
@@ -709,6 +741,18 @@ pirate486743186 (https://github.com/pirate486743186)
         - mpsyt profile
         - fix youtube-dl and mpv
         - fix gnome-mpv profile
+        - fix gunzip profile
+        - reorganizing youtube-viewers
+        - fix pluma profile
+        - whitelist /var/lib/aspell
+        - mcomix fixes
+        - fixing engrampa profile
+        - adding qcomicbook and pipe-viewer in disable-programs
+        - newsboat/newsbeuter profiles
+        - fix atril profile
+        - reorganizing links browsers
+        - added rtv, alpine, mcomix, qcomicbook, googler, ddgr profiles
+        - w3m, zahura, profile.template fixes
 Pixel Fairy (https://github.com/xahare)
         - added fjclip.py, fjdisplay.py and fjresize.py in contrib section
 PizzaDude (https://github.com/pizzadude)
@@ -745,6 +789,7 @@ Rahul Golam (https://github.com/technoLord)
 RandomVoid (https://github.com/RandomVoid)
         - fix building C# projects in Godot
         - fix Lutris profile
+        - fix running games with enabled Feral GameMode in Lutris
 Raphaël Droz (https://github.com/drzraf)
         - zoom profile fixes
 realaltffour (https://github.com/realaltffour)
@@ -786,6 +831,8 @@ rusty-snake (https://github.com/rusty-snake)
         - some typo fixes
         - added profile templates
         - added sort.py to contrib
+sak96 (https://github.com/sak96)
+        - discord profile fixes
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
         - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
@@ -814,6 +861,8 @@ sinkuu (https://github.com/sinkuu)
         - fix symlink invocation for programs placing symlinks in $PATH
 Simo Piiroinen (https://github.com/spiiroin)
         - Jolla/SailfishOS patches
+slowpeek (https://github.com/slowpeek)
+        - refine appimage example in docs
 smitsohu (https://github.com/smitsohu)
         - read-only kde4 services directory
         - enhanced mediathekview profile
@@ -939,6 +988,10 @@ Topi Miettinen (https://github.com/topimiettinen)
         - improve loading of seccomp filter and memory-deny-write-execute feature
         - private-lib feature
         - make --nodbus block also system D-Bus socket
+Ted Robertson  (https://github.com/tredondo)
+        - webstorm profile fixes
+        - added bcompare profile
+        - various documentation fixes
 user1024 (user1024@tut.by)
         - electron profile whitelisting
         - fixed Rocket.Chat profile
@@ -1003,6 +1056,10 @@ Vladimir Schowalter (https://github.com/VladimirSchowalter20)
         - apparmor profile enhancements
         - various KDE profile enhancements
         read-only kde5 services directory
+Vladislav Nepogodin (https://github.com/vnepogodin)
+        - added Librewolf profiles
+        - added Sway profile
+        - fix CLion profile
 xee5ch (https://github.com/xee5ch)
         - skypeforlinux profile
 Ypnose (https://github.com/Ypnose)
diff --git a/README.md b/README.md
index e9e8f8c37..c635bf811 100644
--- a/README.md
+++ b/README.md
@@ -126,18 +126,18 @@ $ cd firejail
 $ ./configure && make && sudo make install-strip
 `````
 On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
-development libraries and pkg-config are required when using --apparmor
+development libraries and pkg-config are required when using `--apparmor`
 ./configure option:
 `````
 $ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
 `````
-For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
+For `--selinux` option, add libselinux1-dev (libselinux-devel for Fedora).
 
 Detailed information on using firejail from git is available on the [wiki](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git).
 
 ## Running the sandbox
 
-To start the sandbox, prefix your command with “firejail”:
+To start the sandbox, prefix your command with `firejail`:
 
 `````
 $ firejail firefox            # starting Mozilla Firefox
@@ -145,7 +145,7 @@ $ firejail transmission-gtk   # starting Transmission BitTorrent
 $ firejail vlc                # starting VideoLAN Client
 $ sudo firejail /etc/init.d/nginx start
 `````
-Run "firejail --list" in a terminal to list all active sandboxes. Example:
+Run `firejail --list` in a terminal to list all active sandboxes. Example:
 `````
 $ firejail --list
 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr
@@ -188,110 +188,19 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 You can also use this tool to get a list of syscalls needed by a program: [contrib/syscalls.sh](contrib/syscalls.sh).
 
 We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
-`````
 
-`````
-## Latest released version: 0.9.64
+## Latest released version: 0.9.66
 
-## Current development version: 0.9.65
+## Current development version: 0.9.67
 
 Milestone page: https://github.com/netblue30/firejail/milestone/1
 Release discussion: https://github.com/netblue30/firejail/issues/3696
 
-### jailcheck
-`````
-JAILCHECK(1)                  JAILCHECK man page                  JAILCHECK(1)
-
-NAME
-       jailcheck - Simple utility program to test running sandboxes
-
-SYNOPSIS
-       sudo jailcheck [OPTIONS] [directory]
-
-DESCRIPTION
-       jailcheck attaches itself to all sandboxes started by the user and per‐
-       forms some basic tests on the sandbox filesystem:
-
-       1. Virtual directories
-              jailcheck extracts a list with the main virtual directories  in‐
-              stalled by the sandbox.  These directories are build by firejail
-              at startup using --private* and --whitelist commands.
-
-       2. Noexec test
-              jailcheck inserts executable programs in  /home/username,  /tmp,
-              and  /var/tmp  directories and tries to run them from inside the
-              sandbox, thus testing if the directory is executable or not.
-
-       3. Read access test
-              jailcheck creates test files in the directories specified by the
-              user and tries to read them from inside the sandbox.
-
-       4. AppArmor test
-
-       5. Seccomp test
-
-       The program is started as root using sudo.
-
-OPTIONS
-       --debug
-              Print debug messages.
-
-       -?, --help
-              Print options and exit.
-
-       --version
-              Print program version and exit.
+Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change!
 
-       [directory]
-              One  or  more  directories in user home to test for read access.
-              ~/.ssh and ~/.gnupg are tested by default.
-
-OUTPUT
-       For each sandbox detected we print the following line:
-
-            PID:USER:Sandbox Name:Command
-
-       It is followed by relevant sandbox information, such as the virtual di‐
-       rectories and various warnings.
-
-EXAMPLE
-       $ sudo jailcheck
-       2014:netblue::firejail /usr/bin/gimp
-          Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
-          Warning: I can run programs in /home/netblue
-
-       2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
-          Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
-          Warning: I can read ~/.ssh
-
-       2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
-       pimage
-          Virtual dirs: /tmp, /var/tmp, /dev,
-
-       26090:netblue::/usr/bin/firejail /opt/firefox/firefox
-          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
-                        /run/user/1000,
-
-       26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
-          Warning: AppArmor not enabled
-          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
-                        /usr/share, /run/user/1000,
-          Warning: I can run programs in /home/netblue
-
-LICENSE
-       This program is free software; you can redistribute it and/or modify it
-       under  the  terms of the GNU General Public License as published by the
-       Free Software Foundation; either version 2 of the License, or (at  your
-       option) any later version.
-
-       Homepage: https://firejail.wordpress.com
-
-SEE ALSO
-       firejail(1),  firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
-       gin(5), firejail-users(5),
-
-0.9.65                             May 2021                       JAILCHECK(1)
-`````
+The old whitelist/blacklist will remain as aliasses for the next one or two releases
+in order to give users a chance to switch their local profiles.
+The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
 
 ### Profile Statistics
 
@@ -300,39 +209,30 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi
 $ sudo cp src/profstats/profstats /etc/firejail/.
 $ cd /etc/firejail
 $ ./profstats *.profile
-Stats:
-    profiles                    1135
-    include local profile       1135   (include profile-name.local)
-    include globals             1106   (include globals.local)
-    blacklist ~/.ssh            1009   (include disable-common.inc)
-    seccomp                     1035
-    capabilities                1130
-    noexec                      1011   (include disable-exec.inc)
-    noroot                      944
-    memory-deny-write-execute   242
-    apparmor                    667
-    private-bin                 635
-    private-dev                 992
-    private-etc                 508
-    private-tmp                 866
-    whitelist home directory    542
-    whitelist var               799   (include whitelist-var-common.inc)
-    whitelist run/user          597   (include whitelist-runuser-common.inc
+    profiles                    1150
+    include local profile       1150   (include profile-name.local)
+    include globals             1120   (include globals.local)
+    blacklist ~/.ssh            1026   (include disable-common.inc)
+    seccomp                     1050
+    capabilities                1146
+    noexec                      1030   (include disable-exec.inc)
+    noroot                      959
+    memory-deny-write-execute   253
+    apparmor                    681
+    private-bin                 667
+    private-dev                 1009
+    private-etc                 523
+    private-tmp                 883
+    whitelist home directory    547
+    whitelist var               818   (include whitelist-var-common.inc)
+    whitelist run/user          616   (include whitelist-runuser-common.inc
                                         or blacklist ${RUNUSER})
-    whitelist usr/share         569   (include whitelist-usr-share-common.inc
-    net none                    389
-    dbus-user none              619
+    whitelist usr/share         591   (include whitelist-usr-share-common.inc
+    net none                    391
+    dbus-user none              641
     dbus-user filter            105
-    dbus-system none            770
+    dbus-system none            792
     dbus-system filter          7
 ```
 
 ### New profiles:
-
-vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
-avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
-pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, cksum, md5sum, sha1sum, sha224sum,
-sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper,
-ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper,
-pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
-neochat, node, nvm, cargo
diff --git a/RELNOTES b/RELNOTES
index 117a019e3..905c25096 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,4 +1,18 @@
-firejail (0.9.65) baseline; urgency=low
+firejail (0.9.67) baseline; urgency=low
+  * work in progress
+  * deprecated --disable-whitelist at compile time
+  * deprecated whitelist=yes/no in /etc/firejail/firejail.config
+ -- netblue30 <netblue30@yahoo.com>  Mon, 28 Jun 2021 09:00:00 -0500
+
+firejail (0.9.66) baseline; urgency=low
+  * deprecated --audit options, relpaced by jailcheck utility
+  * deprecated follow-symlink-as-user from firejail.config
+  * new firejail.config settings: private-bin, private-etc
+  * new firejail.config settings: private-opt, private-srv
+  * new firejail.config settings: whitelist-disable-topdir
+  * new firejail.config settings: seccomp-filter-add
+  * removed kcmp syscall from seccomp default filter
+  * rename --noautopulse to keep-config-pulse
   * filtering environment variables
   * zsh completion
   * command line: --mkdir, --mkfile
@@ -7,7 +21,6 @@ firejail (0.9.65) baseline; urgency=low
   * private-lib rework
   * whitelist rework
   * jailtest utility for testing running sandboxes
-  * removed --audit options, relpaced by jailtest
   * capabilities list update
   * faccessat2 syscall support
   * --private-dev keeps /dev/input
@@ -18,6 +31,7 @@ firejail (0.9.65) baseline; urgency=low
   * compile time: --enable-lts
   * subdirs support in private-etc
   * input devices support in private-dev, --no-input
+  * support trailing comments on profile lines
   * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
   * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
   * avidemux, calligragemini, vmware-player, vmware-workstation
@@ -29,8 +43,9 @@ firejail (0.9.65) baseline; urgency=low
   * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium,
   * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon
   * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, neochat,
-  * cargo
- -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
+  * cargo, LibreCAD, blobby, funnyboat, pipe-viewer, gtk-pipe-viewer
+  * links2, xlinks2, googler, ddgr, tin
+ -- netblue30 <netblue30@yahoo.com>  Mon, 28 Jun 2021 09:00:00 -0500
 
 firejail (0.9.64.4) baseline; urgency=low
   * disabled overlayfs, pending multiple fixes (CVE-2021-26910)
diff --git a/configure b/configure
index 2acf04634..9e883191a 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.65.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.67.
 #
 # Report bugs to <netblue30@protonmail.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.65'
-PACKAGE_STRING='firejail 0.9.65'
+PACKAGE_VERSION='0.9.67'
+PACKAGE_STRING='firejail 0.9.67'
 PACKAGE_BUGREPORT='netblue30@protonmail.com'
 PACKAGE_URL='https://firejail.wordpress.com'
 
@@ -634,7 +634,6 @@ HAVE_GCOV
 BUSYBOX_WORKAROUND
 HAVE_FATAL_WARNINGS
 HAVE_SUID
-HAVE_WHITELIST
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
@@ -726,7 +725,6 @@ enable_network
 enable_userns
 enable_x11
 enable_file_transfer
-enable_whitelist
 enable_suid
 enable_fatal_warnings
 enable_busybox_workaround
@@ -1299,7 +1297,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.65 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.67 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1361,7 +1359,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.65:";;
+     short | recursive ) echo "Configuration of firejail 0.9.67:";;
    esac
   cat <<\_ACEOF
 
@@ -1369,7 +1367,7 @@ Optional Features:
   --disable-option-checking  ignore unrecognized --enable/--with options
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
-  --enable-analyzer       enable GCC 10 static analyzer
+  --enable-analyzer       enable GCC static analyzer
   --enable-apparmor       enable apparmor
   --enable-selinux        SELinux labeling support
   --disable-dbusproxy     disable dbus proxy
@@ -1385,7 +1383,6 @@ Optional Features:
   --disable-userns        disable user namespace
   --disable-x11           disable X11 sandboxing support
   --disable-file-transfer disable file transfer
-  --disable-whitelist     disable whitelist
   --disable-suid          install as a non-SUID executable
   --enable-fatal-warnings -W -Wall -Werror
   --enable-busybox-workaround
@@ -1481,7 +1478,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.65
+firejail configure 0.9.67
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1783,7 +1780,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.65, which was
+It was created by firejail $as_me 0.9.67, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3171,7 +3168,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mindirect_branch_thunk" >&5
 $as_echo "$ax_cv_check_cflags___mindirect_branch_thunk" >&6; }
 if test "x$ax_cv_check_cflags___mindirect_branch_thunk" = xyes; then :
-  HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mindirect-branch=thunk"
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
 
 else
   :
@@ -3207,7 +3204,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5
 $as_echo "$ax_cv_check_cflags___mretpoline" >&6; }
 if test "x$ax_cv_check_cflags___mretpoline" = xyes; then :
-  HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mretpoline"
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
 
 else
   :
@@ -3243,7 +3240,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_clash_protection" >&5
 $as_echo "$ax_cv_check_cflags___fstack_clash_protection" >&6; }
 if test "x$ax_cv_check_cflags___fstack_clash_protection" = xyes; then :
-  HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-clash-protection"
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
 
 else
   :
@@ -3279,7 +3276,7 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5
 $as_echo "$ax_cv_check_cflags___fstack_protector_strong" >&6; }
 if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes; then :
-  HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong"
+  HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"
 
 else
   :
@@ -3293,7 +3290,7 @@ fi
 
 if test "x$enable_analyzer" = "xyes"; then :
 
-        EXTRA_CFLAGS+=" -fanalyzer"
+        EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
 
 fi
 
@@ -3515,7 +3512,7 @@ else
         AA_LIBS=$pkg_cv_AA_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-        EXTRA_CFLAGS+=" $AA_CFLAGS" && EXTRA_LDFLAGS+=" $AA_LIBS"
+        EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"
 fi
 
 
@@ -3530,7 +3527,7 @@ fi
 if test "x$enable_selinux" = "xyes"; then :
 
         HAVE_SELINUX="-DHAVE_SELINUX"
-        EXTRA_LDFLAGS+=" -lselinux "
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux "
 
 
 fi
@@ -3747,19 +3744,6 @@ if test "x$enable_file_transfer" != "xno"; then :
 
 fi
 
-HAVE_WHITELIST=""
-# Check whether --enable-whitelist was given.
-if test "${enable_whitelist+set}" = set; then :
-  enableval=$enable_whitelist;
-fi
-
-if test "x$enable_whitelist" != "xno"; then :
-
-        HAVE_WHITELIST="-DHAVE_WHITELIST"
-
-
-fi
-
 HAVE_SUID=""
 # Check whether --enable-suid was given.
 if test "${enable_suid+set}" = set; then :
@@ -3810,7 +3794,7 @@ fi
 if test "x$enable_gcov" = "xyes"; then :
 
         HAVE_GCOV="--coverage -DHAVE_GCOV "
-        EXTRA_LDFLAGS+=" -lgcov --coverage "
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage "
 
 
 fi
@@ -4910,7 +4894,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.65, which was
+This file was extended by firejail $as_me 0.9.67, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4964,7 +4948,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.65
+firejail config.status 0.9.67
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -5560,47 +5544,48 @@ $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
 fi
 
 
-echo
-echo "Configuration options:"
-echo "   prefix: $prefix"
-echo "   sysconfdir: $sysconfdir"
-echo "   apparmor: $HAVE_APPARMOR"
-echo "   SELinux labeling support: $HAVE_SELINUX"
-echo "   global config: $HAVE_GLOBALCFG"
-echo "   chroot: $HAVE_CHROOT"
-echo "   network: $HAVE_NETWORK"
-echo "   user namespace: $HAVE_USERNS"
-echo "   X11 sandboxing support: $HAVE_X11"
-echo "   whitelisting: $HAVE_WHITELIST"
-echo "   private home support: $HAVE_PRIVATE_HOME"
-echo "   file transfer support: $HAVE_FILE_TRANSFER"
-echo "   overlayfs support: $HAVE_OVERLAYFS"
-echo "   DBUS proxy support: $HAVE_DBUSPROXY"
-echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
-echo "   enable --ouput logging: $HAVE_OUTPUT"
-echo "   Manpage support: $HAVE_MAN"
-echo "   firetunnel support: $HAVE_FIRETUNNEL"
-echo "   busybox workaround: $BUSYBOX_WORKAROUND"
-echo "   Spectre compiler patch: $HAVE_SPECTRE"
-echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
-echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
-echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
-echo "   Gcov instrumentation: $HAVE_GCOV"
-echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   Install as a SUID executable: $HAVE_SUID"
-echo "   LTS: $HAVE_LTS"
-echo "   Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
-echo
-
+cat <<EOF
+
+Configuration options:
+   prefix: $prefix
+   sysconfdir: $sysconfdir
+   apparmor: $HAVE_APPARMOR
+   SELinux labeling support: $HAVE_SELINUX
+   global config: $HAVE_GLOBALCFG
+   chroot: $HAVE_CHROOT
+   network: $HAVE_NETWORK
+   user namespace: $HAVE_USERNS
+   X11 sandboxing support: $HAVE_X11
+   private home support: $HAVE_PRIVATE_HOME
+   file transfer support: $HAVE_FILE_TRANSFER
+   overlayfs support: $HAVE_OVERLAYFS
+   DBUS proxy support: $HAVE_DBUSPROXY
+   allow tmpfs as regular user: $HAVE_USERTMPFS
+   enable --ouput logging: $HAVE_OUTPUT
+   Manpage support: $HAVE_MAN
+   firetunnel support: $HAVE_FIRETUNNEL
+   busybox workaround: $BUSYBOX_WORKAROUND
+   Spectre compiler patch: $HAVE_SPECTRE
+   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+   EXTRA_CFLAGS: $EXTRA_CFLAGS
+   fatal warnings: $HAVE_FATAL_WARNINGS
+   Gcov instrumentation: $HAVE_GCOV
+   Install contrib scripts: $HAVE_CONTRIB_INSTALL
+   Install as a SUID executable: $HAVE_SUID
+   LTS: $HAVE_LTS
+   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+
+EOF
 
 if test "$HAVE_LTS" = -DHAVE_LTS; then
-        echo
-        echo
-        echo "*********************************************************"
-        echo "*    Warning: Long-term support (LTS) was enabled!      *"
-        echo "*    Most compile-time options have bean rewritten!     *"
-        echo "*********************************************************"
-        echo
-        echo
-fi
+        cat <<\EOF
+
 
+*********************************************************
+*    Warning: Long-term support (LTS) was enabled!      *
+*    Most compile-time options have bean rewritten!     *
+*********************************************************
+
+
+EOF
+fi
diff --git a/configure.ac b/configure.ac
index 036b62484..1f8e802b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.65, netblue30@protonmail.com, , https://firejail.wordpress.com)
+AC_INIT([firejail],[0.9.67],[netblue30@protonmail.com],[],[https://firejail.wordpress.com])
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 
 AC_CONFIG_MACRO_DIR([m4])
@@ -24,25 +24,25 @@ AC_PROG_RANLIB
 HAVE_SPECTRE="no"
 AX_CHECK_COMPILE_FLAG(
     [-mindirect-branch=thunk],
-    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mindirect-branch=thunk"]
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"]
 )
 AX_CHECK_COMPILE_FLAG(
     [-mretpoline],
-    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mretpoline"]
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"]
 )
 AX_CHECK_COMPILE_FLAG(
     [-fstack-clash-protection],
-    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-clash-protection"]
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"]
 )
 AX_CHECK_COMPILE_FLAG(
     [-fstack-protector-strong],
-    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong"]
+    [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"]
 )
 
 AC_ARG_ENABLE([analyzer],
-    AS_HELP_STRING([--enable-analyzer], [enable GCC 10 static analyzer]))
+    AS_HELP_STRING([--enable-analyzer], [enable GCC static analyzer]))
 AS_IF([test "x$enable_analyzer" = "xyes"], [
-        EXTRA_CFLAGS+=" -fanalyzer"
+        EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
 ])
 
 HAVE_APPARMOR=""
@@ -50,7 +50,8 @@ AC_ARG_ENABLE([apparmor],
     AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
 AS_IF([test "x$enable_apparmor" = "xyes"], [
         HAVE_APPARMOR="-DHAVE_APPARMOR"
-        PKG_CHECK_MODULES([AA], libapparmor, [EXTRA_CFLAGS+=" $AA_CFLAGS" && EXTRA_LDFLAGS+=" $AA_LIBS"])
+        PKG_CHECK_MODULES([AA], libapparmor,
+            [EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"])
         AC_SUBST(HAVE_APPARMOR)
 ])
 
@@ -59,7 +60,7 @@ AC_ARG_ENABLE([selinux],
     AS_HELP_STRING([--enable-selinux], [SELinux labeling support]))
 AS_IF([test "x$enable_selinux" = "xyes"], [
         HAVE_SELINUX="-DHAVE_SELINUX"
-        EXTRA_LDFLAGS+=" -lselinux "
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux "
         AC_SUBST(HAVE_SELINUX)
 ])
 
@@ -176,14 +177,6 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
         AC_SUBST(HAVE_FILE_TRANSFER)
 ])
 
-HAVE_WHITELIST=""
-AC_ARG_ENABLE([whitelist],
-    AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
-AS_IF([test "x$enable_whitelist" != "xno"], [
-        HAVE_WHITELIST="-DHAVE_WHITELIST"
-        AC_SUBST(HAVE_WHITELIST)
-])
-
 HAVE_SUID=""
 AC_ARG_ENABLE([suid],
     AS_HELP_STRING([--disable-suid], [install as a non-SUID executable]))
@@ -215,7 +208,7 @@ AC_ARG_ENABLE([gcov],
     AS_HELP_STRING([--enable-gcov], [Gcov instrumentation]))
 AS_IF([test "x$enable_gcov" = "xyes"], [
         HAVE_GCOV="--coverage -DHAVE_GCOV "
-        EXTRA_LDFLAGS+=" -lgcov --coverage "
+        EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage "
         AC_SUBST(HAVE_GCOV)
 ])
 
@@ -303,53 +296,55 @@ if test "$prefix" = /usr; then
 fi
 
 AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
-AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
+AC_CONFIG_FILES([Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
 src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
-src/jailcheck/Makefile)
-
-echo
-echo "Configuration options:"
-echo "   prefix: $prefix"
-echo "   sysconfdir: $sysconfdir"
-echo "   apparmor: $HAVE_APPARMOR"
-echo "   SELinux labeling support: $HAVE_SELINUX"
-echo "   global config: $HAVE_GLOBALCFG"
-echo "   chroot: $HAVE_CHROOT"
-echo "   network: $HAVE_NETWORK"
-echo "   user namespace: $HAVE_USERNS"
-echo "   X11 sandboxing support: $HAVE_X11"
-echo "   whitelisting: $HAVE_WHITELIST"
-echo "   private home support: $HAVE_PRIVATE_HOME"
-echo "   file transfer support: $HAVE_FILE_TRANSFER"
-echo "   overlayfs support: $HAVE_OVERLAYFS"
-echo "   DBUS proxy support: $HAVE_DBUSPROXY"
-echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
-echo "   enable --ouput logging: $HAVE_OUTPUT"
-echo "   Manpage support: $HAVE_MAN"
-echo "   firetunnel support: $HAVE_FIRETUNNEL"
-echo "   busybox workaround: $BUSYBOX_WORKAROUND"
-echo "   Spectre compiler patch: $HAVE_SPECTRE"
-echo "   EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
-echo "   EXTRA_CFLAGS: $EXTRA_CFLAGS"
-echo "   fatal warnings: $HAVE_FATAL_WARNINGS"
-echo "   Gcov instrumentation: $HAVE_GCOV"
-echo "   Install contrib scripts: $HAVE_CONTRIB_INSTALL"
-echo "   Install as a SUID executable: $HAVE_SUID"
-echo "   LTS: $HAVE_LTS"
-echo "   Always enforce filters: $HAVE_FORCE_NONEWPRIVS"
-echo
-
+src/jailcheck/Makefile])
+AC_OUTPUT
+
+cat <<EOF
+
+Configuration options:
+   prefix: $prefix
+   sysconfdir: $sysconfdir
+   apparmor: $HAVE_APPARMOR
+   SELinux labeling support: $HAVE_SELINUX
+   global config: $HAVE_GLOBALCFG
+   chroot: $HAVE_CHROOT
+   network: $HAVE_NETWORK
+   user namespace: $HAVE_USERNS
+   X11 sandboxing support: $HAVE_X11
+   private home support: $HAVE_PRIVATE_HOME
+   file transfer support: $HAVE_FILE_TRANSFER
+   overlayfs support: $HAVE_OVERLAYFS
+   DBUS proxy support: $HAVE_DBUSPROXY
+   allow tmpfs as regular user: $HAVE_USERTMPFS
+   enable --ouput logging: $HAVE_OUTPUT
+   Manpage support: $HAVE_MAN
+   firetunnel support: $HAVE_FIRETUNNEL
+   busybox workaround: $BUSYBOX_WORKAROUND
+   Spectre compiler patch: $HAVE_SPECTRE
+   EXTRA_LDFLAGS: $EXTRA_LDFLAGS
+   EXTRA_CFLAGS: $EXTRA_CFLAGS
+   fatal warnings: $HAVE_FATAL_WARNINGS
+   Gcov instrumentation: $HAVE_GCOV
+   Install contrib scripts: $HAVE_CONTRIB_INSTALL
+   Install as a SUID executable: $HAVE_SUID
+   LTS: $HAVE_LTS
+   Always enforce filters: $HAVE_FORCE_NONEWPRIVS
+
+EOF
 
 if test "$HAVE_LTS" = -DHAVE_LTS; then
-        echo
-        echo
-        echo "*********************************************************"
-        echo "*    Warning: Long-term support (LTS) was enabled!      *"
-        echo "*    Most compile-time options have bean rewritten!     *"
-        echo "*********************************************************"
-        echo
-        echo
-fi
+        cat <<\EOF
 
+
+*********************************************************
+*    Warning: Long-term support (LTS) was enabled!      *
+*    Most compile-time options have bean rewritten!     *
+*********************************************************
+
+
+EOF
+fi
diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py
index 9205d9b3e..f89f97ac4 100755
--- a/contrib/jail_prober.py
+++ b/contrib/jail_prober.py
@@ -70,6 +70,19 @@ def get_args(profile_path):
     return profile
 
 
+def absolute_include(word):
+    home = os.environ['HOME']
+    path = home + '/.config/firejail/'
+
+    option, filename = word.split('=')
+    absolute_filename = path + filename
+
+    if not os.path.isfile(absolute_filename):
+        absolute_filename = '${CFG}/' + filename
+
+    return option + '=' + absolute_filename
+
+
 def arg_converter(arg_list, style):
     """
     Convert between firejail command-line arguments (--example=something) and
@@ -94,9 +107,12 @@ def arg_converter(arg_list, style):
     if style == 'to_profile':
         new_args = [word[2:] for word in new_args]
 
-    # Remove invalid '--include' args if converting to command-line form
     elif style == 'to_commandline':
-        new_args = [word for word in new_args if 'include' not in word]
+        new_args = [
+            absolute_include(word) if word.startswith('--include')
+            else word
+            for word in new_args
+        ]
 
     return new_args
 
@@ -148,8 +164,12 @@ def run_firejail(program, all_args):
 
 
 def main():
-    profile_path = sys.argv[1]
-    program = sys.argv[2]
+    try:
+        profile_path = sys.argv[1]
+        program = sys.argv[2]
+    except IndexError:
+        print('USAGE: jail_prober.py <PROFILE-PATH> <PROGRAM>')
+        sys.exit()
     # Quick error check and extract arguments
     check_params(profile_path)
     profile = get_args(profile_path)
diff --git a/contrib/vim/ftdetect/firejail.vim b/contrib/vim/ftdetect/firejail.vim
index a8ba5cd75..2edc741da 100644
--- a/contrib/vim/ftdetect/firejail.vim
+++ b/contrib/vim/ftdetect/firejail.vim
@@ -1,6 +1,6 @@
-autocmd BufNewFile,BufRead /etc/firejail/*.profile      set filetype=firejail
-autocmd BufNewFile,BufRead /etc/firejail/*.local        set filetype=firejail
-autocmd BufNewFile,BufRead /etc/firejail/*.inc          set filetype=firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.profile set filetype=firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.local   set filetype=firejail
-autocmd BufNewFile,BufRead ~/.config/firejail/*.inc     set filetype=firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.profile      setfiletype firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.local        setfiletype firejail
+autocmd BufNewFile,BufRead /etc/firejail/*.inc          setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.profile setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.local   setfiletype firejail
+autocmd BufNewFile,BufRead ~/.config/firejail/*.inc     setfiletype firejail
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index 8775ae71d..d07690ee2 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -20,19 +20,20 @@ syn match fjCapabilityList /,/ nextgroup=fjCapability contained
 syn keyword fjProtocol unix inet inet6 netlink packet nextgroup=fjProtocolList contained
 syn match fjProtocolList /,/ nextgroup=fjProtocol contained
 
-" Syscalls grabbed from: src/include/syscall.h
-" Generate list with: rg -o '"([^"]+)' -r '$1' src/include/syscall.h | sort -u | tr $'\n' ' '
-syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_getres clock_gettime clock_nanosleep clock_settime clone close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsetxattr fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futimesat get_kernel_syms get_mempolicy get_robust_list get_thread_area getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit getrusage getsid getsockname getsockopt gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel io_destroy io_getevents io_setup io_submit ioctl ioperm iopl ioprio_get ioprio_set ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedsend mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open open_by_handle_at openat pause perf_event_open personality pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recvfrom recvmmsg recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_tgsigqueueinfo sched_get_priority_max sched_get_priority_min sched_getaffinity sched_getattr sched_getparam sched_getscheduler sched_rr_get_interval sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop sendfile sendfile64 sendmmsg sendmsg sendto set_mempolicy set_robust_list set_thread_area set_tid_address setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit setsid setsockopt settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range syncfs sysfs sysinfo syslog tee tgkill time timer_create timer_delete timer_getoverrun timer_gettime timer_settime timerfd_create timerfd_gettime timerfd_settime times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
+" Syscalls grabbed from: src/include/syscall*.h
+" Generate list with: sed -ne 's/{\s\+"\([^"]\+\)",.*},/\1/p' src/include/syscall*.h | sort -u | tr $'\n' ' '
+syn keyword fjSyscall _llseek _newselect _sysctl accept accept4 access acct add_key adjtimex afs_syscall alarm arch_prctl arm_fadvise64_64 arm_sync_file_range bdflush bind bpf break brk capget capset chdir chmod chown chown32 chroot clock_adjtime clock_adjtime64 clock_getres clock_getres_time64 clock_gettime clock_gettime64 clock_nanosleep clock_nanosleep_time64 clock_settime clock_settime64 clone clone3 close connect copy_file_range creat create_module delete_module dup dup2 dup3 epoll_create epoll_create1 epoll_ctl epoll_ctl_old epoll_pwait epoll_wait epoll_wait_old eventfd eventfd2 execve execveat exit exit_group faccessat faccessat2 fadvise64 fadvise64_64 fallocate fanotify_init fanotify_mark fchdir fchmod fchmodat fchown fchown32 fchownat fcntl fcntl64 fdatasync fgetxattr finit_module flistxattr flock fork fremovexattr fsconfig fsetxattr fsmount fsopen fspick fstat fstat64 fstatat64 fstatfs fstatfs64 fsync ftime ftruncate ftruncate64 futex futex_time64 futimesat getcpu getcwd getdents getdents64 getegid getegid32 geteuid geteuid32 getgid getgid32 getgroups getgroups32 getitimer get_kernel_syms get_mempolicy getpeername getpgid getpgrp getpid getpmsg getppid getpriority getrandom getresgid getresgid32 getresuid getresuid32 getrlimit get_robust_list getrusage getsid getsockname getsockopt get_thread_area gettid gettimeofday getuid getuid32 getxattr gtty idle init_module inotify_add_watch inotify_init inotify_init1 inotify_rm_watch io_cancel ioctl io_destroy io_getevents ioperm io_pgetevents io_pgetevents_time64 iopl ioprio_get ioprio_set io_setup io_submit io_uring_enter io_uring_register io_uring_setup ipc kcmp kexec_file_load kexec_load keyctl kill lchown lchown32 lgetxattr link linkat listen listxattr llistxattr lock lookup_dcookie lremovexattr lseek lsetxattr lstat lstat64 madvise mbind membarrier memfd_create migrate_pages mincore mkdir mkdirat mknod mknodat mlock mlock2 mlockall mmap mmap2 modify_ldt mount move_mount move_pages mprotect mpx mq_getsetattr mq_notify mq_open mq_timedreceive mq_timedreceive_time64 mq_timedsend mq_timedsend_time64 mq_unlink mremap msgctl msgget msgrcv msgsnd msync munlock munlockall munmap name_to_handle_at nanosleep newfstatat nfsservctl nice oldfstat oldlstat oldolduname oldstat olduname open openat open_by_handle_at open_tree pause pciconfig_iobase pciconfig_read pciconfig_write perf_event_open personality pidfd_open pidfd_send_signal pipe pipe2 pivot_root pkey_alloc pkey_free pkey_mprotect poll ppoll ppoll_time64 prctl pread64 preadv preadv2 prlimit64 process_vm_readv process_vm_writev prof profil pselect6 pselect6_time64 ptrace putpmsg pwrite64 pwritev pwritev2 query_module quotactl read readahead readdir readlink readlinkat readv reboot recv recvfrom recvmmsg recvmmsg_time64 recvmsg remap_file_pages removexattr rename renameat renameat2 request_key restart_syscall rmdir rseq rt_sigaction rt_sigpending rt_sigprocmask rt_sigqueueinfo rt_sigreturn rt_sigsuspend rt_sigtimedwait rt_sigtimedwait_time64 rt_tgsigqueueinfo sched_getaffinity sched_getattr sched_getparam sched_get_priority_max sched_get_priority_min sched_getscheduler sched_rr_get_interval sched_rr_get_interval_time64 sched_setaffinity sched_setattr sched_setparam sched_setscheduler sched_yield seccomp security select semctl semget semop semtimedop semtimedop_time64 send sendfile sendfile64 sendmmsg sendmsg sendto setdomainname setfsgid setfsgid32 setfsuid setfsuid32 setgid setgid32 setgroups setgroups32 sethostname setitimer set_mempolicy setns setpgid setpriority setregid setregid32 setresgid setresgid32 setresuid setresuid32 setreuid setreuid32 setrlimit set_robust_list setsid setsockopt set_thread_area set_tid_address settimeofday setuid setuid32 setxattr sgetmask shmat shmctl shmdt shmget shutdown sigaction sigaltstack signal signalfd signalfd4 sigpending sigprocmask sigreturn sigsuspend socket socketcall socketpair splice ssetmask stat stat64 statfs statfs64 statx stime stty swapoff swapon symlink symlinkat sync sync_file_range sync_file_range2 syncfs syscall sysfs sysinfo syslog tee tgkill time timer_create timer_delete timerfd_create timerfd_gettime timerfd_gettime64 timerfd_settime timerfd_settime64 timer_getoverrun timer_gettime timer_gettime64 timer_settime timer_settime64 times tkill truncate truncate64 tuxcall ugetrlimit ulimit umask umount umount2 uname unlink unlinkat unshare uselib userfaultfd ustat utime utimensat utimensat_time64 utimes vfork vhangup vm86 vm86old vmsplice vserver wait4 waitid waitpid write writev nextgroup=fjSyscallErrno contained
 " Syscall groups grabbed from: src/fseccomp/syscall.c
-" Generate list with: rg -o '"@([^",]+)' -r '$1' src/fseccomp/syscall.c | sort -u | tr $'\n' '|'
-syn match fjSyscall /\v\@(clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|module|obsolete|privileged|raw-io|reboot|resources|swap)>/ nextgroup=fjSyscallErrno contained
+" Generate list with: rg -o '"@([^",]+)' -r '$1' src/lib/syscall.c | sort -u | tr $'\n' '|'
+syn match fjSyscall /\v\@(aio|basic-io|chown|clock|cpu-emulation|debug|default|default-keep|default-nodebuggers|file-system|io-event|ipc|keyring|memlock|module|mount|network-io|obsolete|privileged|process|raw-io|reboot|resources|setuid|signal|swap|sync|system-service|timer)>/ nextgroup=fjSyscallErrno contained
 syn match fjSyscall /\$[0-9]\+/ nextgroup=fjSyscallErrno contained
 " Errnos grabbed from: src/fseccomp/errno.c
-" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/fseccomp/errno.c | sort -u | tr $'\n' '|'
+" Generate list with: rg -o '"(E[^"]+)' -r '$1' src/lib/errno.c | sort -u | tr $'\n' '|'
 syn match fjSyscallErrno /\v(:(E2BIG|EACCES|EADDRINUSE|EADDRNOTAVAIL|EADV|EAFNOSUPPORT|EAGAIN|EALREADY|EBADE|EBADF|EBADFD|EBADMSG|EBADR|EBADRQC|EBADSLT|EBFONT|EBUSY|ECANCELED|ECHILD|ECHRNG|ECOMM|ECONNABORTED|ECONNREFUSED|ECONNRESET|EDEADLK|EDEADLOCK|EDESTADDRREQ|EDOM|EDOTDOT|EDQUOT|EEXIST|EFAULT|EFBIG|EHOSTDOWN|EHOSTUNREACH|EHWPOISON|EIDRM|EILSEQ|EINPROGRESS|EINTR|EINVAL|EIO|EISCONN|EISDIR|EISNAM|EKEYEXPIRED|EKEYREJECTED|EKEYREVOKED|EL2HLT|EL2NSYNC|EL3HLT|EL3RST|ELIBACC|ELIBBAD|ELIBEXEC|ELIBMAX|ELIBSCN|ELNRNG|ELOOP|EMEDIUMTYPE|EMFILE|EMLINK|EMSGSIZE|EMULTIHOP|ENAMETOOLONG|ENAVAIL|ENETDOWN|ENETRESET|ENETUNREACH|ENFILE|ENOANO|ENOATTR|ENOBUFS|ENOCSI|ENODATA|ENODEV|ENOENT|ENOEXEC|ENOKEY|ENOLCK|ENOLINK|ENOMEDIUM|ENOMEM|ENOMSG|ENONET|ENOPKG|ENOPROTOOPT|ENOSPC|ENOSR|ENOSTR|ENOSYS|ENOTBLK|ENOTCONN|ENOTDIR|ENOTEMPTY|ENOTNAM|ENOTRECOVERABLE|ENOTSOCK|ENOTSUP|ENOTTY|ENOTUNIQ|ENXIO|EOPNOTSUPP|EOVERFLOW|EOWNERDEAD|EPERM|EPFNOSUPPORT|EPIPE|EPROTO|EPROTONOSUPPORT|EPROTOTYPE|ERANGE|EREMCHG|EREMOTE|EREMOTEIO|ERESTART|ERFKILL|EROFS|ESHUTDOWN|ESOCKTNOSUPPORT|ESPIPE|ESRCH|ESRMNT|ESTALE|ESTRPIPE|ETIME|ETIMEDOUT|ETOOMANYREFS|ETXTBSY|EUCLEAN|EUNATCH|EUSERS|EWOULDBLOCK|EXDEV|EXFULL)>)?/ nextgroup=fjSyscallList contained
 syn match fjSyscallList /,/ nextgroup=fjSyscall contained
 
 syn keyword fjX11Sandbox none xephyr xorg xpra xvfb contained
+syn keyword fjSeccompAction kill log ERRNO contained
 
 syn match fjEnvVar "[A-Za-z0-9_]\+=" contained
 syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
@@ -40,6 +41,7 @@ syn match fjRmenvVar "[A-Za-z0-9_]\+" contained
 syn keyword fjAll all contained
 syn keyword fjNone none contained
 syn keyword fjLo lo contained
+syn keyword fjFilter filter contained
 
 " Variable names grabbed from: src/firejail/macros.c
 " Generate list with: rg -o '\$\{([^}]+)\}' -r '$1' src/firejail/macros.c | sort -u | tr $'\n' '|'
@@ -47,27 +49,30 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 
 " Commands grabbed from: src/firejail/profile.c
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
-syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
+syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
 syn match fjCommand /protocol / nextgroup=fjProtocol skipwhite contained
-syn match fjCommand /\vseccomp(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
+syn match fjCommand /\vseccomp(\.32)?(\.drop|\.keep)? / nextgroup=fjSyscall skipwhite contained
 syn match fjCommand /x11 / nextgroup=fjX11Sandbox skipwhite contained
 syn match fjCommand /env / nextgroup=fjEnvVar skipwhite contained
 syn match fjCommand /rmenv / nextgroup=fjRmenvVar skipwhite contained
 syn match fjCommand /shell / nextgroup=fjNone skipwhite contained
 syn match fjCommand /net / nextgroup=fjNone,fjLo skipwhite contained
 syn match fjCommand /ip / nextgroup=fjNone skipwhite contained
+syn match fjCommand /seccomp-error-action / nextgroup=fjSeccompAction skipwhite contained
+syn match fjCommand /\vdbus-(user|system) / nextgroup=fjFilter,fjNone skipwhite contained
+syn match fjCommand /\vdbus-(user|system)\.(broadcast|call|own|see|talk) / skipwhite contained
 " Commands that can't be inside a ?CONDITIONAL: statement
 syn match fjCommandNoCond /include / skipwhite contained
 syn match fjCommandNoCond /quiet$/ contained
 
 " Conditionals grabbed from: src/firejail/profile.c
 " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|'
-syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NODBUS) ?:/ nextgroup=fjCommand skipwhite contained
+syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
 
 " A line is either a command, a conditional or a comment
 syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
@@ -88,6 +93,8 @@ hi def link fjRmenvVar Type
 hi def link fjAll Type
 hi def link fjNone Type
 hi def link fjLo Type
+hi def link fjFilter Type
+hi def link fjSeccompAction Type
 
 
 let b:current_syntax = "firejail"
diff --git a/etc/firejail.config b/etc/firejail.config
index 9dd33b5ed..2e355586b 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -35,23 +35,12 @@
 # cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
-# Set the limit for file copy in several --private-* options. The size is set
-# in megabytes. By default we allow up to 500MB.
-# Note: the files are copied in RAM.
-# file-copy-limit 500
-
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
 
 # Enable Firejail green prompt in terminal, default disabled
 # firejail-prompt no
 
-# Follow symlink as user. While using --whitelist feature,
-# symlinks pointing outside home directory are followed only
-# if both the link and the real file are owned by the user.
-# Enabled by default
-# follow-symlink-as-user yes
-
 # Force use of nonewprivs.  This mitigates the possibility of
 # a user abusing firejail's features to trick a privileged (suid
 # or file capabilities) process into loading code or configuration
@@ -83,18 +72,35 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
+# Set the limit for file copy in several --private-* options. The size is set
+# in megabytes. By default we allow up to 500MB.
+# Note: the files are copied in RAM.
+# file-copy-limit 500
+
+# Enable or disable private-bin feature, default enabled.
+# private-bin yes
+
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
 
 # Enable or disable private-cache feature, default enabled
 # private-cache yes
 
+# Enable or disable private-etc feature, default enabled.
+# private-etc yes
+
 # Enable or disable private-home feature, default enabled
 # private-home yes
 
 # Enable or disable private-lib feature, default enabled
 # private-lib yes
 
+# Enable or disable private-opt feature, default enabled.
+# private-opt yes
+
+# Enable or disable private-srv feature, default enabled.
+# private-srv yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 
@@ -107,15 +113,16 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
+# Add rules to the default seccomp filter. Same syntax as for --seccomp=
+# None by default; this is an example.
+# seccomp-filter-add !chroot,kcmp,mincore
+
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
-# Enable or disable whitelisting support, default enabled.
-# whitelist yes
-
 # Disable whitelist top level directories, in addition to those
 # that are disabled out of the box. None by default; this is an example.
 # whitelist-disable-topdir /etc,/usr/etc
diff --git a/etc/inc/allow-bin-sh.inc b/etc/inc/allow-bin-sh.inc
index d6c295414..59cd40878 100644
--- a/etc/inc/allow-bin-sh.inc
+++ b/etc/inc/allow-bin-sh.inc
@@ -2,6 +2,6 @@
 # Persistent customizations should go in a .local file.
 include allow-bin-sh.local
 
-noblacklist ${PATH}/bash
-noblacklist ${PATH}/dash
-noblacklist ${PATH}/sh
+nodeny  ${PATH}/bash
+nodeny  ${PATH}/dash
+nodeny  ${PATH}/sh
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index babe46571..71b1483cd 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -3,35 +3,29 @@
 include allow-common-devel.local
 
 # Git
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
 
 # Java
-noblacklist ${HOME}/.gradle
-noblacklist ${HOME}/.java
+nodeny  ${HOME}/.gradle
+nodeny  ${HOME}/.java
 
 # Node.js
-noblacklist ${HOME}/.node-gyp
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
-noblacklist ${HOME}/.nvm
-noblacklist ${HOME}/.yarn
-noblacklist ${HOME}/.yarn-config
-noblacklist ${HOME}/.yarncache
-noblacklist ${HOME}/.yarnrc
+nodeny  ${HOME}/.node-gyp
+nodeny  ${HOME}/.npm
+nodeny  ${HOME}/.npmrc
+nodeny  ${HOME}/.nvm
+nodeny  ${HOME}/.yarn
+nodeny  ${HOME}/.yarn-config
+nodeny  ${HOME}/.yarncache
+nodeny  ${HOME}/.yarnrc
 
 # Python
-noblacklist ${HOME}/.pylint.d
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
+nodeny  ${HOME}/.pylint.d
+nodeny  ${HOME}/.python-history
+nodeny  ${HOME}/.python_history
+nodeny  ${HOME}/.pythonhist
 
 # Rust
-noblacklist ${HOME}/.cargo/advisory-db
-noblacklist ${HOME}/.cargo/config
-noblacklist ${HOME}/.cargo/git
-noblacklist ${HOME}/.cargo/registry
-noblacklist ${HOME}/.cargo/.crates.toml
-noblacklist ${HOME}/.cargo/.crates2.json
-noblacklist ${HOME}/.cargo/.package-cache
+nodeny  ${HOME}/.cargo/*
diff --git a/etc/inc/allow-gjs.inc b/etc/inc/allow-gjs.inc
index c1366e093..2e2490079 100644
--- a/etc/inc/allow-gjs.inc
+++ b/etc/inc/allow-gjs.inc
@@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-gjs.local
 
-noblacklist ${PATH}/gjs
-noblacklist ${PATH}/gjs-console
-noblacklist /usr/lib/gjs
-noblacklist /usr/lib/libgjs*
-noblacklist /usr/lib/libmozjs-*
-noblacklist /usr/lib64/gjs
-noblacklist /usr/lib64/libgjs*
-noblacklist /usr/lib64/libmozjs-*
+nodeny  ${PATH}/gjs
+nodeny  ${PATH}/gjs-console
+nodeny  /usr/lib/gjs
+nodeny  /usr/lib/libgjs*
+nodeny  /usr/lib/libmozjs-*
+nodeny  /usr/lib64/gjs
+nodeny  /usr/lib64/libgjs*
+nodeny  /usr/lib64/libmozjs-*
diff --git a/etc/inc/allow-java.inc b/etc/inc/allow-java.inc
index 24d18fb77..af44f3664 100644
--- a/etc/inc/allow-java.inc
+++ b/etc/inc/allow-java.inc
@@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-java.local
 
-noblacklist ${HOME}/.java
-noblacklist ${PATH}/java
-noblacklist /etc/java
-noblacklist /usr/lib/java
-noblacklist /usr/share/java
+nodeny  ${HOME}/.java
+nodeny  ${PATH}/java
+nodeny  /etc/java
+nodeny  /usr/lib/java
+nodeny  /usr/share/java
diff --git a/etc/inc/allow-lua.inc b/etc/inc/allow-lua.inc
index 9c47e7a3b..3d0a1997b 100644
--- a/etc/inc/allow-lua.inc
+++ b/etc/inc/allow-lua.inc
@@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-lua.local
 
-noblacklist ${PATH}/lua*
-noblacklist /usr/include
-noblacklist /usr/lib/liblua*
-noblacklist /usr/lib/lua
-noblacklist /usr/lib64/liblua*
-noblacklist /usr/lib64/lua
-noblacklist /usr/share/lua
-noblacklist /usr/share/lua*
+nodeny  ${PATH}/lua*
+nodeny  /usr/include
+nodeny  /usr/lib/liblua*
+nodeny  /usr/lib/lua
+nodeny  /usr/lib64/liblua*
+nodeny  /usr/lib64/lua
+nodeny  /usr/share/lua
+nodeny  /usr/share/lua*
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 351c94ab8..e915b3866 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-nodejs.local
 
-noblacklist ${PATH}/node
-noblacklist /usr/include/node
+nodeny  ${PATH}/node
+nodeny  /usr/include/node
 
 # Allow python for node-gyp (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc
index b5ff1bd50..00e35e983 100644
--- a/etc/inc/allow-opengl-game.inc
+++ b/etc/inc/allow-opengl-game.inc
@@ -1,3 +1,7 @@
-noblacklist ${PATH}/bash
-whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-opengl-game.local
+
+nodeny  ${PATH}/bash
+allow  /usr/share/opengl-games-utils/opengl-game-functions.sh
 private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
diff --git a/etc/inc/allow-perl.inc b/etc/inc/allow-perl.inc
index 5a1952c94..134d27239 100644
--- a/etc/inc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
@@ -2,11 +2,11 @@
 # Persistent customizations should go in a .local file.
 include allow-perl.local
 
-noblacklist ${PATH}/core_perl
-noblacklist ${PATH}/cpan*
-noblacklist ${PATH}/perl
-noblacklist ${PATH}/site_perl
-noblacklist ${PATH}/vendor_perl
-noblacklist /usr/lib/perl*
-noblacklist /usr/lib64/perl*
-noblacklist /usr/share/perl*
+nodeny  ${PATH}/core_perl
+nodeny  ${PATH}/cpan*
+nodeny  ${PATH}/perl
+nodeny  ${PATH}/site_perl
+nodeny  ${PATH}/vendor_perl
+nodeny  /usr/lib/perl*
+nodeny  /usr/lib64/perl*
+nodeny  /usr/share/perl*
diff --git a/etc/inc/allow-php.inc b/etc/inc/allow-php.inc
index a0950dc26..520c2019e 100644
--- a/etc/inc/allow-php.inc
+++ b/etc/inc/allow-php.inc
@@ -2,6 +2,6 @@
 # Persistent customizations should go in a .local file.
 include allow-php.local
 
-noblacklist ${PATH}/php*
-noblacklist /usr/lib/php*
-noblacklist /usr/share/php*
+nodeny  ${PATH}/php*
+nodeny  /usr/lib/php*
+nodeny  /usr/share/php*
diff --git a/etc/inc/allow-python2.inc b/etc/inc/allow-python2.inc
index b0525e2e1..f1830043a 100644
--- a/etc/inc/allow-python2.inc
+++ b/etc/inc/allow-python2.inc
@@ -2,8 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-python2.local
 
-noblacklist ${PATH}/python2*
-noblacklist /usr/include/python2*
-noblacklist /usr/lib/python2*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/share/python2*
+nodeny  ${PATH}/python2*
+nodeny  /usr/include/python2*
+nodeny  /usr/lib/python2*
+nodeny  /usr/local/lib/python2*
+nodeny  /usr/share/python2*
diff --git a/etc/inc/allow-python3.inc b/etc/inc/allow-python3.inc
index d968886b0..e4b6ed1a9 100644
--- a/etc/inc/allow-python3.inc
+++ b/etc/inc/allow-python3.inc
@@ -2,9 +2,9 @@
 # Persistent customizations should go in a .local file.
 include allow-python3.local
 
-noblacklist ${PATH}/python3*
-noblacklist /usr/include/python3*
-noblacklist /usr/lib/python3*
-noblacklist /usr/lib64/python3*
-noblacklist /usr/local/lib/python3*
-noblacklist /usr/share/python3*
+nodeny  ${PATH}/python3*
+nodeny  /usr/include/python3*
+nodeny  /usr/lib/python3*
+nodeny  /usr/lib64/python3*
+nodeny  /usr/local/lib/python3*
+nodeny  /usr/share/python3*
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..d949bbc84 100644
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -2,5 +2,5 @@
 # Persistent customizations should go in a .local file.
 include allow-ruby.local
 
-noblacklist ${PATH}/ruby
-noblacklist /usr/lib/ruby
+nodeny  ${PATH}/ruby
+nodeny  /usr/lib/ruby
diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 67c78a483..44957bf32 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -2,7 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-ssh.local
 
-noblacklist ${HOME}/.ssh
-noblacklist /etc/ssh
-noblacklist /etc/ssh/ssh_config
-noblacklist /tmp/ssh-*
+nodeny  ${HOME}/.ssh
+nodeny  /etc/ssh
+nodeny  /etc/ssh/ssh_config
+nodeny  /tmp/ssh-*
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 2dc53d311..1283a3a3d 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -5,63 +5,63 @@ include disable-common.local
 # The following block breaks trash functionality in file managers
 #read-only ${HOME}/.local
 #read-write ${HOME}/.local/share
-blacklist ${HOME}/.local/share/Trash
+deny  ${HOME}/.local/share/Trash
 
 # History files in $HOME and clipboard managers
-blacklist-nolog ${HOME}/.*_history
-blacklist-nolog ${HOME}/.adobe
-blacklist-nolog ${HOME}/.cache/greenclip*
-blacklist-nolog ${HOME}/.histfile
-blacklist-nolog ${HOME}/.history
-blacklist-nolog ${HOME}/.kde/share/apps/klipper
-blacklist-nolog ${HOME}/.kde4/share/apps/klipper
-blacklist-nolog ${HOME}/.local/share/fish/fish_history
-blacklist-nolog ${HOME}/.local/share/klipper
-blacklist-nolog ${HOME}/.macromedia
-blacklist-nolog ${HOME}/.mupdf.history
-blacklist-nolog ${HOME}/.python-history
-blacklist-nolog ${HOME}/.python_history
-blacklist-nolog ${HOME}/.pythonhist
-blacklist-nolog ${HOME}/.lesshst
-blacklist-nolog ${HOME}/.viminfo
-blacklist-nolog /tmp/clipmenu*
+deny-nolog  ${HOME}/.*_history
+deny-nolog  ${HOME}/.adobe
+deny-nolog  ${HOME}/.cache/greenclip*
+deny-nolog  ${HOME}/.histfile
+deny-nolog  ${HOME}/.history
+deny-nolog  ${HOME}/.kde/share/apps/klipper
+deny-nolog  ${HOME}/.kde4/share/apps/klipper
+deny-nolog  ${HOME}/.local/share/fish/fish_history
+deny-nolog  ${HOME}/.local/share/klipper
+deny-nolog  ${HOME}/.macromedia
+deny-nolog  ${HOME}/.mupdf.history
+deny-nolog  ${HOME}/.python-history
+deny-nolog  ${HOME}/.python_history
+deny-nolog  ${HOME}/.pythonhist
+deny-nolog  ${HOME}/.lesshst
+deny-nolog  ${HOME}/.viminfo
+deny-nolog  /tmp/clipmenu*
 
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
-blacklist ${HOME}/.Xsession
-blacklist ${HOME}/.blackbox
-blacklist ${HOME}/.config/autostart
-blacklist ${HOME}/.config/autostart-scripts
-blacklist ${HOME}/.config/awesome
-blacklist ${HOME}/.config/i3
-blacklist ${HOME}/.config/sway
-blacklist ${HOME}/.config/lxsession/LXDE/autostart
-blacklist ${HOME}/.config/openbox
-blacklist ${HOME}/.config/plasma-workspace
-blacklist ${HOME}/.config/startupconfig
-blacklist ${HOME}/.config/startupconfigkeys
-blacklist ${HOME}/.fluxbox
-blacklist ${HOME}/.gnomerc
-blacklist ${HOME}/.kde/Autostart
-blacklist ${HOME}/.kde/env
-blacklist ${HOME}/.kde/share/autostart
-blacklist ${HOME}/.kde/share/config/startupconfig
-blacklist ${HOME}/.kde/share/config/startupconfigkeys
-blacklist ${HOME}/.kde/shutdown
-blacklist ${HOME}/.kde4/env
-blacklist ${HOME}/.kde4/Autostart
-blacklist ${HOME}/.kde4/share/autostart
-blacklist ${HOME}/.kde4/shutdown
-blacklist ${HOME}/.kde4/share/config/startupconfig
-blacklist ${HOME}/.kde4/share/config/startupconfigkeys
-blacklist ${HOME}/.local/share/autostart
-blacklist ${HOME}/.xinitrc
-blacklist ${HOME}/.xprofile
-blacklist ${HOME}/.xserverrc
-blacklist ${HOME}/.xsession
-blacklist ${HOME}/.xsessionrc
-blacklist /etc/X11/Xsession.d
-blacklist /etc/xdg/autostart
+deny  ${HOME}/.Xsession
+deny  ${HOME}/.blackbox
+deny  ${HOME}/.config/autostart
+deny  ${HOME}/.config/autostart-scripts
+deny  ${HOME}/.config/awesome
+deny  ${HOME}/.config/i3
+deny  ${HOME}/.config/sway
+deny  ${HOME}/.config/lxsession/LXDE/autostart
+deny  ${HOME}/.config/openbox
+deny  ${HOME}/.config/plasma-workspace
+deny  ${HOME}/.config/startupconfig
+deny  ${HOME}/.config/startupconfigkeys
+deny  ${HOME}/.fluxbox
+deny  ${HOME}/.gnomerc
+deny  ${HOME}/.kde/Autostart
+deny  ${HOME}/.kde/env
+deny  ${HOME}/.kde/share/autostart
+deny  ${HOME}/.kde/share/config/startupconfig
+deny  ${HOME}/.kde/share/config/startupconfigkeys
+deny  ${HOME}/.kde/shutdown
+deny  ${HOME}/.kde4/env
+deny  ${HOME}/.kde4/Autostart
+deny  ${HOME}/.kde4/share/autostart
+deny  ${HOME}/.kde4/shutdown
+deny  ${HOME}/.kde4/share/config/startupconfig
+deny  ${HOME}/.kde4/share/config/startupconfigkeys
+deny  ${HOME}/.local/share/autostart
+deny  ${HOME}/.xinitrc
+deny  ${HOME}/.xprofile
+deny  ${HOME}/.xserverrc
+deny  ${HOME}/.xsession
+deny  ${HOME}/.xsessionrc
+deny  /etc/X11/Xsession.d
+deny  /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
 
 # Session manager
@@ -70,46 +70,46 @@ read-only ${HOME}/.Xauthority
 #?HAS_X11: blacklist /tmp/.ICE-unix
 
 # KDE config
-blacklist ${HOME}/.cache/konsole
-blacklist ${HOME}/.config/khotkeysrc
-blacklist ${HOME}/.config/krunnerrc
-blacklist ${HOME}/.config/kscreenlockerrc
-blacklist ${HOME}/.config/ksslcertificatemanager
-blacklist ${HOME}/.config/kwalletrc
-blacklist ${HOME}/.config/kwinrc
-blacklist ${HOME}/.config/kwinrulesrc
-blacklist ${HOME}/.config/plasma-locale-settings.sh
-blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
-blacklist ${HOME}/.config/plasmashellrc
-blacklist ${HOME}/.config/plasmavaultrc
-blacklist ${HOME}/.kde/share/apps/kwin
-blacklist ${HOME}/.kde/share/apps/plasma
-blacklist ${HOME}/.kde/share/apps/solid
-blacklist ${HOME}/.kde/share/config/khotkeysrc
-blacklist ${HOME}/.kde/share/config/krunnerrc
-blacklist ${HOME}/.kde/share/config/kscreensaverrc
-blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
-blacklist ${HOME}/.kde/share/config/kwalletrc
-blacklist ${HOME}/.kde/share/config/kwinrc
-blacklist ${HOME}/.kde/share/config/kwinrulesrc
-blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.kde4/share/apps/kwin
-blacklist ${HOME}/.kde4/share/apps/plasma
-blacklist ${HOME}/.kde4/share/apps/solid
-blacklist ${HOME}/.kde4/share/config/khotkeysrc
-blacklist ${HOME}/.kde4/share/config/krunnerrc
-blacklist ${HOME}/.kde4/share/config/kscreensaverrc
-blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
-blacklist ${HOME}/.kde4/share/config/kwalletrc
-blacklist ${HOME}/.kde4/share/config/kwinrc
-blacklist ${HOME}/.kde4/share/config/kwinrulesrc
-blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
-blacklist ${HOME}/.local/share/kglobalaccel
-blacklist ${HOME}/.local/share/kwin
-blacklist ${HOME}/.local/share/plasma
-blacklist ${HOME}/.local/share/plasmashell
-blacklist ${HOME}/.local/share/solid
-blacklist /tmp/konsole-*.history
+deny  ${HOME}/.cache/konsole
+deny  ${HOME}/.config/khotkeysrc
+deny  ${HOME}/.config/krunnerrc
+deny  ${HOME}/.config/kscreenlockerrc
+deny  ${HOME}/.config/ksslcertificatemanager
+deny  ${HOME}/.config/kwalletrc
+deny  ${HOME}/.config/kwinrc
+deny  ${HOME}/.config/kwinrulesrc
+deny  ${HOME}/.config/plasma-locale-settings.sh
+deny  ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
+deny  ${HOME}/.config/plasmashellrc
+deny  ${HOME}/.config/plasmavaultrc
+deny  ${HOME}/.kde/share/apps/kwin
+deny  ${HOME}/.kde/share/apps/plasma
+deny  ${HOME}/.kde/share/apps/solid
+deny  ${HOME}/.kde/share/config/khotkeysrc
+deny  ${HOME}/.kde/share/config/krunnerrc
+deny  ${HOME}/.kde/share/config/kscreensaverrc
+deny  ${HOME}/.kde/share/config/ksslcertificatemanager
+deny  ${HOME}/.kde/share/config/kwalletrc
+deny  ${HOME}/.kde/share/config/kwinrc
+deny  ${HOME}/.kde/share/config/kwinrulesrc
+deny  ${HOME}/.kde/share/config/plasma-desktop-appletsrc
+deny  ${HOME}/.kde4/share/apps/kwin
+deny  ${HOME}/.kde4/share/apps/plasma
+deny  ${HOME}/.kde4/share/apps/solid
+deny  ${HOME}/.kde4/share/config/khotkeysrc
+deny  ${HOME}/.kde4/share/config/krunnerrc
+deny  ${HOME}/.kde4/share/config/kscreensaverrc
+deny  ${HOME}/.kde4/share/config/ksslcertificatemanager
+deny  ${HOME}/.kde4/share/config/kwalletrc
+deny  ${HOME}/.kde4/share/config/kwinrc
+deny  ${HOME}/.kde4/share/config/kwinrulesrc
+deny  ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
+deny  ${HOME}/.local/share/kglobalaccel
+deny  ${HOME}/.local/share/kwin
+deny  ${HOME}/.local/share/plasma
+deny  ${HOME}/.local/share/plasmashell
+deny  ${HOME}/.local/share/solid
+deny  /tmp/konsole-*.history
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
 read-only ${HOME}/.config/kdeglobals
@@ -138,124 +138,139 @@ read-only ${HOME}/.local/share/kservices5
 read-only ${HOME}/.local/share/kssl
 
 # KDE sockets
-blacklist ${RUNUSER}/*.slave-socket
-blacklist ${RUNUSER}/kdeinit5__*
-blacklist ${RUNUSER}/kdesud_*
+deny  ${RUNUSER}/*.slave-socket
+deny  ${RUNUSER}/kdeinit5__*
+deny  ${RUNUSER}/kdesud_*
 # see #3358
 #?HAS_NODBUS: blacklist ${RUNUSER}/ksocket-*
 #?HAS_NODBUS: blacklist /tmp/ksocket-*
 
 # gnome
 # contains extensions, last used times of applications, and notifications
-blacklist ${HOME}/.local/share/gnome-shell
+deny  ${HOME}/.local/share/gnome-shell
 # contains recently used files and serials of static/removable storage
-blacklist ${HOME}/.local/share/gvfs-metadata
+deny  ${HOME}/.local/share/gvfs-metadata
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
-blacklist ${RUNUSER}/gnome-session-leader-fifo
-blacklist ${RUNUSER}/gnome-shell
-blacklist ${RUNUSER}/gsconnect
+deny  ${RUNUSER}/gnome-session-leader-fifo
+deny  ${RUNUSER}/gnome-shell
+deny  ${RUNUSER}/gsconnect
 
 # systemd
-blacklist ${HOME}/.config/systemd
-blacklist ${HOME}/.local/share/systemd
-blacklist /var/lib/systemd
-blacklist ${PATH}/systemd-run
-blacklist ${RUNUSER}/systemd
+deny  ${HOME}/.config/systemd
+deny  ${HOME}/.local/share/systemd
+deny  /var/lib/systemd
+deny  ${PATH}/systemd-run
+deny  ${RUNUSER}/systemd
+deny  ${PATH}/systemctl
+deny  /etc/systemd/system
+deny  /etc/systemd/network
 # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf
 #blacklist /var/run/systemd
 
 # openrc
-blacklist /etc/runlevels/
-blacklist /etc/init.d/
-blacklist /etc/rc.conf
+deny  /etc/runlevels/
+deny  /etc/init.d/
+deny  /etc/rc.conf
 
 # VirtualBox
-blacklist ${HOME}/.VirtualBox
-blacklist ${HOME}/.config/VirtualBox
-blacklist ${HOME}/VirtualBox VMs
+deny  ${HOME}/.VirtualBox
+deny  ${HOME}/.config/VirtualBox
+deny  ${HOME}/VirtualBox VMs
 
 # GNOME Boxes
-blacklist ${HOME}/.config/gnome-boxes
-blacklist ${HOME}/.local/share/gnome-boxes
+deny  ${HOME}/.config/gnome-boxes
+deny  ${HOME}/.local/share/gnome-boxes
 
 # libvirt
-blacklist ${HOME}/.cache/libvirt
-blacklist ${HOME}/.config/libvirt
-blacklist ${RUNUSER}/libvirt
-blacklist /var/cache/libvirt
-blacklist /var/lib/libvirt
-blacklist /var/log/libvirt
+deny  ${HOME}/.cache/libvirt
+deny  ${HOME}/.config/libvirt
+deny  ${RUNUSER}/libvirt
+deny  /var/cache/libvirt
+deny  /var/lib/libvirt
+deny  /var/log/libvirt
 
 # OCI-Containers / Podman
-blacklist ${RUNUSER}/containers
-blacklist ${RUNUSER}/crun
-blacklist ${RUNUSER}/libpod
-blacklist ${RUNUSER}/runc
-blacklist ${RUNUSER}/toolbox
+deny  ${RUNUSER}/containers
+deny  ${RUNUSER}/crun
+deny  ${RUNUSER}/libpod
+deny  ${RUNUSER}/runc
+deny  ${RUNUSER}/toolbox
 
 # VeraCrypt
-blacklist ${HOME}/.VeraCrypt
-blacklist ${PATH}/veracrypt
-blacklist ${PATH}/veracrypt-uninstall.sh
-blacklist /usr/share/applications/veracrypt.*
-blacklist /usr/share/pixmaps/veracrypt.*
-blacklist /usr/share/veracrypt
+deny  ${HOME}/.VeraCrypt
+deny  ${PATH}/veracrypt
+deny  ${PATH}/veracrypt-uninstall.sh
+deny  /usr/share/applications/veracrypt.*
+deny  /usr/share/pixmaps/veracrypt.*
+deny  /usr/share/veracrypt
 
 # TrueCrypt
-blacklist ${HOME}/.TrueCrypt
-blacklist ${PATH}/truecrypt
-blacklist ${PATH}/truecrypt-uninstall.sh
-blacklist /usr/share/applications/truecrypt.*
-blacklist /usr/share/pixmaps/truecrypt.*
-blacklist /usr/share/truecrypt
+deny  ${HOME}/.TrueCrypt
+deny  ${PATH}/truecrypt
+deny  ${PATH}/truecrypt-uninstall.sh
+deny  /usr/share/applications/truecrypt.*
+deny  /usr/share/pixmaps/truecrypt.*
+deny  /usr/share/truecrypt
 
 # zuluCrypt
-blacklist ${HOME}/.zuluCrypt
-blacklist ${HOME}/.zuluCrypt-socket
-blacklist ${PATH}/zuluCrypt-cli
-blacklist ${PATH}/zuluMount-cli
+deny  ${HOME}/.zuluCrypt
+deny  ${HOME}/.zuluCrypt-socket
+deny  ${PATH}/zuluCrypt-cli
+deny  ${PATH}/zuluMount-cli
 
 # var
-blacklist /var/cache/apt
-blacklist /var/cache/pacman
-blacklist /var/lib/apt
-blacklist /var/lib/clamav
-blacklist /var/lib/dkms
-blacklist /var/lib/mysql/mysql.sock
-blacklist /var/lib/mysqld/mysql.sock
-blacklist /var/lib/pacman
-blacklist /var/lib/upower
+deny  /var/cache/apt
+deny  /var/cache/pacman
+deny  /var/lib/apt
+deny  /var/lib/clamav
+deny  /var/lib/dkms
+deny  /var/lib/mysql/mysql.sock
+deny  /var/lib/mysqld/mysql.sock
+deny  /var/lib/pacman
+deny  /var/lib/upower
 # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
 # every sandbox, unless --writable-var-log switch is activated
-blacklist /var/mail
-blacklist /var/opt
-blacklist /var/run/acpid.socket
-blacklist /var/run/docker.sock
-blacklist /var/run/minissdpd.sock
-blacklist /var/run/mysql/mysqld.sock
-blacklist /var/run/mysqld/mysqld.sock
-blacklist /var/run/rpcbind.sock
-blacklist /var/run/screens
-blacklist /var/spool/anacron
-blacklist /var/spool/cron
-blacklist /var/spool/mail
+deny  /var/mail
+deny  /var/opt
+deny  /var/run/acpid.socket
+deny  /var/run/docker.sock
+deny  /var/run/minissdpd.sock
+deny  /var/run/mysql/mysqld.sock
+deny  /var/run/mysqld/mysqld.sock
+deny  /var/run/rpcbind.sock
+deny  /var/run/screens
+deny  /var/spool/anacron
+deny  /var/spool/cron
+deny  /var/spool/mail
 
 # etc
-blacklist /etc/anacrontab
-blacklist /etc/cron*
-blacklist /etc/profile.d
-blacklist /etc/rc.local
+deny  /etc/anacrontab
+deny  /etc/cron*
+deny  /etc/profile.d
+deny  /etc/rc.local
 # rc1.d, rc2.d, ...
-blacklist /etc/rc?.d
-blacklist /etc/kernel*
-blacklist /etc/grub*
-blacklist /etc/dkms
-blacklist /etc/apparmor*
-blacklist /etc/selinux
-blacklist /etc/modules*
-blacklist /etc/logrotate*
-blacklist /etc/adduser.conf
+deny  /etc/rc?.d
+deny  /etc/kernel*
+deny  /etc/grub*
+deny  /etc/dkms
+deny  /etc/apparmor*
+deny  /etc/selinux
+deny  /etc/modules*
+deny  /etc/logrotate*
+deny  /etc/adduser.conf
+
+# hide config for various intrusion detection systems
+deny  /etc/rkhunter.conf
+deny  /var/lib/rkhunter
+deny  /etc/chkrootkit.conf
+deny  /etc/lynis
+deny  /etc/aide
+deny  /etc/logcheck
+deny  /etc/tripwire
+deny  /etc/snort
+deny  /etc/fail2ban.conf
+deny  /etc/suricata
 
 # Startup files
 read-only ${HOME}/.antigen
@@ -292,13 +307,13 @@ read-only ${HOME}/.zshrc
 read-only ${HOME}/.zshrc.local
 
 # Remote access
-blacklist ${HOME}/.rhosts
-blacklist ${HOME}/.shosts
-blacklist ${HOME}/.ssh/authorized_keys
-blacklist ${HOME}/.ssh/authorized_keys2
-blacklist ${HOME}/.ssh/environment
-blacklist ${HOME}/.ssh/rc
-blacklist /etc/hosts.equiv
+deny  ${HOME}/.rhosts
+deny  ${HOME}/.shosts
+deny  ${HOME}/.ssh/authorized_keys
+deny  ${HOME}/.ssh/authorized_keys2
+deny  ${HOME}/.ssh/environment
+deny  ${HOME}/.ssh/rc
+deny  /etc/hosts.equiv
 read-only ${HOME}/.ssh/config
 read-only ${HOME}/.ssh/config.d
 
@@ -359,200 +374,200 @@ read-only ${HOME}/.local/share/mime
 read-only ${HOME}/.local/share/thumbnailers
 
 # prevent access to ssh-agent
-blacklist /tmp/ssh-*
+deny  /tmp/ssh-*
 
 # top secret
-blacklist ${HOME}/*.kdb
-blacklist ${HOME}/*.kdbx
-blacklist ${HOME}/*.key
-blacklist ${HOME}/.Private
-blacklist ${HOME}/.caff
-blacklist ${HOME}/.cargo/credentials
-blacklist ${HOME}/.cargo/credentials.toml
-blacklist ${HOME}/.cert
-blacklist ${HOME}/.config/keybase
-blacklist ${HOME}/.davfs2/secrets
-blacklist ${HOME}/.ecryptfs
-blacklist ${HOME}/.fetchmailrc
-blacklist ${HOME}/.fscrypt
-blacklist ${HOME}/.git-credential-cache
-blacklist ${HOME}/.git-credentials
-blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.config/hub
-blacklist ${HOME}/.kde/share/apps/kwallet
-blacklist ${HOME}/.kde4/share/apps/kwallet
-blacklist ${HOME}/.local/share/keyrings
-blacklist ${HOME}/.local/share/kwalletd
-blacklist ${HOME}/.local/share/plasma-vault
-blacklist ${HOME}/.msmtprc
-blacklist ${HOME}/.mutt
-blacklist ${HOME}/.muttrc
-blacklist ${HOME}/.netrc
-blacklist ${HOME}/.nyx
-blacklist ${HOME}/.pki
-blacklist ${HOME}/.local/share/pki
-blacklist ${HOME}/.smbcredentials
-blacklist ${HOME}/.ssh
-blacklist ${HOME}/.vaults
-blacklist /.fscrypt
-blacklist /etc/davfs2/secrets
-blacklist /etc/group+
-blacklist /etc/group-
-blacklist /etc/gshadow
-blacklist /etc/gshadow+
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/passwd-
-blacklist /etc/shadow
-blacklist /etc/shadow+
-blacklist /etc/shadow-
-blacklist /etc/ssh
-blacklist /etc/ssh/*
-blacklist /home/.ecryptfs
-blacklist /home/.fscrypt
-blacklist /var/backup
+deny  ${HOME}/*.kdb
+deny  ${HOME}/*.kdbx
+deny  ${HOME}/*.key
+deny  ${HOME}/.Private
+deny  ${HOME}/.caff
+deny  ${HOME}/.cargo/credentials
+deny  ${HOME}/.cargo/credentials.toml
+deny  ${HOME}/.cert
+deny  ${HOME}/.config/keybase
+deny  ${HOME}/.davfs2/secrets
+deny  ${HOME}/.ecryptfs
+deny  ${HOME}/.fetchmailrc
+deny  ${HOME}/.fscrypt
+deny  ${HOME}/.git-credential-cache
+deny  ${HOME}/.git-credentials
+deny  ${HOME}/.gnome2/keyrings
+deny  ${HOME}/.gnupg
+deny  ${HOME}/.config/hub
+deny  ${HOME}/.kde/share/apps/kwallet
+deny  ${HOME}/.kde4/share/apps/kwallet
+deny  ${HOME}/.local/share/keyrings
+deny  ${HOME}/.local/share/kwalletd
+deny  ${HOME}/.local/share/plasma-vault
+deny  ${HOME}/.msmtprc
+deny  ${HOME}/.mutt
+deny  ${HOME}/.muttrc
+deny  ${HOME}/.netrc
+deny  ${HOME}/.nyx
+deny  ${HOME}/.pki
+deny  ${HOME}/.local/share/pki
+deny  ${HOME}/.smbcredentials
+deny  ${HOME}/.ssh
+deny  ${HOME}/.vaults
+deny  /.fscrypt
+deny  /etc/davfs2/secrets
+deny  /etc/group+
+deny  /etc/group-
+deny  /etc/gshadow
+deny  /etc/gshadow+
+deny  /etc/gshadow-
+deny  /etc/passwd+
+deny  /etc/passwd-
+deny  /etc/shadow
+deny  /etc/shadow+
+deny  /etc/shadow-
+deny  /etc/ssh
+deny  /etc/ssh/*
+deny  /home/.ecryptfs
+deny  /home/.fscrypt
+deny  /var/backup
 
 # cloud provider configuration
-blacklist ${HOME}/.aws
-blacklist ${HOME}/.boto
-blacklist ${HOME}/.config/gcloud
-blacklist ${HOME}/.kube
-blacklist ${HOME}/.passwd-s3fs
-blacklist ${HOME}/.s3cmd
-blacklist /etc/boto.cfg
+deny  ${HOME}/.aws
+deny  ${HOME}/.boto
+deny  ${HOME}/.config/gcloud
+deny  ${HOME}/.kube
+deny  ${HOME}/.passwd-s3fs
+deny  ${HOME}/.s3cmd
+deny  /etc/boto.cfg
 
 # system directories
-blacklist /sbin
-blacklist /usr/local/sbin
-blacklist /usr/sbin
+deny  /sbin
+deny  /usr/local/sbin
+deny  /usr/sbin
 
 # system management
-blacklist ${PATH}/at
-blacklist ${PATH}/busybox
-blacklist ${PATH}/chage
-blacklist ${PATH}/chfn
-blacklist ${PATH}/chsh
-blacklist ${PATH}/crontab
-blacklist ${PATH}/evtest
-blacklist ${PATH}/expiry
-blacklist ${PATH}/fusermount
-blacklist ${PATH}/gksu
-blacklist ${PATH}/gksudo
-blacklist ${PATH}/gpasswd
-blacklist ${PATH}/kdesudo
-blacklist ${PATH}/ksu
-blacklist ${PATH}/mount
-blacklist ${PATH}/mount.ecryptfs_private
-blacklist ${PATH}/nc
-blacklist ${PATH}/ncat
-blacklist ${PATH}/nmap
-blacklist ${PATH}/newgidmap
-blacklist ${PATH}/newgrp
-blacklist ${PATH}/newuidmap
-blacklist ${PATH}/ntfs-3g
-blacklist ${PATH}/pkexec
-blacklist ${PATH}/procmail
-blacklist ${PATH}/sg
-blacklist ${PATH}/strace
-blacklist ${PATH}/su
-blacklist ${PATH}/sudo
-blacklist ${PATH}/tcpdump
-blacklist ${PATH}/umount
-blacklist ${PATH}/unix_chkpwd
-blacklist ${PATH}/xev
-blacklist ${PATH}/xinput
+deny  ${PATH}/at
+deny  ${PATH}/busybox
+deny  ${PATH}/chage
+deny  ${PATH}/chfn
+deny  ${PATH}/chsh
+deny  ${PATH}/crontab
+deny  ${PATH}/evtest
+deny  ${PATH}/expiry
+deny  ${PATH}/fusermount
+deny  ${PATH}/gksu
+deny  ${PATH}/gksudo
+deny  ${PATH}/gpasswd
+deny  ${PATH}/kdesudo
+deny  ${PATH}/ksu
+deny  ${PATH}/mount
+deny  ${PATH}/mount.ecryptfs_private
+deny  ${PATH}/nc
+deny  ${PATH}/ncat
+deny  ${PATH}/nmap
+deny  ${PATH}/newgidmap
+deny  ${PATH}/newgrp
+deny  ${PATH}/newuidmap
+deny  ${PATH}/ntfs-3g
+deny  ${PATH}/pkexec
+deny  ${PATH}/procmail
+deny  ${PATH}/sg
+deny  ${PATH}/strace
+deny  ${PATH}/su
+deny  ${PATH}/sudo
+deny  ${PATH}/tcpdump
+deny  ${PATH}/umount
+deny  ${PATH}/unix_chkpwd
+deny  ${PATH}/xev
+deny  ${PATH}/xinput
 
 # other SUID binaries
-blacklist /usr/lib/virtualbox
-blacklist /usr/lib64/virtualbox
+deny  /usr/lib/virtualbox
+deny  /usr/lib64/virtualbox
 
 # prevent lxterminal connecting to an existing lxterminal session
-blacklist /tmp/.lxterminal-socket*
+deny  /tmp/.lxterminal-socket*
 # prevent tmux connecting to an existing session
-blacklist /tmp/tmux-*
+deny  /tmp/tmux-*
 
 # disable terminals running as server resulting in sandbox escape
-blacklist ${PATH}/lxterminal
-blacklist ${PATH}/gnome-terminal
-blacklist ${PATH}/gnome-terminal.wrapper
-blacklist ${PATH}/lilyterm
-blacklist ${PATH}/mate-terminal
-blacklist ${PATH}/mate-terminal.wrapper
-blacklist ${PATH}/pantheon-terminal
-blacklist ${PATH}/roxterm
-blacklist ${PATH}/roxterm-config
-blacklist ${PATH}/terminix
-blacklist ${PATH}/tilix
-blacklist ${PATH}/urxvtc
-blacklist ${PATH}/urxvtcd
-blacklist ${PATH}/xfce4-terminal
-blacklist ${PATH}/xfce4-terminal.wrapper
+deny  ${PATH}/lxterminal
+deny  ${PATH}/gnome-terminal
+deny  ${PATH}/gnome-terminal.wrapper
+deny  ${PATH}/lilyterm
+deny  ${PATH}/mate-terminal
+deny  ${PATH}/mate-terminal.wrapper
+deny  ${PATH}/pantheon-terminal
+deny  ${PATH}/roxterm
+deny  ${PATH}/roxterm-config
+deny  ${PATH}/terminix
+deny  ${PATH}/tilix
+deny  ${PATH}/urxvtc
+deny  ${PATH}/urxvtcd
+deny  ${PATH}/xfce4-terminal
+deny  ${PATH}/xfce4-terminal.wrapper
 # blacklist ${PATH}/konsole
 # konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
 
 # kernel files
-blacklist /initrd*
-blacklist /vmlinuz*
+deny  /initrd*
+deny  /vmlinuz*
 
 # snapshot files
-blacklist /.snapshots
+deny  /.snapshots
 
 # flatpak
-blacklist ${HOME}/.cache/flatpak
-blacklist ${HOME}/.config/flatpak
-noblacklist ${HOME}/.local/share/flatpak/exports
+deny  ${HOME}/.cache/flatpak
+deny  ${HOME}/.config/flatpak
+nodeny  ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
-blacklist ${HOME}/.local/share/flatpak/*
-blacklist ${HOME}/.var
-blacklist ${RUNUSER}/app
-blacklist ${RUNUSER}/doc
-blacklist ${RUNUSER}/.dbus-proxy
-blacklist ${RUNUSER}/.flatpak
-blacklist ${RUNUSER}/.flatpak-cache
-blacklist ${RUNUSER}/.flatpak-helper
-blacklist /usr/share/flatpak
-noblacklist /var/lib/flatpak/exports
-blacklist /var/lib/flatpak/*
+deny  ${HOME}/.local/share/flatpak/*
+deny  ${HOME}/.var
+deny  ${RUNUSER}/app
+deny  ${RUNUSER}/doc
+deny  ${RUNUSER}/.dbus-proxy
+deny  ${RUNUSER}/.flatpak
+deny  ${RUNUSER}/.flatpak-cache
+deny  ${RUNUSER}/.flatpak-helper
+deny  /usr/share/flatpak
+nodeny  /var/lib/flatpak/exports
+deny  /var/lib/flatpak/*
 # most of the time bwrap is SUID binary
-blacklist ${PATH}/bwrap
+deny  ${PATH}/bwrap
 
 # snap
-blacklist ${RUNUSER}/snapd-session-agent.socket
+deny  ${RUNUSER}/snapd-session-agent.socket
 
 # mail directories used by mutt
-blacklist ${HOME}/.Mail
-blacklist ${HOME}/.mail
-blacklist ${HOME}/.signature
-blacklist ${HOME}/Mail
-blacklist ${HOME}/mail
-blacklist ${HOME}/postponed
-blacklist ${HOME}/sent
+deny  ${HOME}/.Mail
+deny  ${HOME}/.mail
+deny  ${HOME}/.signature
+deny  ${HOME}/Mail
+deny  ${HOME}/mail
+deny  ${HOME}/postponed
+deny  ${HOME}/sent
 
 # kernel configuration
-blacklist /proc/config.gz
+deny  /proc/config.gz
 
 # prevent DNS malware attempting to communicate with the server
 # using regular DNS tools
-blacklist ${PATH}/dig
-blacklist ${PATH}/dlint
-blacklist ${PATH}/dns2tcp
-blacklist ${PATH}/dnssec-*
-blacklist ${PATH}/dnswalk
-blacklist ${PATH}/drill
-blacklist ${PATH}/host
-blacklist ${PATH}/iodine
-blacklist ${PATH}/kdig
-blacklist ${PATH}/khost
-blacklist ${PATH}/knsupdate
-blacklist ${PATH}/ldns-*
-blacklist ${PATH}/ldnsd
-blacklist ${PATH}/nslookup
-blacklist ${PATH}/resolvectl
-blacklist ${PATH}/unbound-host
+deny  ${PATH}/dig
+deny  ${PATH}/dlint
+deny  ${PATH}/dns2tcp
+deny  ${PATH}/dnssec-*
+deny  ${PATH}/dnswalk
+deny  ${PATH}/drill
+deny  ${PATH}/host
+deny  ${PATH}/iodine
+deny  ${PATH}/kdig
+deny  ${PATH}/khost
+deny  ${PATH}/knsupdate
+deny  ${PATH}/ldns-*
+deny  ${PATH}/ldnsd
+deny  ${PATH}/nslookup
+deny  ${PATH}/resolvectl
+deny  ${PATH}/unbound-host
 
 # rest of ${RUNUSER}
-blacklist ${RUNUSER}/*.lock
-blacklist ${RUNUSER}/inaccessible
-blacklist ${RUNUSER}/pk-debconf-socket
-blacklist ${RUNUSER}/update-notifier.pid
+deny  ${RUNUSER}/*.lock
+deny  ${RUNUSER}/inaccessible
+deny  ${RUNUSER}/pk-debconf-socket
+deny  ${RUNUSER}/update-notifier.pid
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index e74b1b40b..a893eb3f3 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -5,65 +5,65 @@ include disable-devel.local
 # development tools
 
 # clang/llvm
-blacklist ${PATH}/clang*
-blacklist ${PATH}/lldb*
-blacklist ${PATH}/llvm*
+deny  ${PATH}/clang*
+deny  ${PATH}/lldb*
+deny  ${PATH}/llvm*
 # see issue #2106 - it disables hardware acceleration in Firefox on Radeon GPU
 # blacklist /usr/lib/llvm*
 
 # GCC
-blacklist ${PATH}/as
-blacklist ${PATH}/cc
-blacklist ${PATH}/c++*
-blacklist ${PATH}/c8*
-blacklist ${PATH}/c9*
-blacklist ${PATH}/cpp*
-blacklist ${PATH}/g++*
-blacklist ${PATH}/gcc*
-blacklist ${PATH}/gdb
-blacklist ${PATH}/ld
-blacklist ${PATH}/*-gcc*
-blacklist ${PATH}/*-g++*
-blacklist ${PATH}/*-gcc*
-blacklist ${PATH}/*-g++*
+deny  ${PATH}/as
+deny  ${PATH}/cc
+deny  ${PATH}/c++*
+deny  ${PATH}/c8*
+deny  ${PATH}/c9*
+deny  ${PATH}/cpp*
+deny  ${PATH}/g++*
+deny  ${PATH}/gcc*
+deny  ${PATH}/gdb
+deny  ${PATH}/ld
+deny  ${PATH}/*-gcc*
+deny  ${PATH}/*-g++*
+deny  ${PATH}/*-gcc*
+deny  ${PATH}/*-g++*
 # seems to create problems on Gentoo
 #blacklist /usr/lib/gcc
 
 #Go
-blacklist ${PATH}/gccgo
-blacklist ${PATH}/go
-blacklist ${PATH}/gofmt
+deny  ${PATH}/gccgo
+deny  ${PATH}/go
+deny  ${PATH}/gofmt
 
 # Java
-blacklist ${PATH}/java
-blacklist ${PATH}/javac
-blacklist /etc/java
-blacklist /usr/lib/java
-blacklist /usr/share/java
+deny  ${PATH}/java
+deny  ${PATH}/javac
+deny  /etc/java
+deny  /usr/lib/java
+deny  /usr/share/java
 
 #OpenSSL
-blacklist ${PATH}/openssl
-blacklist ${PATH}/openssl-1.0
+deny  ${PATH}/openssl
+deny  ${PATH}/openssl-1.0
 
 #Rust
-blacklist ${PATH}/rust-gdb
-blacklist ${PATH}/rust-lldb
-blacklist ${PATH}/rustc
-blacklist ${HOME}/.rustup
+deny  ${PATH}/rust-gdb
+deny  ${PATH}/rust-lldb
+deny  ${PATH}/rustc
+deny  ${HOME}/.rustup
 
 # tcc - Tiny C Compiler
-blacklist ${PATH}/tcc
-blacklist ${PATH}/x86_64-tcc
-blacklist /usr/lib/tcc
+deny  ${PATH}/tcc
+deny  ${PATH}/x86_64-tcc
+deny  /usr/lib/tcc
 
 # Valgrind
-blacklist ${PATH}/valgrind*
-blacklist /usr/lib/valgrind
+deny  ${PATH}/valgrind*
+deny  /usr/lib/valgrind
 
 
 # Source-Code
 
-blacklist /usr/src
-blacklist /usr/local/src
-blacklist /usr/include
-blacklist /usr/local/include
+deny  /usr/src
+deny  /usr/local/src
+deny  /usr/include
+deny  /usr/local/include
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 5d8a236fb..c77d9a490 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -3,66 +3,66 @@
 include disable-interpreters.local
 
 # gjs
-blacklist ${PATH}/gjs
-blacklist ${PATH}/gjs-console
-blacklist /usr/lib/gjs
-blacklist /usr/lib/libgjs*
-blacklist /usr/lib64/gjs
-blacklist /usr/lib64/libgjs*
+deny  ${PATH}/gjs
+deny  ${PATH}/gjs-console
+deny  /usr/lib/gjs
+deny  /usr/lib/libgjs*
+deny  /usr/lib64/gjs
+deny  /usr/lib64/libgjs*
 
 # Lua
-blacklist ${PATH}/lua*
-blacklist /usr/include/lua*
-blacklist /usr/lib/liblua*
-blacklist /usr/lib/lua
-blacklist /usr/lib64/liblua*
-blacklist /usr/lib64/lua
-blacklist /usr/share/lua*
+deny  ${PATH}/lua*
+deny  /usr/include/lua*
+deny  /usr/lib/liblua*
+deny  /usr/lib/lua
+deny  /usr/lib64/liblua*
+deny  /usr/lib64/lua
+deny  /usr/share/lua*
 
 # mozjs
-blacklist /usr/lib/libmozjs-*
-blacklist /usr/lib64/libmozjs-*
+deny  /usr/lib/libmozjs-*
+deny  /usr/lib64/libmozjs-*
 
 # Node.js
-blacklist ${PATH}/node
-blacklist /usr/include/node
+deny  ${PATH}/node
+deny  /usr/include/node
 
 # nvm
-blacklist ${HOME}/.nvm
+deny  ${HOME}/.nvm
 
 # Perl
-blacklist ${PATH}/core_perl
-blacklist ${PATH}/cpan*
-blacklist ${PATH}/perl
-blacklist ${PATH}/site_perl
-blacklist ${PATH}/vendor_perl
-blacklist /usr/lib/perl*
-blacklist /usr/lib64/perl*
-blacklist /usr/share/perl*
+deny  ${PATH}/core_perl
+deny  ${PATH}/cpan*
+deny  ${PATH}/perl
+deny  ${PATH}/site_perl
+deny  ${PATH}/vendor_perl
+deny  /usr/lib/perl*
+deny  /usr/lib64/perl*
+deny  /usr/share/perl*
 
 # PHP
-blacklist ${PATH}/php*
-blacklist /usr/lib/php*
-blacklist /usr/share/php*
+deny  ${PATH}/php*
+deny  /usr/lib/php*
+deny  /usr/share/php*
 
 # Ruby
-blacklist ${PATH}/ruby
-blacklist /usr/lib/ruby
+deny  ${PATH}/ruby
+deny  /usr/lib/ruby
 
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
-blacklist ${PATH}/python2*
-blacklist /usr/include/python2*
-blacklist /usr/lib/python2*
-blacklist /usr/local/lib/python2*
-blacklist /usr/share/python2*
+deny  ${PATH}/python2*
+deny  /usr/include/python2*
+deny  /usr/lib/python2*
+deny  /usr/local/lib/python2*
+deny  /usr/share/python2*
 
 # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
 
 # Python 3
-blacklist ${PATH}/python3*
-blacklist /usr/include/python3*
-blacklist /usr/lib/python3*
-blacklist /usr/lib64/python3*
-blacklist /usr/local/lib/python3*
-blacklist /usr/share/python3*
+deny  ${PATH}/python3*
+deny  /usr/include/python3*
+deny  /usr/lib/python3*
+deny  /usr/lib64/python3*
+deny  /usr/local/lib/python3*
+deny  /usr/share/python3*
diff --git a/etc/inc/disable-passwdmgr.inc b/etc/inc/disable-passwdmgr.inc
index 3ed9a1b14..0a61bc46f 100644
--- a/etc/inc/disable-passwdmgr.inc
+++ b/etc/inc/disable-passwdmgr.inc
@@ -2,18 +2,18 @@
 # Persistent customizations should go in a .local file.
 include disable-passwdmgr.local
 
-blacklist ${HOME}/.config/Bitwarden
-blacklist ${HOME}/.config/KeePass
-blacklist ${HOME}/.config/keepass
-blacklist ${HOME}/.config/keepassx
-blacklist ${HOME}/.config/keepassxc
-blacklist ${HOME}/.config/KeePassXCrc
-blacklist ${HOME}/.config/Sinew Software Systems
-blacklist ${HOME}/.fpm
-blacklist ${HOME}/.keepass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.keepassxc
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.local/share/KeePass
-blacklist ${HOME}/.local/share/keepass
-blacklist ${HOME}/.password-store
+deny  ${HOME}/.config/Bitwarden
+deny  ${HOME}/.config/KeePass
+deny  ${HOME}/.config/keepass
+deny  ${HOME}/.config/keepassx
+deny  ${HOME}/.config/keepassxc
+deny  ${HOME}/.config/KeePassXCrc
+deny  ${HOME}/.config/Sinew Software Systems
+deny  ${HOME}/.fpm
+deny  ${HOME}/.keepass
+deny  ${HOME}/.keepassx
+deny  ${HOME}/.keepassxc
+deny  ${HOME}/.lastpass
+deny  ${HOME}/.local/share/KeePass
+deny  ${HOME}/.local/share/keepass
+deny  ${HOME}/.password-store
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 90abe1d3e..5fe2f8c28 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -2,1083 +2,1097 @@
 # Persistent customizations should go in a .local file.
 include disable-programs.local
 
-blacklist ${HOME}/Arduino
-blacklist ${HOME}/i2p
-blacklist ${HOME}/Monero/wallets
-blacklist ${HOME}/Nextcloud
-blacklist ${HOME}/Nextcloud/Notes
-blacklist ${HOME}/SoftMaker
-blacklist ${HOME}/Standard Notes Backups
-blacklist ${HOME}/TeamSpeak3-Client-linux_x86
-blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
-blacklist ${HOME}/hyperrogue.ini
-blacklist ${HOME}/mps
-blacklist ${HOME}/wallet.dat
-blacklist ${HOME}/.*coin
-blacklist ${HOME}/.8pecxstudios
-blacklist ${HOME}/.AndroidStudio*
-blacklist ${HOME}/.Atom
-blacklist ${HOME}/.CLion*
-blacklist ${HOME}/.FBReader
-blacklist ${HOME}/.FontForge
-blacklist ${HOME}/.IdeaIC*
-blacklist ${HOME}/.LuminanceHDR
-blacklist ${HOME}/.Mathematica
-blacklist ${HOME}/.Natron
-blacklist ${HOME}/.PlayOnLinux
-blacklist ${HOME}/.PyCharm*
-blacklist ${HOME}/.Sayonara
-blacklist ${HOME}/.Steam
-blacklist ${HOME}/.Steampath
-blacklist ${HOME}/.Steampid
-blacklist ${HOME}/.TelegramDesktop
-blacklist ${HOME}/.VSCodium
-blacklist ${HOME}/.ViberPC
-blacklist ${HOME}/.VirtualBox
-blacklist ${HOME}/.WebStorm*
-blacklist ${HOME}/.Wolfram Research
-blacklist ${HOME}/.ZAP
-blacklist ${HOME}/.abook
-blacklist ${HOME}/.aMule
-blacklist ${HOME}/.android
-blacklist ${HOME}/.anydesk
-blacklist ${HOME}/.arduino15
-blacklist ${HOME}/.aria2
-blacklist ${HOME}/.arm
-blacklist ${HOME}/.asunder_album_artist
-blacklist ${HOME}/.asunder_album_genre
-blacklist ${HOME}/.asunder_album_title
-blacklist ${HOME}/.atom
-blacklist ${HOME}/.attic
-blacklist ${HOME}/.audacity-data
-blacklist ${HOME}/.avidemux6
-blacklist ${HOME}/.ballbuster.hs
-blacklist ${HOME}/.balsa
-blacklist ${HOME}/.bcast5
-blacklist ${HOME}/.bibletime
-blacklist ${HOME}/.bitcoin
-blacklist ${HOME}/.bogofilter
-blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/advisory-db
-blacklist ${HOME}/.cargo/config
-blacklist ${HOME}/.cargo/git
-blacklist ${HOME}/.cargo/registry
-blacklist ${HOME}/.cargo/.crates.toml
-blacklist ${HOME}/.cargo/.crates2.json
-blacklist ${HOME}/.cargo/.package-cache
-blacklist ${HOME}/.claws-mail
-blacklist ${HOME}/.cliqz
-blacklist ${HOME}/.clonk
-blacklist ${HOME}/.config/0ad
-blacklist ${HOME}/.config/2048-qt
-blacklist ${HOME}/.config/Atom
-blacklist ${HOME}/.config/Audaciousrc
-blacklist ${HOME}/.config/Authenticator
-blacklist ${HOME}/.config/Beaker Browser
-blacklist ${HOME}/.config/Bitcoin
-blacklist ${HOME}/.config/Bitwarden
-blacklist ${HOME}/.config/Brackets
-blacklist ${HOME}/.config/BraveSoftware
-blacklist ${HOME}/.config/Clementine
-blacklist ${HOME}/.config/Code
-blacklist ${HOME}/.config/Code - OSS
-blacklist ${HOME}/.config/Code Industry
-blacklist ${HOME}/.config/Cryptocat
-blacklist ${HOME}/.config/Debauchee/Barrier.conf
-blacklist ${HOME}/.config/Dharkael
-blacklist ${HOME}/.config/Element
-blacklist ${HOME}/.config/Element (Riot)
-blacklist ${HOME}/.config/ENCOM
-blacklist ${HOME}/.config/Enox
-blacklist ${HOME}/.config/Epic
-blacklist ${HOME}/.config/Ferdi
-blacklist ${HOME}/.config/Flavio Tordini
-blacklist ${HOME}/.config/Franz
-blacklist ${HOME}/.config/FreeCAD
-blacklist ${HOME}/.config/FreeTube
-blacklist ${HOME}/.config/Fritzing
-blacklist ${HOME}/.config/GIMP
-blacklist ${HOME}/.config/GitHub Desktop
-blacklist ${HOME}/.config/Gitter
-blacklist ${HOME}/.config/Google
-blacklist ${HOME}/.config/Google Play Music Desktop Player
-blacklist ${HOME}/.config/Gpredict
-blacklist ${HOME}/.config/INRIA
-blacklist ${HOME}/.config/InSilmaril
-blacklist ${HOME}/.config/Jitsi Meet
-blacklist ${HOME}/.config/KDE/neochat
-blacklist ${HOME}/.config/Kid3
-blacklist ${HOME}/.config/Kingsoft
-blacklist ${HOME}/.config/Loop_Hero
-blacklist ${HOME}/.config/Luminance
-blacklist ${HOME}/.config/LyX
-blacklist ${HOME}/.config/Mattermost
-blacklist ${HOME}/.config/Meltytech
-blacklist ${HOME}/.config/Mendeley Ltd.
-blacklist ${HOME}/.config/Min
-blacklist ${HOME}/.config/ModTheSpire
-blacklist ${HOME}/.config/Mousepad
-blacklist ${HOME}/.config/Mumble
-blacklist ${HOME}/.config/MusE
-blacklist ${HOME}/.config/MuseScore
-blacklist ${HOME}/.config/MusicBrainz
-blacklist ${HOME}/.config/Nathan Osman
-blacklist ${HOME}/.config/Nextcloud
-blacklist ${HOME}/.config/Nylas Mail
-blacklist ${HOME}/.config/PacmanLogViewer
-blacklist ${HOME}/.config/PawelStolowski
-blacklist ${HOME}/.config/PBE
-blacklist ${HOME}/.config/Philipp Schmieder
-blacklist ${HOME}/.config/QGIS
-blacklist ${HOME}/.config/QMediathekView
-blacklist ${HOME}/.config/Qlipper
-blacklist ${HOME}/.config/QuiteRss
-blacklist ${HOME}/.config/QuiteRssrc
-blacklist ${HOME}/.config/Quotient
-blacklist ${HOME}/.config/Rambox
-blacklist ${HOME}/.config/Riot
-blacklist ${HOME}/.config/Rocket.Chat
-blacklist ${HOME}/.config/RogueLegacy
-blacklist ${HOME}/.config/RogueLegacyStorageContainer
-blacklist ${HOME}/.config/Signal
-blacklist ${HOME}/.config/Sinew Software Systems
-blacklist ${HOME}/.config/Slack
-blacklist ${HOME}/.config/Standard Notes
-blacklist ${HOME}/.config/SubDownloader
-blacklist ${HOME}/.config/Thunar
-blacklist ${HOME}/.config/Twitch
-blacklist ${HOME}/.config/Unknown Organization
-blacklist ${HOME}/.config/VirtualBox
-blacklist ${HOME}/.config/Wire
-blacklist ${HOME}/.config/Youtube
-blacklist ${HOME}/.config/Zeal
-blacklist ${HOME}/.config/ZeGrapher Project
-blacklist ${HOME}/.config/aacs
-blacklist ${HOME}/.config/abiword
-blacklist ${HOME}/.config/agenda
-blacklist ${HOME}/.config/akonadi*
-blacklist ${HOME}/.config/akregatorrc
-blacklist ${HOME}/.config/alacritty
-blacklist ${HOME}/.config/ardour4
-blacklist ${HOME}/.config/ardour5
-blacklist ${HOME}/.config/aria2
-blacklist ${HOME}/.config/arkrc
-blacklist ${HOME}/.config/artha.conf
-blacklist ${HOME}/.config/artha.log
-blacklist ${HOME}/.config/asunder
-blacklist ${HOME}/.config/atril
-blacklist ${HOME}/.config/audacious
-blacklist ${HOME}/.config/autokey
-blacklist ${HOME}/.config/avidemux3_qt5rc
-blacklist ${HOME}/.config/aweather
-blacklist ${HOME}/.config/backintime
-blacklist ${HOME}/.config/baloofilerc
-blacklist ${HOME}/.config/baloorc
-blacklist ${HOME}/.config/bcompare
-blacklist ${HOME}/.config/blender
-blacklist ${HOME}/.config/bless
-blacklist ${HOME}/.config/bnox
-blacklist ${HOME}/.config/borg
-blacklist ${HOME}/.config/brasero
-blacklist ${HOME}/.config/brave
-blacklist ${HOME}/.config/brave-flags.conf
-blacklist ${HOME}/.config/caja
-blacklist ${HOME}/.config/calibre
-blacklist ${HOME}/.config/cantata
-blacklist ${HOME}/.config/catfish
-blacklist ${HOME}/.config/cawbird
-blacklist ${HOME}/.config/celluloid
-blacklist ${HOME}/.config/cherrytree
-blacklist ${HOME}/.config/chrome-beta-flags.conf
-blacklist ${HOME}/.config/chrome-beta-flags.config
-blacklist ${HOME}/.config/chrome-flags.conf
-blacklist ${HOME}/.config/chrome-flags.config
-blacklist ${HOME}/.config/chrome-unstable-flags.conf
-blacklist ${HOME}/.config/chrome-unstable-flags.config
-blacklist ${HOME}/.config/chromium
-blacklist ${HOME}/.config/chromium-dev
-blacklist ${HOME}/.config/chromium-flags.conf
-blacklist ${HOME}/.config/clipit
-blacklist ${HOME}/.config/cliqz
-blacklist ${HOME}/.config/cmus
-blacklist ${HOME}/.config/com.github.bleakgrey.tootle
-blacklist ${HOME}/.config/corebird
-blacklist ${HOME}/.config/cower
-blacklist ${HOME}/.config/coyim
-blacklist ${HOME}/.config/darktable
-blacklist ${HOME}/.config/deadbeef
-blacklist ${HOME}/.config/deluge
-blacklist ${HOME}/.config/devilspie2
-blacklist ${HOME}/.config/digikam
-blacklist ${HOME}/.config/digikamrc
-blacklist ${HOME}/.config/discord
-blacklist ${HOME}/.config/discordcanary
-blacklist ${HOME}/.config/dkl
-blacklist ${HOME}/.config/dnox
-blacklist ${HOME}/.config/dolphin-emu
-blacklist ${HOME}/.config/dolphinrc
-blacklist ${HOME}/.config/dragonplayerrc
-blacklist ${HOME}/.config/draw.io
-blacklist ${HOME}/.config/d-feet
-blacklist ${HOME}/.config/electron-mail
-blacklist ${HOME}/.config/emaildefaults
-blacklist ${HOME}/.config/emailidentities
-blacklist ${HOME}/.config/emilia
-blacklist ${HOME}/.config/enchant
-blacklist ${HOME}/.config/eog
-blacklist ${HOME}/.config/epiphany
-blacklist ${HOME}/.config/equalx
-blacklist ${HOME}/.config/evince
-blacklist ${HOME}/.config/evolution
-blacklist ${HOME}/.config/falkon
-blacklist ${HOME}/.config/filezilla
-blacklist ${HOME}/.config/flameshot
-blacklist ${HOME}/.config/flaska.net
-blacklist ${HOME}/.config/flowblade
-blacklist ${HOME}/.config/font-manager
-blacklist ${HOME}/.config/freecol
-blacklist ${HOME}/.config/gajim
-blacklist ${HOME}/.config/galculator
-blacklist ${HOME}/.config/gconf
-blacklist ${HOME}/.config/geany
-blacklist ${HOME}/.config/geary
-blacklist ${HOME}/.config/gedit
-blacklist ${HOME}/.config/geeqie
-blacklist ${HOME}/.config/ghb
-blacklist ${HOME}/.config/ghostwriter
-blacklist ${HOME}/.config/git
-blacklist ${HOME}/.config/git-cola
-blacklist ${HOME}/.config/glade.conf
-blacklist ${HOME}/.config/globaltime
-blacklist ${HOME}/.config/gmpc
-blacklist ${HOME}/.config/gnome-builder
-blacklist ${HOME}/.config/gnome-chess
-blacklist ${HOME}/.config/gnome-control-center
-blacklist ${HOME}/.config/gnome-initial-setup-done
-blacklist ${HOME}/.config/gnome-latex
-blacklist ${HOME}/.config/gnome-mplayer
-blacklist ${HOME}/.config/gnome-mpv
-blacklist ${HOME}/.config/gnome-pie
-blacklist ${HOME}/.config/gnome-session
-blacklist ${HOME}/.config/gnote
-blacklist ${HOME}/.config/godot
-blacklist ${HOME}/.config/google-chrome
-blacklist ${HOME}/.config/google-chrome-beta
-blacklist ${HOME}/.config/google-chrome-unstable
-blacklist ${HOME}/.config/gpicview
-blacklist ${HOME}/.config/gthumb
-blacklist ${HOME}/.config/gummi
-blacklist ${HOME}/.config/guvcview2
-blacklist ${HOME}/.config/gwenviewrc
-blacklist ${HOME}/.config/hexchat
-blacklist ${HOME}/.config/homebank
-blacklist ${HOME}/.config/i2p
-blacklist ${HOME}/.config/inkscape
-blacklist ${HOME}/.config/inox
-blacklist ${HOME}/.config/iridium
-blacklist ${HOME}/.config/itch
-blacklist ${HOME}/.config/jami
-blacklist ${HOME}/.config/jd-gui.cfg
-blacklist ${HOME}/.config/k3brc
-blacklist ${HOME}/.config/kaffeinerc
-blacklist ${HOME}/.config/kalgebrarc
-blacklist ${HOME}/.config/katemetainfos
-blacklist ${HOME}/.config/katepartrc
-blacklist ${HOME}/.config/katerc
-blacklist ${HOME}/.config/kateschemarc
-blacklist ${HOME}/.config/katesyntaxhighlightingrc
-blacklist ${HOME}/.config/katevirc
-blacklist ${HOME}/.config/kazam
-blacklist ${HOME}/.config/kdeconnect
-blacklist ${HOME}/.config/kdenliverc
-blacklist ${HOME}/.config/kdiff3fileitemactionrc
-blacklist ${HOME}/.config/kdiff3rc
-blacklist ${HOME}/.config/kfindrc
-blacklist ${HOME}/.config/kgetrc
-blacklist ${HOME}/.config/kid3rc
-blacklist ${HOME}/.config/klavaro
-blacklist ${HOME}/.config/klipperrc
-blacklist ${HOME}/.config/kmail2rc
-blacklist ${HOME}/.config/kmailsearchindexingrc
-blacklist ${HOME}/.config/kmplayerrc
-blacklist ${HOME}/.config/knotesrc
-blacklist ${HOME}/.config/konversationrc
-blacklist ${HOME}/.config/konversation.notifyrc
-blacklist ${HOME}/.config/kritarc
-blacklist ${HOME}/.config/ktorrentrc
-blacklist ${HOME}/.config/ktouch2rc
-blacklist ${HOME}/.config/kube
-blacklist ${HOME}/.config/kwriterc
-blacklist ${HOME}/.config/leafpad
-blacklist ${HOME}/.config/libreoffice
-blacklist ${HOME}/.config/liferea
-blacklist ${HOME}/.config/linphone
-blacklist ${HOME}/.config/lugaru
-blacklist ${HOME}/.config/lutris
-blacklist ${HOME}/.config/lximage-qt
-blacklist ${HOME}/.config/mailtransports
-blacklist ${HOME}/.config/mana
-blacklist ${HOME}/.config/mate-calc
-blacklist ${HOME}/.config/mate/eom
-blacklist ${HOME}/.config/mate/mate-dictionary
-blacklist ${HOME}/.config/matrix-mirage
-blacklist ${HOME}/.config/mcomix
-blacklist ${HOME}/.config/meld
-blacklist ${HOME}/.config/meteo-qt
-blacklist ${HOME}/.config/menulibre.cfg
-blacklist ${HOME}/.config/mfusion
-blacklist ${HOME}/.config/Microsoft
-blacklist ${HOME}/.config/microsoft-edge-dev
-blacklist ${HOME}/.config/midori
-blacklist ${HOME}/.config/mirage
-blacklist ${HOME}/.config/mono
-blacklist ${HOME}/.config/mpDris2
-blacklist ${HOME}/.config/mpd
-blacklist ${HOME}/.config/mps-youtube
-blacklist ${HOME}/.config/mpv
-blacklist ${HOME}/.config/mupen64plus
-blacklist ${HOME}/.config/mutt
-blacklist ${HOME}/.config/mutter
-blacklist ${HOME}/.config/mypaint
-blacklist ${HOME}/.config/nano
-blacklist ${HOME}/.config/nautilus
-blacklist ${HOME}/.config/nemo
-blacklist ${HOME}/.config/neochatrc
-blacklist ${HOME}/.config/neochat.notifyrc
-blacklist ${HOME}/.config/neomutt
-blacklist ${HOME}/.config/netsurf
-blacklist ${HOME}/.config/newsbeuter
-blacklist ${HOME}/.config/newsboat
-blacklist ${HOME}/.config/newsflash
-blacklist ${HOME}/.config/nheko
-blacklist ${HOME}/.config/NitroShare
-blacklist ${HOME}/.config/nomacs
-blacklist ${HOME}/.config/nuclear
-blacklist ${HOME}/.config/obs-studio
-blacklist ${HOME}/.config/okularpartrc
-blacklist ${HOME}/.config/okularrc
-blacklist ${HOME}/.config/onboard
-blacklist ${HOME}/.config/onionshare
-blacklist ${HOME}/.config/onlyoffice
-blacklist ${HOME}/.config/openmw
-blacklist ${HOME}/.config/opera
-blacklist ${HOME}/.config/opera-beta
-blacklist ${HOME}/.config/orage
-blacklist ${HOME}/.config/org.gabmus.gfeeds.json
-blacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
-blacklist ${HOME}/.config/org.kde.gwenviewrc
-blacklist ${HOME}/.config/otter
-blacklist ${HOME}/.config/pavucontrol-qt
-blacklist ${HOME}/.config/pavucontrol.ini
-blacklist ${HOME}/.config/pcmanfm
-blacklist ${HOME}/.config/pdfmod
-blacklist ${HOME}/.config/Pinta
-blacklist ${HOME}/.config/pipe-viewer
-blacklist ${HOME}/.config/pitivi
-blacklist ${HOME}/.config/pix
-blacklist ${HOME}/.config/pluma
-blacklist ${HOME}/.config/ppsspp
-blacklist ${HOME}/.config/pragha
-blacklist ${HOME}/.config/profanity
-blacklist ${HOME}/.config/psi
-blacklist ${HOME}/.config/psi+
-blacklist ${HOME}/.config/qBittorrent
-blacklist ${HOME}/.config/qBittorrentrc
-blacklist ${HOME}/.config/qnapi.ini
-blacklist ${HOME}/.config/qpdfview
-blacklist ${HOME}/.config/quodlibet
-blacklist ${HOME}/.config/qupzilla
-blacklist ${HOME}/.config/qutebrowser
-blacklist ${HOME}/.config/ranger
-blacklist ${HOME}/.config/redshift
-blacklist ${HOME}/.config/redshift.conf
-blacklist ${HOME}/.config/remmina
-blacklist ${HOME}/.config/ristretto
-blacklist ${HOME}/.config/rtv
-blacklist ${HOME}/.config/scribus
-blacklist ${HOME}/.config/scribusrc
-blacklist ${HOME}/.config/sinew.in
-blacklist ${HOME}/.config/sink
-blacklist ${HOME}/.config/skypeforlinux
-blacklist ${HOME}/.config/slimjet
-blacklist ${HOME}/.config/smplayer
-blacklist ${HOME}/.config/smtube
-blacklist ${HOME}/.config/smuxi
-blacklist ${HOME}/.config/snox
-blacklist ${HOME}/.config/sound-juicer
-blacklist ${HOME}/.config/specialmailcollectionsrc
-blacklist ${HOME}/.config/spectaclerc
-blacklist ${HOME}/.config/spotify
-blacklist ${HOME}/.config/sqlitebrowser
-blacklist ${HOME}/.config/stellarium
-blacklist ${HOME}/.config/strawberry
-blacklist ${HOME}/.config/straw-viewer
-blacklist ${HOME}/.config/supertuxkart
-blacklist ${HOME}/.config/synfig
-blacklist ${HOME}/.config/teams
-blacklist ${HOME}/.config/teams-for-linux
-blacklist ${HOME}/.config/telepathy-account-widgets
-blacklist ${HOME}/.config/torbrowser
-blacklist ${HOME}/.config/totem
-blacklist ${HOME}/.config/tox
-blacklist ${HOME}/.config/transgui
-blacklist ${HOME}/.config/transmission
-blacklist ${HOME}/.config/truecraft
-blacklist ${HOME}/.config/tuta_integration
-blacklist ${HOME}/.config/tutanota-desktop
-blacklist ${HOME}/.config/tvbrowser
-blacklist ${HOME}/.config/uGet
-blacklist ${HOME}/.config/ungoogled-chromium
-blacklist ${HOME}/.config/uzbl
-blacklist ${HOME}/.config/viewnior
-blacklist ${HOME}/.config/vivaldi
-blacklist ${HOME}/.config/vivaldi-snapshot
-blacklist ${HOME}/.config/vlc
-blacklist ${HOME}/.config/wesnoth
-blacklist ${HOME}/.config/wormux
-blacklist ${HOME}/.config/Whalebird
-blacklist ${HOME}/.config/wireshark
-blacklist ${HOME}/.config/xchat
-blacklist ${HOME}/.config/xed
-blacklist ${HOME}/.config/xfburn
-blacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
-blacklist ${HOME}/.config/xfce4/xfce4-notes.rc
-blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-blacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-blacklist ${HOME}/.config/xfce4-dict
-blacklist ${HOME}/.config/xiaoyong
-blacklist ${HOME}/.config/xmms2
-blacklist ${HOME}/.config/xplayer
-blacklist ${HOME}/.config/xreader
-blacklist ${HOME}/.config/xviewer
-blacklist ${HOME}/.config/yandex-browser
-blacklist ${HOME}/.config/yandex-browser-beta
-blacklist ${HOME}/.config/yelp
-blacklist ${HOME}/.config/youtube-dl
-blacklist ${HOME}/.config/youtube-dlg
-blacklist ${HOME}/.config/youtubemusic-nativefier-040164
-blacklist ${HOME}/.config/youtube-music-desktop-app
-blacklist ${HOME}/.config/youtube-viewer
-blacklist ${HOME}/.config/zathura
-blacklist ${HOME}/.config/zoomus.conf
-blacklist ${HOME}/.config/Zulip
-blacklist ${HOME}/.conkeror.mozdev.org
-blacklist ${HOME}/.crawl
-blacklist ${HOME}/.cups
-blacklist ${HOME}/.curl-hsts
-blacklist ${HOME}/.curlrc
-blacklist ${HOME}/.dashcore
-blacklist ${HOME}/.devilspie
-blacklist ${HOME}/.dia
-blacklist ${HOME}/.digrc
-blacklist ${HOME}/.dillo
-blacklist ${HOME}/.dooble
-blacklist ${HOME}/.dosbox
-blacklist ${HOME}/.dropbox*
-blacklist ${HOME}/.easystroke
-blacklist ${HOME}/.electron-cache
-blacklist ${HOME}/.electrum*
-blacklist ${HOME}/.elinks
-blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs.d
-blacklist ${HOME}/.equalx
-blacklist ${HOME}/.ethereum
-blacklist ${HOME}/.etr
-blacklist ${HOME}/.filezilla
-blacklist ${HOME}/.firedragon
-blacklist ${HOME}/.flowblade
-blacklist ${HOME}/.fltk
-blacklist ${HOME}/.fossamail
-blacklist ${HOME}/.freeciv
-blacklist ${HOME}/.freecol
-blacklist ${HOME}/.freemind
-blacklist ${HOME}/.frogatto
-blacklist ${HOME}/.frozen-bubble
-blacklist ${HOME}/.gimp*
-blacklist ${HOME}/.gist
-blacklist ${HOME}/.gitconfig
-blacklist ${HOME}/.gl-117
-blacklist ${HOME}/.glaxiumrc
-blacklist ${HOME}/.gnome/gnome-schedule
-blacklist ${HOME}/.googleearth
-blacklist ${HOME}/.gradle
-blacklist ${HOME}/.gramps
-blacklist ${HOME}/.guayadeque
-blacklist ${HOME}/.hashcat
-blacklist ${HOME}/.hex-a-hop
-blacklist ${HOME}/.hedgewars
-blacklist ${HOME}/.hugin
-blacklist ${HOME}/.i2p
-blacklist ${HOME}/.icedove
-blacklist ${HOME}/.imagej
-blacklist ${HOME}/.inkscape
-blacklist ${HOME}/.itch
-blacklist ${HOME}/.jack-server
-blacklist ${HOME}/.jack-settings
-blacklist ${HOME}/.jak
-blacklist ${HOME}/.java
-blacklist ${HOME}/.jd
-blacklist ${HOME}/.jitsi
-blacklist ${HOME}/.jumpnbump
-blacklist ${HOME}/.kde/share/apps/digikam
-blacklist ${HOME}/.kde/share/apps/gwenview
-blacklist ${HOME}/.kde/share/apps/kaffeine
-blacklist ${HOME}/.kde/share/apps/kcookiejar
-blacklist ${HOME}/.kde/share/apps/kget
-blacklist ${HOME}/.kde/share/apps/khtml
-blacklist ${HOME}/.kde/share/apps/klatexformula
-blacklist ${HOME}/.kde/share/apps/konqsidebartng
-blacklist ${HOME}/.kde/share/apps/konqueror
-blacklist ${HOME}/.kde/share/apps/kopete
-blacklist ${HOME}/.kde/share/apps/ktorrent
-blacklist ${HOME}/.kde/share/apps/okular
-blacklist ${HOME}/.kde/share/config/baloofilerc
-blacklist ${HOME}/.kde/share/config/baloorc
-blacklist ${HOME}/.kde/share/config/digikam
-blacklist ${HOME}/.kde/share/config/gwenviewrc
-blacklist ${HOME}/.kde/share/config/k3brc
-blacklist ${HOME}/.kde/share/config/kaffeinerc
-blacklist ${HOME}/.kde/share/config/kcookiejarrc
-blacklist ${HOME}/.kde/share/config/kfindrc
-blacklist ${HOME}/.kde/share/config/kgetrc
-blacklist ${HOME}/.kde/share/config/khtmlrc
-blacklist ${HOME}/.kde/share/config/klipperrc
-blacklist ${HOME}/.kde/share/config/kmplayerrc
-blacklist ${HOME}/.kde/share/config/konq_history
-blacklist ${HOME}/.kde/share/config/konqsidebartngrc
-blacklist ${HOME}/.kde/share/config/konquerorrc
-blacklist ${HOME}/.kde/share/config/konversationrc
-blacklist ${HOME}/.kde/share/config/kopeterc
-blacklist ${HOME}/.kde/share/config/ktorrentrc
-blacklist ${HOME}/.kde/share/config/okularpartrc
-blacklist ${HOME}/.kde/share/config/okularrc
-blacklist ${HOME}/.kde4/share/apps/digikam
-blacklist ${HOME}/.kde4/share/apps/gwenview
-blacklist ${HOME}/.kde4/share/apps/kaffeine
-blacklist ${HOME}/.kde4/share/apps/kcookiejar
-blacklist ${HOME}/.kde4/share/apps/kget
-blacklist ${HOME}/.kde4/share/apps/khtml
-blacklist ${HOME}/.kde4/share/apps/konqsidebartng
-blacklist ${HOME}/.kde4/share/apps/konqueror
-blacklist ${HOME}/.kde4/share/apps/kopete
-blacklist ${HOME}/.kde4/share/apps/ktorrent
-blacklist ${HOME}/.kde4/share/apps/okular
-blacklist ${HOME}/.kde4/share/config/baloofilerc
-blacklist ${HOME}/.kde4/share/config/baloorc
-blacklist ${HOME}/.kde4/share/config/digikam
-blacklist ${HOME}/.kde4/share/config/gwenviewrc
-blacklist ${HOME}/.kde4/share/config/k3brc
-blacklist ${HOME}/.kde4/share/config/kaffeinerc
-blacklist ${HOME}/.kde4/share/config/kcookiejarrc
-blacklist ${HOME}/.kde4/share/config/kfindrc
-blacklist ${HOME}/.kde4/share/config/kgetrc
-blacklist ${HOME}/.kde4/share/config/khtmlrc
-blacklist ${HOME}/.kde4/share/config/klipperrc
-blacklist ${HOME}/.kde4/share/config/konq_history
-blacklist ${HOME}/.kde4/share/config/konqsidebartngrc
-blacklist ${HOME}/.kde4/share/config/konquerorrc
-blacklist ${HOME}/.kde4/share/config/konversationrc
-blacklist ${HOME}/.kde4/share/config/kopeterc
-blacklist ${HOME}/.kde4/share/config/ktorrentrc
-blacklist ${HOME}/.kde4/share/config/okularpartrc
-blacklist ${HOME}/.kde4/share/config/okularrc
-blacklist ${HOME}/.killingfloor
-blacklist ${HOME}/.kingsoft
-blacklist ${HOME}/.kino-history
-blacklist ${HOME}/.kinorc
-blacklist ${HOME}/.klatexformula
-blacklist ${HOME}/.klei
-blacklist ${HOME}/.kodi
-blacklist ${HOME}/.librewolf
-blacklist ${HOME}/.lincity-ng
-blacklist ${HOME}/.links
-blacklist ${HOME}/.linphone-history.db
-blacklist ${HOME}/.linphonerc
-blacklist ${HOME}/.lmmsrc.xml
-blacklist ${HOME}/.local/lib/vivaldi
-blacklist ${HOME}/.local/share/0ad
-blacklist ${HOME}/.local/share/3909/PapersPlease
-blacklist ${HOME}/.local/share/Anki2
-blacklist ${HOME}/.local/share/Dredmor
-blacklist ${HOME}/.local/share/Empathy
-blacklist ${HOME}/.local/share/Enpass
-blacklist ${HOME}/.local/share/Flavio Tordini
-blacklist ${HOME}/.local/share/JetBrains
-blacklist ${HOME}/.local/share/KDE/neochat
-blacklist ${HOME}/.local/share/Kingsoft
-blacklist ${HOME}/.local/share/Mendeley Ltd.
-blacklist ${HOME}/.local/share/Mumble
-blacklist ${HOME}/.local/share/Nextcloud
-blacklist ${HOME}/.local/share/PBE
-blacklist ${HOME}/.local/share/PawelStolowski
-blacklist ${HOME}/.local/share/PillarsOfEternity
-blacklist ${HOME}/.local/share/Psi
-blacklist ${HOME}/.local/share/QGIS
-blacklist ${HOME}/.local/share/QMediathekView
-blacklist ${HOME}/.local/share/QuiteRss
-blacklist ${HOME}/.local/share/Ricochet
-blacklist ${HOME}/.local/share/RogueLegacy
-blacklist ${HOME}/.local/share/RogueLegacyStorageContainer
-blacklist ${HOME}/.local/share/Shortwave
-blacklist ${HOME}/.local/share/Steam
-blacklist ${HOME}/.local/share/SteamWorldDig
-blacklist ${HOME}/.local/share/SteamWorld Dig 2
-blacklist ${HOME}/.local/share/SuperHexagon
-blacklist ${HOME}/.local/share/TelegramDesktop
-blacklist ${HOME}/.local/share/Terraria
-blacklist ${HOME}/.local/share/TpLogger
-blacklist ${HOME}/.local/share/Zeal
-blacklist ${HOME}/.local/share/akonadi*
-blacklist ${HOME}/.local/share/akregator
-blacklist ${HOME}/.local/share/agenda
-blacklist ${HOME}/.local/share/apps/korganizer
-blacklist ${HOME}/.local/share/aspyr-media
-blacklist ${HOME}/.local/share/autokey
-blacklist ${HOME}/.local/share/authenticator-rs
-blacklist ${HOME}/.local/share/backintime
-blacklist ${HOME}/.local/share/baloo
-blacklist ${HOME}/.local/share/barrier
-blacklist ${HOME}/.local/share/bibletime
-blacklist ${HOME}/.local/share/bijiben
-blacklist ${HOME}/.local/share/bohemiainteractive
-blacklist ${HOME}/.local/share/caja-python
-blacklist ${HOME}/.local/share/calligragemini
-blacklist ${HOME}/.local/share/cantata
-blacklist ${HOME}/.local/share/cdprojektred
-blacklist ${HOME}/.local/share/clipit
-blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
-blacklist ${HOME}/.local/share/contacts
-blacklist ${HOME}/.local/share/cor-games
-blacklist ${HOME}/.local/share/data/Mendeley Ltd.
-blacklist ${HOME}/.local/share/data/Mumble
-blacklist ${HOME}/.local/share/data/MusE
-blacklist ${HOME}/.local/share/data/MuseScore
-blacklist ${HOME}/.local/share/data/nomacs
-blacklist ${HOME}/.local/share/data/qBittorrent
-blacklist ${HOME}/.local/share/dino
-blacklist ${HOME}/.local/share/dolphin
-blacklist ${HOME}/.local/share/dolphin-emu
-blacklist ${HOME}/.local/share/emailidentities
-blacklist ${HOME}/.local/share/epiphany
-blacklist ${HOME}/.local/share/evolution
-blacklist ${HOME}/.local/share/FasterThanLight
-blacklist ${HOME}/.local/share/feedreader
-blacklist ${HOME}/.local/share/feral-interactive
-blacklist ${HOME}/.local/share/five-or-more
-blacklist ${HOME}/.local/share/freecol
-blacklist ${HOME}/.local/share/gajim
-blacklist ${HOME}/.local/share/geary
-blacklist ${HOME}/.local/share/geeqie
-blacklist ${HOME}/.local/share/ghostwriter
-blacklist ${HOME}/.local/share/gitg
-blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-boxes
-blacklist ${HOME}/.local/share/gnome-builder
-blacklist ${HOME}/.local/share/gnome-chess
-blacklist ${HOME}/.local/share/gnome-klotski
-blacklist ${HOME}/.local/share/gnome-latex
-blacklist ${HOME}/.local/share/gnome-mines
-blacklist ${HOME}/.local/share/gnome-music
-blacklist ${HOME}/.local/share/gnome-nibbles
-blacklist ${HOME}/.local/share/gnome-photos
-blacklist ${HOME}/.local/share/gnome-pomodoro
-blacklist ${HOME}/.local/share/gnome-recipes
-blacklist ${HOME}/.local/share/gnome-ring
-blacklist ${HOME}/.local/share/gnome-sudoku
-blacklist ${HOME}/.local/share/gnome-twitch
-blacklist ${HOME}/.local/share/gnote
-blacklist ${HOME}/.local/share/godot
-blacklist ${HOME}/.local/share/gradio
-blacklist ${HOME}/.local/share/gwenview
-blacklist ${HOME}/.local/share/i2p
-blacklist ${HOME}/.local/share/IntoTheBreach
-blacklist ${HOME}/.local/share/jami
-blacklist ${HOME}/.local/share/kaffeine
-blacklist ${HOME}/.local/share/kalgebra
-blacklist ${HOME}/.local/share/kate
-blacklist ${HOME}/.local/share/kdenlive
-blacklist ${HOME}/.local/share/kget
-blacklist ${HOME}/.local/share/kiwix
-blacklist ${HOME}/.local/share/kiwix-desktop
-blacklist ${HOME}/.local/share/klavaro
-blacklist ${HOME}/.local/share/kmail2
-blacklist ${HOME}/.local/share/kmplayer
-blacklist ${HOME}/.local/share/knotes
-blacklist ${HOME}/.local/share/krita
-blacklist ${HOME}/.local/share/ktorrent
-blacklist ${HOME}/.local/share/ktorrentrc
-blacklist ${HOME}/.local/share/ktouch
-blacklist ${HOME}/.local/share/kube
-blacklist ${HOME}/.local/share/kwrite
-blacklist ${HOME}/.local/share/kxmlgui5/*
-blacklist ${HOME}/.local/share/liferea
-blacklist ${HOME}/.local/share/linphone
-blacklist ${HOME}/.local/share/local-mail
-blacklist ${HOME}/.local/share/lollypop
-blacklist ${HOME}/.local/share/love
-blacklist ${HOME}/.local/share/lugaru
-blacklist ${HOME}/.local/share/lutris
-blacklist ${HOME}/.local/share/man
-blacklist ${HOME}/.local/share/mana
-blacklist ${HOME}/.local/share/maps-places.json
-blacklist ${HOME}/.local/share/matrix-mirage
-blacklist ${HOME}/.local/share/mcomix
-blacklist ${HOME}/.local/share/meld
-blacklist ${HOME}/.local/share/midori
-blacklist ${HOME}/.local/share/minder
-blacklist ${HOME}/.local/share/mirage
-blacklist ${HOME}/.local/share/multimc
-blacklist ${HOME}/.local/share/multimc5
-blacklist ${HOME}/.local/share/mupen64plus
-blacklist ${HOME}/.local/share/mypaint
-blacklist ${HOME}/.local/share/nautilus
-blacklist ${HOME}/.local/share/nautilus-python
-blacklist ${HOME}/.local/share/nemo
-blacklist ${HOME}/.local/share/nemo-python
-blacklist ${HOME}/.local/share/news-flash
-blacklist ${HOME}/.local/share/newsbeuter
-blacklist ${HOME}/.local/share/newsboat
-blacklist ${HOME}/.local/share/nheko
-blacklist ${HOME}/.local/share/nomacs
-blacklist ${HOME}/.local/share/notes
-blacklist ${HOME}/.local/share/ocenaudio
-blacklist ${HOME}/.local/share/okular
-blacklist ${HOME}/.local/share/onlyoffice
-blacklist ${HOME}/.local/share/openmw
-blacklist ${HOME}/.local/share/orage
-blacklist ${HOME}/.local/share/org.kde.gwenview
-blacklist ${HOME}/.local/share/Paradox Interactive
-blacklist ${HOME}/.local/share/pix
-blacklist ${HOME}/.local/share/plasma_notes
-blacklist ${HOME}/.local/share/profanity
-blacklist ${HOME}/.local/share/psi
-blacklist ${HOME}/.local/share/psi+
-blacklist ${HOME}/.local/share/quadrapassel
-blacklist ${HOME}/.local/share/qpdfview
-blacklist ${HOME}/.local/share/qutebrowser
-blacklist ${HOME}/.local/share/remmina
-blacklist ${HOME}/.local/share/rhythmbox
-blacklist ${HOME}/.local/share/rtv
-blacklist ${HOME}/.local/share/scribus
-blacklist ${HOME}/.local/share/shotwell
-blacklist ${HOME}/.local/share/signal-cli
-blacklist ${HOME}/.local/share/sink
-blacklist ${HOME}/.local/share/smuxi
-blacklist ${HOME}/.local/share/spotify
-blacklist ${HOME}/.local/share/steam
-blacklist ${HOME}/.local/share/strawberry
-blacklist ${HOME}/.local/share/supertux2
-blacklist ${HOME}/.local/share/supertuxkart
-blacklist ${HOME}/.local/share/swell-foop
-blacklist ${HOME}/.local/share/telepathy
-blacklist ${HOME}/.local/share/terasology
-blacklist ${HOME}/.local/share/torbrowser
-blacklist ${HOME}/.local/share/totem
-blacklist ${HOME}/.local/share/uzbl
-blacklist ${HOME}/.local/share/vlc
-blacklist ${HOME}/.local/share/vpltd
-blacklist ${HOME}/.local/share/vulkan
-blacklist ${HOME}/.local/share/warsow-2.1
-blacklist ${HOME}/.local/share/wesnoth
-blacklist ${HOME}/.local/share/wormux
-blacklist ${HOME}/.local/share/xplayer
-blacklist ${HOME}/.local/share/xreader
-blacklist ${HOME}/.local/share/zathura
-blacklist ${HOME}/.lv2
-blacklist ${HOME}/.lyx
-blacklist ${HOME}/.magicor
-blacklist ${HOME}/.masterpdfeditor
-blacklist ${HOME}/.mbwarband
-blacklist ${HOME}/.mcabber
-blacklist ${HOME}/.mcabberrc
-blacklist ${HOME}/.mediathek3
-blacklist ${HOME}/.megaglest
-blacklist ${HOME}/.minecraft
-blacklist ${HOME}/.minetest
-blacklist ${HOME}/.mirrormagic
-blacklist ${HOME}/.moc
-blacklist ${HOME}/.moonchild productions/basilisk
-blacklist ${HOME}/.moonchild productions/pale moon
-blacklist ${HOME}/.mozilla
-blacklist ${HOME}/.mp3splt-gtk
-blacklist ${HOME}/.mpd
-blacklist ${HOME}/.mpdconf
-blacklist ${HOME}/.mplayer
-blacklist ${HOME}/.msmtprc
-blacklist ${HOME}/.multimc5
-blacklist ${HOME}/.nanorc
-blacklist ${HOME}/.netactview
-blacklist ${HOME}/.neverball
-blacklist ${HOME}/.newsbeuter
-blacklist ${HOME}/.newsboat
-blacklist ${HOME}/.nicotine
-blacklist ${HOME}/.node-gyp
-blacklist ${HOME}/.npm
-blacklist ${HOME}/.npmrc
-blacklist ${HOME}/.nv
-blacklist ${HOME}/.nvm
-blacklist ${HOME}/.nylas-mail
-blacklist ${HOME}/.openarena
-blacklist ${HOME}/.opencity
-blacklist ${HOME}/.openinvaders
-blacklist ${HOME}/.openshot
-blacklist ${HOME}/.openshot_qt
-blacklist ${HOME}/.openttd
-blacklist ${HOME}/.opera
-blacklist ${HOME}/.opera-beta
-blacklist ${HOME}/.ostrichriders
-blacklist ${HOME}/.paradoxinteractive
-blacklist ${HOME}/.parallelrealities/blobwars
-blacklist ${HOME}/.pcsxr
-blacklist ${HOME}/.penguin-command
-blacklist ${HOME}/.pingus
-blacklist ${HOME}/.pioneer
-blacklist ${HOME}/.purple
-blacklist ${HOME}/.pylint.d
-blacklist ${HOME}/.qemu-launcher
-blacklist ${HOME}/.qgis2
-blacklist ${HOME}/.qmmp
-blacklist ${HOME}/.quodlibet
-blacklist ${HOME}/.redeclipse
-blacklist ${HOME}/.remmina
-blacklist ${HOME}/.repo_.gitconfig.json
-blacklist ${HOME}/.repoconfig
-blacklist ${HOME}/.retroshare
-blacklist ${HOME}/.ripperXrc
-blacklist ${HOME}/.scorched3d
-blacklist ${HOME}/.scribus
-blacklist ${HOME}/.scribusrc
-blacklist ${HOME}/.simutrans
-blacklist ${HOME}/.smartgit/*/passwords
-blacklist ${HOME}/.ssr
-blacklist ${HOME}/.steam
-blacklist ${HOME}/.steampath
-blacklist ${HOME}/.steampid
-blacklist ${HOME}/.stellarium
-blacklist ${HOME}/.subversion
-blacklist ${HOME}/.surf
-blacklist ${HOME}/.suve/colorful
-blacklist ${HOME}/.swb.ini
-blacklist ${HOME}/.sword
-blacklist ${HOME}/.sylpheed-2.0
-blacklist ${HOME}/.synfig
-blacklist ${HOME}/.tb
-blacklist ${HOME}/.tconn
-blacklist ${HOME}/.teeworlds
-blacklist ${HOME}/.texlive20*
-blacklist ${HOME}/.thunderbird
-blacklist ${HOME}/.tilp
-blacklist ${HOME}/.tooling
-blacklist ${HOME}/.tor-browser*
-blacklist ${HOME}/.torcs
-blacklist ${HOME}/.tremulous
-blacklist ${HOME}/.ts3client
-blacklist ${HOME}/.tuxguitar*
-blacklist ${HOME}/.tvbrowser
-blacklist ${HOME}/.unknown-horizons
-blacklist ${HOME}/.viking
-blacklist ${HOME}/.viking-maps
-blacklist ${HOME}/.vim
-blacklist ${HOME}/.vimrc
-blacklist ${HOME}/.vmware
-blacklist ${HOME}/.vscode
-blacklist ${HOME}/.vscode-oss
-blacklist ${HOME}/.vst
-blacklist ${HOME}/.vultures
-blacklist ${HOME}/.w3m
-blacklist ${HOME}/.warzone2100-3.*
-blacklist ${HOME}/.waterfox
-blacklist ${HOME}/.weechat
-blacklist ${HOME}/.wget-hsts
-blacklist ${HOME}/.wgetrc
-blacklist ${HOME}/.widelands
-blacklist ${HOME}/.wine
-blacklist ${HOME}/.wine64
-blacklist ${HOME}/.wireshark
-blacklist ${HOME}/.wordwarvi
-blacklist ${HOME}/.wormux
-blacklist ${HOME}/.xiphos
-blacklist ${HOME}/.xmind
-blacklist ${HOME}/.xmms
-blacklist ${HOME}/.xmr-stak
-blacklist ${HOME}/.xonotic
-blacklist ${HOME}/.xournalpp
-blacklist ${HOME}/.xpdfrc
-blacklist ${HOME}/.yarn
-blacklist ${HOME}/.yarn-config
-blacklist ${HOME}/.yarncache
-blacklist ${HOME}/.yarnrc
-blacklist ${HOME}/.zoom
-blacklist /tmp/akonadi-*
-blacklist /tmp/.wine-*
-blacklist /var/games/nethack
-blacklist /var/games/slashem
-blacklist /var/games/vulturesclaw
-blacklist /var/games/vultureseye
-blacklist /var/lib/games/Maelstrom-Scores
+deny  ${HOME}/.*coin
+deny  ${HOME}/.8pecxstudios
+deny  ${HOME}/.AndroidStudio*
+deny  ${HOME}/.Atom
+deny  ${HOME}/.CLion*
+deny  ${HOME}/.FBReader
+deny  ${HOME}/.FontForge
+deny  ${HOME}/.IdeaIC*
+deny  ${HOME}/.LuminanceHDR
+deny  ${HOME}/.Mathematica
+deny  ${HOME}/.Natron
+deny  ${HOME}/.PlayOnLinux
+deny  ${HOME}/.PyCharm*
+deny  ${HOME}/.Sayonara
+deny  ${HOME}/.Steam
+deny  ${HOME}/.Steampath
+deny  ${HOME}/.Steampid
+deny  ${HOME}/.TelegramDesktop
+deny  ${HOME}/.VSCodium
+deny  ${HOME}/.ViberPC
+deny  ${HOME}/.VirtualBox
+deny  ${HOME}/.WebStorm*
+deny  ${HOME}/.Wolfram Research
+deny  ${HOME}/.ZAP
+deny  ${HOME}/.aMule
+deny  ${HOME}/.abook
+deny  ${HOME}/.addressbook
+deny  ${HOME}/.alpine-smime
+deny  ${HOME}/.android
+deny  ${HOME}/.anydesk
+deny  ${HOME}/.arduino15
+deny  ${HOME}/.aria2
+deny  ${HOME}/.arm
+deny  ${HOME}/.asunder_album_artist
+deny  ${HOME}/.asunder_album_genre
+deny  ${HOME}/.asunder_album_title
+deny  ${HOME}/.atom
+deny  ${HOME}/.attic
+deny  ${HOME}/.audacity-data
+deny  ${HOME}/.avidemux6
+deny  ${HOME}/.ballbuster.hs
+deny  ${HOME}/.balsa
+deny  ${HOME}/.bcast5
+deny  ${HOME}/.bibletime
+deny  ${HOME}/.bitcoin
+deny  ${HOME}/.blobby
+deny  ${HOME}/.bogofilter
+deny  ${HOME}/.bzf
+deny  ${HOME}/.cargo/*
+deny  ${HOME}/.claws-mail
+deny  ${HOME}/.cliqz
+deny  ${HOME}/.clion*
+deny  ${HOME}/.clonk
+deny  ${HOME}/.config/0ad
+deny  ${HOME}/.config/2048-qt
+deny  ${HOME}/.config/Atom
+deny  ${HOME}/.config/Audaciousrc
+deny  ${HOME}/.config/Authenticator
+deny  ${HOME}/.config/Beaker Browser
+deny  ${HOME}/.config/Bitcoin
+deny  ${HOME}/.config/Bitwarden
+deny  ${HOME}/.config/Brackets
+deny  ${HOME}/.config/BraveSoftware
+deny  ${HOME}/.config/Clementine
+deny  ${HOME}/.config/Code
+deny  ${HOME}/.config/Code - OSS
+deny  ${HOME}/.config/Code Industry
+deny  ${HOME}/.config/Cryptocat
+deny  ${HOME}/.config/Debauchee/Barrier.conf
+deny  ${HOME}/.config/Dharkael
+deny  ${HOME}/.config/ENCOM
+deny  ${HOME}/.config/Element
+deny  ${HOME}/.config/Element (Riot)
+deny  ${HOME}/.config/Enox
+deny  ${HOME}/.config/Epic
+deny  ${HOME}/.config/Ferdi
+deny  ${HOME}/.config/Flavio Tordini
+deny  ${HOME}/.config/Franz
+deny  ${HOME}/.config/FreeCAD
+deny  ${HOME}/.config/FreeTube
+deny  ${HOME}/.config/Fritzing
+deny  ${HOME}/.config/GIMP
+deny  ${HOME}/.config/GitHub Desktop
+deny  ${HOME}/.config/Gitter
+deny  ${HOME}/.config/Google
+deny  ${HOME}/.config/Google Play Music Desktop Player
+deny  ${HOME}/.config/Gpredict
+deny  ${HOME}/.config/INRIA
+deny  ${HOME}/.config/InSilmaril
+deny  ${HOME}/.config/Jitsi Meet
+deny  ${HOME}/.config/JetBrains/CLion*
+deny  ${HOME}/.config/KDE/neochat
+deny  ${HOME}/.config/Kid3
+deny  ${HOME}/.config/Kingsoft
+deny  ${HOME}/.config/LibreCAD
+deny  ${HOME}/.config/Loop_Hero
+deny  ${HOME}/.config/Luminance
+deny  ${HOME}/.config/LyX
+deny  ${HOME}/.config/Mattermost
+deny  ${HOME}/.config/Meltytech
+deny  ${HOME}/.config/Mendeley Ltd.
+deny  ${HOME}/.config/Microsoft
+deny  ${HOME}/.config/Min
+deny  ${HOME}/.config/ModTheSpire
+deny  ${HOME}/.config/Mousepad
+deny  ${HOME}/.config/Mumble
+deny  ${HOME}/.config/MusE
+deny  ${HOME}/.config/MuseScore
+deny  ${HOME}/.config/MusicBrainz
+deny  ${HOME}/.config/Nathan Osman
+deny  ${HOME}/.config/Nextcloud
+deny  ${HOME}/.config/NitroShare
+deny  ${HOME}/.config/Nylas Mail
+deny  ${HOME}/.config/PBE
+deny  ${HOME}/.config/PacmanLogViewer
+deny  ${HOME}/.config/PawelStolowski
+deny  ${HOME}/.config/Philipp Schmieder
+deny  ${HOME}/.config/Pinta
+deny  ${HOME}/.config/QGIS
+deny  ${HOME}/.config/QMediathekView
+deny  ${HOME}/.config/Qlipper
+deny  ${HOME}/.config/QuiteRss
+deny  ${HOME}/.config/QuiteRssrc
+deny  ${HOME}/.config/Quotient
+deny  ${HOME}/.config/Rambox
+deny  ${HOME}/.config/Riot
+deny  ${HOME}/.config/Rocket.Chat
+deny  ${HOME}/.config/RogueLegacy
+deny  ${HOME}/.config/RogueLegacyStorageContainer
+deny  ${HOME}/.config/Signal
+deny  ${HOME}/.config/Sinew Software Systems
+deny  ${HOME}/.config/Slack
+deny  ${HOME}/.config/Standard Notes
+deny  ${HOME}/.config/SubDownloader
+deny  ${HOME}/.config/Thunar
+deny  ${HOME}/.config/Twitch
+deny  ${HOME}/.config/Unknown Organization
+deny  ${HOME}/.config/VirtualBox
+deny  ${HOME}/.config/Whalebird
+deny  ${HOME}/.config/Wire
+deny  ${HOME}/.config/Youtube
+deny  ${HOME}/.config/ZeGrapher Project
+deny  ${HOME}/.config/Zeal
+deny  ${HOME}/.config/Zulip
+deny  ${HOME}/.config/aacs
+deny  ${HOME}/.config/abiword
+deny  ${HOME}/.config/agenda
+deny  ${HOME}/.config/akonadi*
+deny  ${HOME}/.config/akregatorrc
+deny  ${HOME}/.config/alacritty
+deny  ${HOME}/.config/ardour4
+deny  ${HOME}/.config/ardour5
+deny  ${HOME}/.config/aria2
+deny  ${HOME}/.config/arkrc
+deny  ${HOME}/.config/artha.conf
+deny  ${HOME}/.config/artha.log
+deny  ${HOME}/.config/asunder
+deny  ${HOME}/.config/atril
+deny  ${HOME}/.config/audacious
+deny  ${HOME}/.config/autokey
+deny  ${HOME}/.config/avidemux3_qt5rc
+deny  ${HOME}/.config/aweather
+deny  ${HOME}/.config/backintime
+deny  ${HOME}/.config/baloofilerc
+deny  ${HOME}/.config/baloorc
+deny  ${HOME}/.config/bcompare
+deny  ${HOME}/.config/blender
+deny  ${HOME}/.config/bless
+deny  ${HOME}/.config/bnox
+deny  ${HOME}/.config/borg
+deny  ${HOME}/.config/brasero
+deny  ${HOME}/.config/brave
+deny  ${HOME}/.config/brave-flags.conf
+deny  ${HOME}/.config/caja
+deny  ${HOME}/.config/calibre
+deny  ${HOME}/.config/cantata
+deny  ${HOME}/.config/catfish
+deny  ${HOME}/.config/cawbird
+deny  ${HOME}/.config/celluloid
+deny  ${HOME}/.config/cherrytree
+deny  ${HOME}/.config/chrome-beta-flags.conf
+deny  ${HOME}/.config/chrome-beta-flags.config
+deny  ${HOME}/.config/chrome-flags.conf
+deny  ${HOME}/.config/chrome-flags.config
+deny  ${HOME}/.config/chrome-unstable-flags.conf
+deny  ${HOME}/.config/chrome-unstable-flags.config
+deny  ${HOME}/.config/chromium
+deny  ${HOME}/.config/chromium-dev
+deny  ${HOME}/.config/chromium-flags.conf
+deny  ${HOME}/.config/clipit
+deny  ${HOME}/.config/cliqz
+deny  ${HOME}/.config/cmus
+deny  ${HOME}/.config/com.github.bleakgrey.tootle
+deny  ${HOME}/.config/corebird
+deny  ${HOME}/.config/cower
+deny  ${HOME}/.config/coyim
+deny  ${HOME}/.config/d-feet
+deny  ${HOME}/.config/darktable
+deny  ${HOME}/.config/deadbeef
+deny  ${HOME}/.config/deluge
+deny  ${HOME}/.config/devilspie2
+deny  ${HOME}/.config/digikam
+deny  ${HOME}/.config/digikamrc
+deny  ${HOME}/.config/discord
+deny  ${HOME}/.config/discordcanary
+deny  ${HOME}/.config/dkl
+deny  ${HOME}/.config/dnox
+deny  ${HOME}/.config/dolphin-emu
+deny  ${HOME}/.config/dolphinrc
+deny  ${HOME}/.config/dragonplayerrc
+deny  ${HOME}/.config/draw.io
+deny  ${HOME}/.config/electron-mail
+deny  ${HOME}/.config/emaildefaults
+deny  ${HOME}/.config/emailidentities
+deny  ${HOME}/.config/emilia
+deny  ${HOME}/.config/enchant
+deny  ${HOME}/.config/eog
+deny  ${HOME}/.config/epiphany
+deny  ${HOME}/.config/equalx
+deny  ${HOME}/.config/evince
+deny  ${HOME}/.config/evolution
+deny  ${HOME}/.config/falkon
+deny  ${HOME}/.config/filezilla
+deny  ${HOME}/.config/flameshot
+deny  ${HOME}/.config/flaska.net
+deny  ${HOME}/.config/flowblade
+deny  ${HOME}/.config/font-manager
+deny  ${HOME}/.config/freecol
+deny  ${HOME}/.config/gajim
+deny  ${HOME}/.config/galculator
+deny  ${HOME}/.config/gconf
+deny  ${HOME}/.config/geany
+deny  ${HOME}/.config/geary
+deny  ${HOME}/.config/gedit
+deny  ${HOME}/.config/geeqie
+deny  ${HOME}/.config/ghb
+deny  ${HOME}/.config/ghostwriter
+deny  ${HOME}/.config/git
+deny  ${HOME}/.config/git-cola
+deny  ${HOME}/.config/glade.conf
+deny  ${HOME}/.config/globaltime
+deny  ${HOME}/.config/gmpc
+deny  ${HOME}/.config/gnome-builder
+deny  ${HOME}/.config/gnome-chess
+deny  ${HOME}/.config/gnome-control-center
+deny  ${HOME}/.config/gnome-initial-setup-done
+deny  ${HOME}/.config/gnome-latex
+deny  ${HOME}/.config/gnome-mplayer
+deny  ${HOME}/.config/gnome-mpv
+deny  ${HOME}/.config/gnome-pie
+deny  ${HOME}/.config/gnome-session
+deny  ${HOME}/.config/gnote
+deny  ${HOME}/.config/godot
+deny  ${HOME}/.config/google-chrome
+deny  ${HOME}/.config/google-chrome-beta
+deny  ${HOME}/.config/google-chrome-unstable
+deny  ${HOME}/.config/gpicview
+deny  ${HOME}/.config/gthumb
+deny  ${HOME}/.config/gummi
+deny  ${HOME}/.config/guvcview2
+deny  ${HOME}/.config/gwenviewrc
+deny  ${HOME}/.config/hexchat
+deny  ${HOME}/.config/homebank
+deny  ${HOME}/.config/i2p
+deny  ${HOME}/.config/inkscape
+deny  ${HOME}/.config/inox
+deny  ${HOME}/.config/iridium
+deny  ${HOME}/.config/itch
+deny  ${HOME}/.config/jami
+deny  ${HOME}/.config/jd-gui.cfg
+deny  ${HOME}/.config/k3brc
+deny  ${HOME}/.config/kaffeinerc
+deny  ${HOME}/.config/kalgebrarc
+deny  ${HOME}/.config/katemetainfos
+deny  ${HOME}/.config/katepartrc
+deny  ${HOME}/.config/katerc
+deny  ${HOME}/.config/kateschemarc
+deny  ${HOME}/.config/katesyntaxhighlightingrc
+deny  ${HOME}/.config/katevirc
+deny  ${HOME}/.config/kazam
+deny  ${HOME}/.config/kdeconnect
+deny  ${HOME}/.config/kdenliverc
+deny  ${HOME}/.config/kdiff3fileitemactionrc
+deny  ${HOME}/.config/kdiff3rc
+deny  ${HOME}/.config/kfindrc
+deny  ${HOME}/.config/kgetrc
+deny  ${HOME}/.config/kid3rc
+deny  ${HOME}/.config/klavaro
+deny  ${HOME}/.config/klipperrc
+deny  ${HOME}/.config/kmail2rc
+deny  ${HOME}/.config/kmailsearchindexingrc
+deny  ${HOME}/.config/kmplayerrc
+deny  ${HOME}/.config/knotesrc
+deny  ${HOME}/.config/konversation.notifyrc
+deny  ${HOME}/.config/konversationrc
+deny  ${HOME}/.config/kritarc
+deny  ${HOME}/.config/ktorrentrc
+deny  ${HOME}/.config/ktouch2rc
+deny  ${HOME}/.config/kube
+deny  ${HOME}/.config/kwriterc
+deny  ${HOME}/.config/leafpad
+deny  ${HOME}/.config/libreoffice
+deny  ${HOME}/.config/liferea
+deny  ${HOME}/.config/linphone
+deny  ${HOME}/.config/lugaru
+deny  ${HOME}/.config/lutris
+deny  ${HOME}/.config/lximage-qt
+deny  ${HOME}/.config/mailtransports
+deny  ${HOME}/.config/mana
+deny  ${HOME}/.config/mate-calc
+deny  ${HOME}/.config/mate/eom
+deny  ${HOME}/.config/mate/mate-dictionary
+deny  ${HOME}/.config/matrix-mirage
+deny  ${HOME}/.config/mcomix
+deny  ${HOME}/.config/meld
+deny  ${HOME}/.config/menulibre.cfg
+deny  ${HOME}/.config/meteo-qt
+deny  ${HOME}/.config/mfusion
+deny  ${HOME}/.config/microsoft-edge-dev
+deny  ${HOME}/.config/midori
+deny  ${HOME}/.config/mirage
+deny  ${HOME}/.config/mono
+deny  ${HOME}/.config/mpDris2
+deny  ${HOME}/.config/mpd
+deny  ${HOME}/.config/mps-youtube
+deny  ${HOME}/.config/mpv
+deny  ${HOME}/.config/mupen64plus
+deny  ${HOME}/.config/mutt
+deny  ${HOME}/.config/mutter
+deny  ${HOME}/.config/mypaint
+deny  ${HOME}/.config/nano
+deny  ${HOME}/.config/nautilus
+deny  ${HOME}/.config/nemo
+deny  ${HOME}/.config/neochat.notifyrc
+deny  ${HOME}/.config/neochatrc
+deny  ${HOME}/.config/neomutt
+deny  ${HOME}/.config/netsurf
+deny  ${HOME}/.config/newsbeuter
+deny  ${HOME}/.config/newsboat
+deny  ${HOME}/.config/newsflash
+deny  ${HOME}/.config/nheko
+deny  ${HOME}/.config/nomacs
+deny  ${HOME}/.config/nuclear
+deny  ${HOME}/.config/obs-studio
+deny  ${HOME}/.config/okularpartrc
+deny  ${HOME}/.config/okularrc
+deny  ${HOME}/.config/onboard
+deny  ${HOME}/.config/onionshare
+deny  ${HOME}/.config/onlyoffice
+deny  ${HOME}/.config/openmw
+deny  ${HOME}/.config/opera
+deny  ${HOME}/.config/opera-beta
+deny  ${HOME}/.config/orage
+deny  ${HOME}/.config/org.gabmus.gfeeds.json
+deny  ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+deny  ${HOME}/.config/org.kde.gwenviewrc
+deny  ${HOME}/.config/otter
+deny  ${HOME}/.config/pavucontrol-qt
+deny  ${HOME}/.config/pavucontrol.ini
+deny  ${HOME}/.config/pcmanfm
+deny  ${HOME}/.config/pdfmod
+deny  ${HOME}/.config/pipe-viewer
+deny  ${HOME}/.config/pitivi
+deny  ${HOME}/.config/pix
+deny  ${HOME}/.config/pluma
+deny  ${HOME}/.config/ppsspp
+deny  ${HOME}/.config/pragha
+deny  ${HOME}/.config/profanity
+deny  ${HOME}/.config/psi
+deny  ${HOME}/.config/psi+
+deny  ${HOME}/.config/qBittorrent
+deny  ${HOME}/.config/qBittorrentrc
+deny  ${HOME}/.config/qnapi.ini
+deny  ${HOME}/.config/qpdfview
+deny  ${HOME}/.config/quodlibet
+deny  ${HOME}/.config/qupzilla
+deny  ${HOME}/.config/qutebrowser
+deny  ${HOME}/.config/ranger
+deny  ${HOME}/.config/redshift
+deny  ${HOME}/.config/redshift.conf
+deny  ${HOME}/.config/remmina
+deny  ${HOME}/.config/ristretto
+deny  ${HOME}/.config/rtv
+deny  ${HOME}/.config/scribus
+deny  ${HOME}/.config/scribusrc
+deny  ${HOME}/.config/sinew.in
+deny  ${HOME}/.config/sink
+deny  ${HOME}/.config/skypeforlinux
+deny  ${HOME}/.config/slimjet
+deny  ${HOME}/.config/smplayer
+deny  ${HOME}/.config/smtube
+deny  ${HOME}/.config/smuxi
+deny  ${HOME}/.config/snox
+deny  ${HOME}/.config/sound-juicer
+deny  ${HOME}/.config/specialmailcollectionsrc
+deny  ${HOME}/.config/spectaclerc
+deny  ${HOME}/.config/spotify
+deny  ${HOME}/.config/sqlitebrowser
+deny  ${HOME}/.config/stellarium
+deny  ${HOME}/.config/straw-viewer
+deny  ${HOME}/.config/strawberry
+deny  ${HOME}/.config/supertuxkart
+deny  ${HOME}/.config/synfig
+deny  ${HOME}/.config/teams
+deny  ${HOME}/.config/teams-for-linux
+deny  ${HOME}/.config/telepathy-account-widgets
+deny  ${HOME}/.config/torbrowser
+deny  ${HOME}/.config/totem
+deny  ${HOME}/.config/tox
+deny  ${HOME}/.config/transgui
+deny  ${HOME}/.config/transmission
+deny  ${HOME}/.config/truecraft
+deny  ${HOME}/.config/tuta_integration
+deny  ${HOME}/.config/tutanota-desktop
+deny  ${HOME}/.config/tvbrowser
+deny  ${HOME}/.config/uGet
+deny  ${HOME}/.config/ungoogled-chromium
+deny  ${HOME}/.config/uzbl
+deny  ${HOME}/.config/viewnior
+deny  ${HOME}/.config/vivaldi
+deny  ${HOME}/.config/vivaldi-snapshot
+deny  ${HOME}/.config/vlc
+deny  ${HOME}/.config/wesnoth
+deny  ${HOME}/.config/wireshark
+deny  ${HOME}/.config/wormux
+deny  ${HOME}/.config/xchat
+deny  ${HOME}/.config/xed
+deny  ${HOME}/.config/xfburn
+deny  ${HOME}/.config/xfce4-dict
+deny  ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+deny  ${HOME}/.config/xfce4/xfce4-notes.rc
+deny  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+deny  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+deny  ${HOME}/.config/xiaoyong
+deny  ${HOME}/.config/xmms2
+deny  ${HOME}/.config/xplayer
+deny  ${HOME}/.config/xreader
+deny  ${HOME}/.config/xviewer
+deny  ${HOME}/.config/yandex-browser
+deny  ${HOME}/.config/yandex-browser-beta
+deny  ${HOME}/.config/yelp
+deny  ${HOME}/.config/youtube-dl
+deny  ${HOME}/.config/youtube-dlg
+deny  ${HOME}/.config/youtube-music-desktop-app
+deny  ${HOME}/.config/youtube-viewer
+deny  ${HOME}/.config/youtubemusic-nativefier-040164
+deny  ${HOME}/.config/zathura
+deny  ${HOME}/.config/zoomus.conf
+deny  ${HOME}/.conkeror.mozdev.org
+deny  ${HOME}/.crawl
+deny  ${HOME}/.cups
+deny  ${HOME}/.curl-hsts
+deny  ${HOME}/.curlrc
+deny  ${HOME}/.dashcore
+deny  ${HOME}/.devilspie
+deny  ${HOME}/.dia
+deny  ${HOME}/.digrc
+deny  ${HOME}/.dillo
+deny  ${HOME}/.dooble
+deny  ${HOME}/.dosbox
+deny  ${HOME}/.dropbox*
+deny  ${HOME}/.easystroke
+deny  ${HOME}/.electron-cache
+deny  ${HOME}/.electrum*
+deny  ${HOME}/.elinks
+deny  ${HOME}/.emacs
+deny  ${HOME}/.emacs.d
+deny  ${HOME}/.equalx
+deny  ${HOME}/.ethereum
+deny  ${HOME}/.etr
+deny  ${HOME}/.filezilla
+deny  ${HOME}/.firedragon
+deny  ${HOME}/.flowblade
+deny  ${HOME}/.fltk
+deny  ${HOME}/.fossamail
+deny  ${HOME}/.freeciv
+deny  ${HOME}/.freecol
+deny  ${HOME}/.freemind
+deny  ${HOME}/.frogatto
+deny  ${HOME}/.frozen-bubble
+deny  ${HOME}/.funnyboat
+deny  ${HOME}/.gimp*
+deny  ${HOME}/.gist
+deny  ${HOME}/.gitconfig
+deny  ${HOME}/.gl-117
+deny  ${HOME}/.glaxiumrc
+deny  ${HOME}/.gnome/gnome-schedule
+deny  ${HOME}/.googleearth
+deny  ${HOME}/.gradle
+deny  ${HOME}/.gramps
+deny  ${HOME}/.guayadeque
+deny  ${HOME}/.hashcat
+deny  ${HOME}/.hedgewars
+deny  ${HOME}/.hex-a-hop
+deny  ${HOME}/.hugin
+deny  ${HOME}/.i2p
+deny  ${HOME}/.icedove
+deny  ${HOME}/.imagej
+deny  ${HOME}/.inkscape
+deny  ${HOME}/.itch
+deny  ${HOME}/.jack-server
+deny  ${HOME}/.jack-settings
+deny  ${HOME}/.jak
+deny  ${HOME}/.java
+deny  ${HOME}/.jd
+deny  ${HOME}/.jitsi
+deny  ${HOME}/.jumpnbump
+deny  ${HOME}/.kde/share/apps/digikam
+deny  ${HOME}/.kde/share/apps/gwenview
+deny  ${HOME}/.kde/share/apps/kaffeine
+deny  ${HOME}/.kde/share/apps/kcookiejar
+deny  ${HOME}/.kde/share/apps/kget
+deny  ${HOME}/.kde/share/apps/khtml
+deny  ${HOME}/.kde/share/apps/klatexformula
+deny  ${HOME}/.kde/share/apps/konqsidebartng
+deny  ${HOME}/.kde/share/apps/konqueror
+deny  ${HOME}/.kde/share/apps/kopete
+deny  ${HOME}/.kde/share/apps/ktorrent
+deny  ${HOME}/.kde/share/apps/okular
+deny  ${HOME}/.kde/share/config/baloofilerc
+deny  ${HOME}/.kde/share/config/baloorc
+deny  ${HOME}/.kde/share/config/digikam
+deny  ${HOME}/.kde/share/config/gwenviewrc
+deny  ${HOME}/.kde/share/config/k3brc
+deny  ${HOME}/.kde/share/config/kaffeinerc
+deny  ${HOME}/.kde/share/config/kcookiejarrc
+deny  ${HOME}/.kde/share/config/kfindrc
+deny  ${HOME}/.kde/share/config/kgetrc
+deny  ${HOME}/.kde/share/config/khtmlrc
+deny  ${HOME}/.kde/share/config/klipperrc
+deny  ${HOME}/.kde/share/config/kmplayerrc
+deny  ${HOME}/.kde/share/config/konq_history
+deny  ${HOME}/.kde/share/config/konqsidebartngrc
+deny  ${HOME}/.kde/share/config/konquerorrc
+deny  ${HOME}/.kde/share/config/konversationrc
+deny  ${HOME}/.kde/share/config/kopeterc
+deny  ${HOME}/.kde/share/config/ktorrentrc
+deny  ${HOME}/.kde/share/config/okularpartrc
+deny  ${HOME}/.kde/share/config/okularrc
+deny  ${HOME}/.kde4/share/apps/digikam
+deny  ${HOME}/.kde4/share/apps/gwenview
+deny  ${HOME}/.kde4/share/apps/kaffeine
+deny  ${HOME}/.kde4/share/apps/kcookiejar
+deny  ${HOME}/.kde4/share/apps/kget
+deny  ${HOME}/.kde4/share/apps/khtml
+deny  ${HOME}/.kde4/share/apps/konqsidebartng
+deny  ${HOME}/.kde4/share/apps/konqueror
+deny  ${HOME}/.kde4/share/apps/kopete
+deny  ${HOME}/.kde4/share/apps/ktorrent
+deny  ${HOME}/.kde4/share/apps/okular
+deny  ${HOME}/.kde4/share/config/baloofilerc
+deny  ${HOME}/.kde4/share/config/baloorc
+deny  ${HOME}/.kde4/share/config/digikam
+deny  ${HOME}/.kde4/share/config/gwenviewrc
+deny  ${HOME}/.kde4/share/config/k3brc
+deny  ${HOME}/.kde4/share/config/kaffeinerc
+deny  ${HOME}/.kde4/share/config/kcookiejarrc
+deny  ${HOME}/.kde4/share/config/kfindrc
+deny  ${HOME}/.kde4/share/config/kgetrc
+deny  ${HOME}/.kde4/share/config/khtmlrc
+deny  ${HOME}/.kde4/share/config/klipperrc
+deny  ${HOME}/.kde4/share/config/konq_history
+deny  ${HOME}/.kde4/share/config/konqsidebartngrc
+deny  ${HOME}/.kde4/share/config/konquerorrc
+deny  ${HOME}/.kde4/share/config/konversationrc
+deny  ${HOME}/.kde4/share/config/kopeterc
+deny  ${HOME}/.kde4/share/config/ktorrentrc
+deny  ${HOME}/.kde4/share/config/okularpartrc
+deny  ${HOME}/.kde4/share/config/okularrc
+deny  ${HOME}/.killingfloor
+deny  ${HOME}/.kingsoft
+deny  ${HOME}/.kino-history
+deny  ${HOME}/.kinorc
+deny  ${HOME}/.klatexformula
+deny  ${HOME}/.klei
+deny  ${HOME}/.kodi
+deny  ${HOME}/.librewolf
+deny  ${HOME}/.lincity-ng
+deny  ${HOME}/.links
+deny  ${HOME}/.links2
+deny  ${HOME}/.linphone-history.db
+deny  ${HOME}/.linphonerc
+deny  ${HOME}/.lmmsrc.xml
+deny  ${HOME}/.local/lib/vivaldi
+deny  ${HOME}/.local/share/0ad
+deny  ${HOME}/.local/share/3909/PapersPlease
+deny  ${HOME}/.local/share/Anki2
+deny  ${HOME}/.local/share/Dredmor
+deny  ${HOME}/.local/share/Empathy
+deny  ${HOME}/.local/share/Enpass
+deny  ${HOME}/.local/share/FasterThanLight
+deny  ${HOME}/.local/share/Flavio Tordini
+deny  ${HOME}/.local/share/IntoTheBreach
+deny  ${HOME}/.local/share/JetBrains
+deny  ${HOME}/.local/share/KDE/neochat
+deny  ${HOME}/.local/share/Kingsoft
+deny  ${HOME}/.local/share/LibreCAD
+deny  ${HOME}/.local/share/Mendeley Ltd.
+deny  ${HOME}/.local/share/Mumble
+deny  ${HOME}/.local/share/Nextcloud
+deny  ${HOME}/.local/share/PBE
+deny  ${HOME}/.local/share/Paradox Interactive
+deny  ${HOME}/.local/share/PawelStolowski
+deny  ${HOME}/.local/share/PillarsOfEternity
+deny  ${HOME}/.local/share/Psi
+deny  ${HOME}/.local/share/QGIS
+deny  ${HOME}/.local/share/QMediathekView
+deny  ${HOME}/.local/share/QuiteRss
+deny  ${HOME}/.local/share/Ricochet
+deny  ${HOME}/.local/share/RogueLegacy
+deny  ${HOME}/.local/share/RogueLegacyStorageContainer
+deny  ${HOME}/.local/share/Shortwave
+deny  ${HOME}/.local/share/Steam
+deny  ${HOME}/.local/share/SteamWorld Dig 2
+deny  ${HOME}/.local/share/SteamWorldDig
+deny  ${HOME}/.local/share/SuperHexagon
+deny  ${HOME}/.local/share/TelegramDesktop
+deny  ${HOME}/.local/share/Terraria
+deny  ${HOME}/.local/share/TpLogger
+deny  ${HOME}/.local/share/Zeal
+deny  ${HOME}/.local/share/agenda
+deny  ${HOME}/.local/share/akonadi*
+deny  ${HOME}/.local/share/akregator
+deny  ${HOME}/.local/share/apps/korganizer
+deny  ${HOME}/.local/share/aspyr-media
+deny  ${HOME}/.local/share/authenticator-rs
+deny  ${HOME}/.local/share/autokey
+deny  ${HOME}/.local/share/backintime
+deny  ${HOME}/.local/share/baloo
+deny  ${HOME}/.local/share/barrier
+deny  ${HOME}/.local/share/bibletime
+deny  ${HOME}/.local/share/bijiben
+deny  ${HOME}/.local/share/bohemiainteractive
+deny  ${HOME}/.local/share/caja-python
+deny  ${HOME}/.local/share/calligragemini
+deny  ${HOME}/.local/share/cantata
+deny  ${HOME}/.local/share/cdprojektred
+deny  ${HOME}/.local/share/clipit
+deny  ${HOME}/.local/share/com.github.johnfactotum.Foliate
+deny  ${HOME}/.local/share/contacts
+deny  ${HOME}/.local/share/cor-games
+deny  ${HOME}/.local/share/data/Mendeley Ltd.
+deny  ${HOME}/.local/share/data/Mumble
+deny  ${HOME}/.local/share/data/MusE
+deny  ${HOME}/.local/share/data/MuseScore
+deny  ${HOME}/.local/share/data/nomacs
+deny  ${HOME}/.local/share/data/qBittorrent
+deny  ${HOME}/.local/share/dino
+deny  ${HOME}/.local/share/dolphin
+deny  ${HOME}/.local/share/dolphin-emu
+deny  ${HOME}/.local/share/emailidentities
+deny  ${HOME}/.local/share/epiphany
+deny  ${HOME}/.local/share/evolution
+deny  ${HOME}/.local/share/feedreader
+deny  ${HOME}/.local/share/feral-interactive
+deny  ${HOME}/.local/share/five-or-more
+deny  ${HOME}/.local/share/freecol
+deny  ${HOME}/.local/share/gajim
+deny  ${HOME}/.local/share/geary
+deny  ${HOME}/.local/share/geeqie
+deny  ${HOME}/.local/share/ghostwriter
+deny  ${HOME}/.local/share/gitg
+deny  ${HOME}/.local/share/gnome-2048
+deny  ${HOME}/.local/share/gnome-boxes
+deny  ${HOME}/.local/share/gnome-builder
+deny  ${HOME}/.local/share/gnome-chess
+deny  ${HOME}/.local/share/gnome-klotski
+deny  ${HOME}/.local/share/gnome-latex
+deny  ${HOME}/.local/share/gnome-mines
+deny  ${HOME}/.local/share/gnome-music
+deny  ${HOME}/.local/share/gnome-nibbles
+deny  ${HOME}/.local/share/gnome-photos
+deny  ${HOME}/.local/share/gnome-pomodoro
+deny  ${HOME}/.local/share/gnome-recipes
+deny  ${HOME}/.local/share/gnome-ring
+deny  ${HOME}/.local/share/gnome-sudoku
+deny  ${HOME}/.local/share/gnome-twitch
+deny  ${HOME}/.local/share/gnote
+deny  ${HOME}/.local/share/godot
+deny  ${HOME}/.local/share/gradio
+deny  ${HOME}/.local/share/gwenview
+deny  ${HOME}/.local/share/i2p
+deny  ${HOME}/.local/share/jami
+deny  ${HOME}/.local/share/kaffeine
+deny  ${HOME}/.local/share/kalgebra
+deny  ${HOME}/.local/share/kate
+deny  ${HOME}/.local/share/kdenlive
+deny  ${HOME}/.local/share/kget
+deny  ${HOME}/.local/share/kiwix
+deny  ${HOME}/.local/share/kiwix-desktop
+deny  ${HOME}/.local/share/klavaro
+deny  ${HOME}/.local/share/kmail2
+deny  ${HOME}/.local/share/kmplayer
+deny  ${HOME}/.local/share/knotes
+deny  ${HOME}/.local/share/krita
+deny  ${HOME}/.local/share/ktorrent
+deny  ${HOME}/.local/share/ktorrentrc
+deny  ${HOME}/.local/share/ktouch
+deny  ${HOME}/.local/share/kube
+deny  ${HOME}/.local/share/kwrite
+deny  ${HOME}/.local/share/kxmlgui5/*
+deny  ${HOME}/.local/share/liferea
+deny  ${HOME}/.local/share/linphone
+deny  ${HOME}/.local/share/local-mail
+deny  ${HOME}/.local/share/lollypop
+deny  ${HOME}/.local/share/love
+deny  ${HOME}/.local/share/lugaru
+deny  ${HOME}/.local/share/lutris
+deny  ${HOME}/.local/share/man
+deny  ${HOME}/.local/share/mana
+deny  ${HOME}/.local/share/maps-places.json
+deny  ${HOME}/.local/share/matrix-mirage
+deny  ${HOME}/.local/share/mcomix
+deny  ${HOME}/.local/share/meld
+deny  ${HOME}/.local/share/midori
+deny  ${HOME}/.local/share/minder
+deny  ${HOME}/.local/share/mirage
+deny  ${HOME}/.local/share/multimc
+deny  ${HOME}/.local/share/multimc5
+deny  ${HOME}/.local/share/mupen64plus
+deny  ${HOME}/.local/share/mypaint
+deny  ${HOME}/.local/share/nautilus
+deny  ${HOME}/.local/share/nautilus-python
+deny  ${HOME}/.local/share/nemo
+deny  ${HOME}/.local/share/nemo-python
+deny  ${HOME}/.local/share/news-flash
+deny  ${HOME}/.local/share/newsbeuter
+deny  ${HOME}/.local/share/newsboat
+deny  ${HOME}/.local/share/nheko
+deny  ${HOME}/.local/share/nomacs
+deny  ${HOME}/.local/share/notes
+deny  ${HOME}/.local/share/ocenaudio
+deny  ${HOME}/.local/share/okular
+deny  ${HOME}/.local/share/onlyoffice
+deny  ${HOME}/.local/share/openmw
+deny  ${HOME}/.local/share/orage
+deny  ${HOME}/.local/share/org.kde.gwenview
+deny  ${HOME}/.local/share/pix
+deny  ${HOME}/.local/share/plasma_notes
+deny  ${HOME}/.local/share/profanity
+deny  ${HOME}/.local/share/psi
+deny  ${HOME}/.local/share/psi+
+deny  ${HOME}/.local/share/qpdfview
+deny  ${HOME}/.local/share/quadrapassel
+deny  ${HOME}/.local/share/qutebrowser
+deny  ${HOME}/.local/share/remmina
+deny  ${HOME}/.local/share/rhythmbox
+deny  ${HOME}/.local/share/rtv
+deny  ${HOME}/.local/share/scribus
+deny  ${HOME}/.local/share/shotwell
+deny  ${HOME}/.local/share/signal-cli
+deny  ${HOME}/.local/share/sink
+deny  ${HOME}/.local/share/smuxi
+deny  ${HOME}/.local/share/spotify
+deny  ${HOME}/.local/share/steam
+deny  ${HOME}/.local/share/strawberry
+deny  ${HOME}/.local/share/supertux2
+deny  ${HOME}/.local/share/supertuxkart
+deny  ${HOME}/.local/share/swell-foop
+deny  ${HOME}/.local/share/telepathy
+deny  ${HOME}/.local/share/terasology
+deny  ${HOME}/.local/share/torbrowser
+deny  ${HOME}/.local/share/totem
+deny  ${HOME}/.local/share/uzbl
+deny  ${HOME}/.local/share/vlc
+deny  ${HOME}/.local/share/vpltd
+deny  ${HOME}/.local/share/vulkan
+deny  ${HOME}/.local/share/warsow-2.1
+deny  ${HOME}/.local/share/wesnoth
+deny  ${HOME}/.local/share/wormux
+deny  ${HOME}/.local/share/xplayer
+deny  ${HOME}/.local/share/xreader
+deny  ${HOME}/.local/share/zathura
+deny  ${HOME}/.lv2
+deny  ${HOME}/.lyx
+deny  ${HOME}/.magicor
+deny  ${HOME}/.masterpdfeditor
+deny  ${HOME}/.mbwarband
+deny  ${HOME}/.mcabber
+deny  ${HOME}/.mcabberrc
+deny  ${HOME}/.mediathek3
+deny  ${HOME}/.megaglest
+deny  ${HOME}/.minecraft
+deny  ${HOME}/.minetest
+deny  ${HOME}/.mirrormagic
+deny  ${HOME}/.moc
+deny  ${HOME}/.moonchild productions/basilisk
+deny  ${HOME}/.moonchild productions/pale moon
+deny  ${HOME}/.mozilla
+deny  ${HOME}/.mp3splt-gtk
+deny  ${HOME}/.mpd
+deny  ${HOME}/.mpdconf
+deny  ${HOME}/.mplayer
+deny  ${HOME}/.msmtprc
+deny  ${HOME}/.multimc5
+deny  ${HOME}/.nanorc
+deny  ${HOME}/.netactview
+deny  ${HOME}/.neverball
+deny  ${HOME}/.newsbeuter
+deny  ${HOME}/.newsboat
+deny  ${HOME}/.newsrc
+deny  ${HOME}/.nicotine
+deny  ${HOME}/.node-gyp
+deny  ${HOME}/.npm
+deny  ${HOME}/.npmrc
+deny  ${HOME}/.nv
+deny  ${HOME}/.nvm
+deny  ${HOME}/.nylas-mail
+deny  ${HOME}/.openarena
+deny  ${HOME}/.opencity
+deny  ${HOME}/.openinvaders
+deny  ${HOME}/.openshot
+deny  ${HOME}/.openshot_qt
+deny  ${HOME}/.openttd
+deny  ${HOME}/.opera
+deny  ${HOME}/.opera-beta
+deny  ${HOME}/.ostrichriders
+deny  ${HOME}/.paradoxinteractive
+deny  ${HOME}/.parallelrealities/blobwars
+deny  ${HOME}/.pcsxr
+deny  ${HOME}/.penguin-command
+deny  ${HOME}/.pine-crash
+deny  ${HOME}/.pine-debug1
+deny  ${HOME}/.pine-debug2
+deny  ${HOME}/.pine-debug3
+deny  ${HOME}/.pine-debug4
+deny  ${HOME}/.pine-interrupted-mail
+deny  ${HOME}/.pinerc
+deny  ${HOME}/.pinercex
+deny  ${HOME}/.pingus
+deny  ${HOME}/.pioneer
+deny  ${HOME}/.purple
+deny  ${HOME}/.pylint.d
+deny  ${HOME}/.qemu-launcher
+deny  ${HOME}/.qgis2
+deny  ${HOME}/.qmmp
+deny  ${HOME}/.quodlibet
+deny  ${HOME}/.redeclipse
+deny  ${HOME}/.remmina
+deny  ${HOME}/.repo_.gitconfig.json
+deny  ${HOME}/.repoconfig
+deny  ${HOME}/.retroshare
+deny  ${HOME}/.ripperXrc
+deny  ${HOME}/.scorched3d
+deny  ${HOME}/.scribus
+deny  ${HOME}/.scribusrc
+deny  ${HOME}/.simutrans
+deny  ${HOME}/.smartgit/*/passwords
+deny  ${HOME}/.ssr
+deny  ${HOME}/.steam
+deny  ${HOME}/.steampath
+deny  ${HOME}/.steampid
+deny  ${HOME}/.stellarium
+deny  ${HOME}/.subversion
+deny  ${HOME}/.surf
+deny  ${HOME}/.suve/colorful
+deny  ${HOME}/.swb.ini
+deny  ${HOME}/.sword
+deny  ${HOME}/.sylpheed-2.0
+deny  ${HOME}/.synfig
+deny  ${HOME}/.tb
+deny  ${HOME}/.tconn
+deny  ${HOME}/.teeworlds
+deny  ${HOME}/.texlive20*
+deny  ${HOME}/.thunderbird
+deny  ${HOME}/.tilp
+deny  ${HOME}/.tin
+deny  ${HOME}/.tooling
+deny  ${HOME}/.tor-browser*
+deny  ${HOME}/.torcs
+deny  ${HOME}/.tremulous
+deny  ${HOME}/.ts3client
+deny  ${HOME}/.tuxguitar*
+deny  ${HOME}/.tvbrowser
+deny  ${HOME}/.unknown-horizons
+deny  ${HOME}/.viking
+deny  ${HOME}/.viking-maps
+deny  ${HOME}/.vim
+deny  ${HOME}/.vimrc
+deny  ${HOME}/.vmware
+deny  ${HOME}/.vscode
+deny  ${HOME}/.vscode-oss
+deny  ${HOME}/.vst
+deny  ${HOME}/.vultures
+deny  ${HOME}/.w3m
+deny  ${HOME}/.warzone2100-3.*
+deny  ${HOME}/.waterfox
+deny  ${HOME}/.weechat
+deny  ${HOME}/.wget-hsts
+deny  ${HOME}/.wgetrc
+deny  ${HOME}/.widelands
+deny  ${HOME}/.wine
+deny  ${HOME}/.wine64
+deny  ${HOME}/.wireshark
+deny  ${HOME}/.wordwarvi
+deny  ${HOME}/.wormux
+deny  ${HOME}/.xiphos
+deny  ${HOME}/.xmind
+deny  ${HOME}/.xmms
+deny  ${HOME}/.xmr-stak
+deny  ${HOME}/.xonotic
+deny  ${HOME}/.xournalpp
+deny  ${HOME}/.xpdfrc
+deny  ${HOME}/.yarn
+deny  ${HOME}/.yarn-config
+deny  ${HOME}/.yarncache
+deny  ${HOME}/.yarnrc
+deny  ${HOME}/.zoom
+deny  ${HOME}/Arduino
+deny  ${HOME}/Monero/wallets
+deny  ${HOME}/Nextcloud
+deny  ${HOME}/Nextcloud/Notes
+deny  ${HOME}/SoftMaker
+deny  ${HOME}/Standard Notes Backups
+deny  ${HOME}/TeamSpeak3-Client-linux_amd64
+deny  ${HOME}/TeamSpeak3-Client-linux_x86
+deny  ${HOME}/hyperrogue.ini
+deny  ${HOME}/i2p
+deny  ${HOME}/mps
+deny  ${HOME}/wallet.dat
+deny  /tmp/.wine-*
+deny  /tmp/akonadi-*
+deny  /var/games/nethack
+deny  /var/games/slashem
+deny  /var/games/vulturesclaw
+deny  /var/games/vultureseye
+deny  /var/lib/games/Maelstrom-Scores
 
 # ${HOME}/.cache directory
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Authenticator
-blacklist ${HOME}/.cache/BraveSoftware
-blacklist ${HOME}/.cache/Clementine
-blacklist ${HOME}/.cache/ENCOM/Spectral
-blacklist ${HOME}/.cache/Enox
-blacklist ${HOME}/.cache/Enpass
-blacklist ${HOME}/.cache/Ferdi
-blacklist ${HOME}/.cache/Flavio Tordini
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/MusicBrainz
-blacklist ${HOME}/.cache/NewsFlashGTK
-blacklist ${HOME}/.cache/Otter
-blacklist ${HOME}/.cache/PawelStolowski
-blacklist ${HOME}/.cache/Psi
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/quodlibet
-blacklist ${HOME}/.cache/Quotient/quaternion
-blacklist ${HOME}/.cache/Shortwave
-blacklist ${HOME}/.cache/Tox
-blacklist ${HOME}/.cache/Zeal
-blacklist ${HOME}/.cache/agenda
-blacklist ${HOME}/.cache/akonadi*
-blacklist ${HOME}/.cache/atril
-blacklist ${HOME}/.cache/attic
-blacklist ${HOME}/.cache/babl
-blacklist ${HOME}/.cache/bnox
-blacklist ${HOME}/.cache/borg
-blacklist ${HOME}/.cache/calibre
-blacklist ${HOME}/.cache/cantata
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/cliqz
-blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/deja-dup
-blacklist ${HOME}/.cache/discover
-blacklist ${HOME}/.cache/dnox
-blacklist ${HOME}/.cache/dolphin
-blacklist ${HOME}/.cache/dolphin-emu
-blacklist ${HOME}/.cache/ephemeral
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/falkon
-blacklist ${HOME}/.cache/feedreader
-blacklist ${HOME}/.cache/firedragon
-blacklist ${HOME}/.cache/flaska.net/trojita
-blacklist ${HOME}/.cache/folks
-blacklist ${HOME}/.cache/font-manager
-blacklist ${HOME}/.cache/fossamail
-blacklist ${HOME}/.cache/fractal
-blacklist ${HOME}/.cache/freecol
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/geary
-blacklist ${HOME}/.cache/gegl-0.4
-blacklist ${HOME}/.cache/geeqie
-blacklist ${HOME}/.cache/gfeeds
-blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
-blacklist ${HOME}/.cache/gnome-builder
-blacklist ${HOME}/.cache/gnome-control-center
-blacklist ${HOME}/.cache/gnome-recipes
-blacklist ${HOME}/.cache/gnome-screenshot
-blacklist ${HOME}/.cache/gnome-software
-blacklist ${HOME}/.cache/gnome-twitch
-blacklist ${HOME}/.cache/godot
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/gradio
-blacklist ${HOME}/.cache/gummi
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/INRIA/Natron
-blacklist ${HOME}/.cache/inkscape
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/iridium
-blacklist ${HOME}/.cache/kcmshell5
-blacklist ${HOME}/.cache/KDE/neochat
-blacklist ${HOME}/.cache/kdenlive
-blacklist ${HOME}/.cache/keepassxc
-blacklist ${HOME}/.cache/kfind
-blacklist ${HOME}/.cache/kinfocenter
-blacklist ${HOME}/.cache/kmail2
-blacklist ${HOME}/.cache/krunner
-blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/kscreenlocker_greet
-blacklist ${HOME}/.cache/ksmserver-logout-greeter
-blacklist ${HOME}/.cache/ksplashqml
-blacklist ${HOME}/.cache/kube
-blacklist ${HOME}/.cache/kwin
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/librewolf
-blacklist ${HOME}/.cache/liferea
-blacklist ${HOME}/.cache/lutris
-blacklist ${HOME}/.cache/Mendeley Ltd.
-blacklist ${HOME}/.cache/marker
-blacklist ${HOME}/.cache/matrix-mirage
-blacklist ${HOME}/.cache/microsoft-edge-dev
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/minetest
-blacklist ${HOME}/.cache/mirage
-blacklist ${HOME}/.cache/moonchild productions/basilisk
-blacklist ${HOME}/.cache/moonchild productions/pale moon
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/ms-excel-online
-blacklist ${HOME}/.cache/ms-office-online
-blacklist ${HOME}/.cache/ms-onenote-online
-blacklist ${HOME}/.cache/ms-outlook-online
-blacklist ${HOME}/.cache/ms-powerpoint-online
-blacklist ${HOME}/.cache/ms-skype-online
-blacklist ${HOME}/.cache/ms-word-online
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/nheko
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/okular
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gabmus.gfeeds
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/org.gnome.Maps
-blacklist ${HOME}/.cache/pdfmod
-blacklist ${HOME}/.cache/peek
-blacklist ${HOME}/.cache/pip
-blacklist ${HOME}/.cache/pipe-viewer
-blacklist ${HOME}/.cache/plasmashell
-blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/psi
-blacklist ${HOME}/.cache/qBittorrent
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/rhythmbox
-blacklist ${HOME}/.cache/shotwell
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/smuxi
-blacklist ${HOME}/.cache/snox
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/strawberry
-blacklist ${HOME}/.cache/straw-viewer
-blacklist ${HOME}/.cache/supertuxkart
-blacklist ${HOME}/.cache/systemsettings
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/ungoogled-chromium
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/vivaldi-snapshot
-blacklist ${HOME}/.cache/vlc
-blacklist ${HOME}/.cache/vmware
-blacklist ${HOME}/.cache/warsow-2.1
-blacklist ${HOME}/.cache/waterfox
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/winetricks
-blacklist ${HOME}/.cache/xmms2
-blacklist ${HOME}/.cache/xreader
-blacklist ${HOME}/.cache/yandex-browser
-blacklist ${HOME}/.cache/yandex-browser-beta
-blacklist ${HOME}/.cache/youtube-dl
-blacklist ${HOME}/.cache/youtube-viewer
+deny  ${HOME}/.cache/0ad
+deny  ${HOME}/.cache/8pecxstudios
+deny  ${HOME}/.cache/Authenticator
+deny  ${HOME}/.cache/BraveSoftware
+deny  ${HOME}/.cache/Clementine
+deny  ${HOME}/.cache/ENCOM/Spectral
+deny  ${HOME}/.cache/Enox
+deny  ${HOME}/.cache/Enpass
+deny  ${HOME}/.cache/Ferdi
+deny  ${HOME}/.cache/Flavio Tordini
+deny  ${HOME}/.cache/Franz
+deny  ${HOME}/.cache/INRIA
+deny  ${HOME}/.cache/INRIA/Natron
+deny  ${HOME}/.cache/KDE/neochat
+deny  ${HOME}/.cache/Mendeley Ltd.
+deny  ${HOME}/.cache/MusicBrainz
+deny  ${HOME}/.cache/NewsFlashGTK
+deny  ${HOME}/.cache/Otter
+deny  ${HOME}/.cache/PawelStolowski
+deny  ${HOME}/.cache/Psi
+deny  ${HOME}/.cache/QuiteRss
+deny  ${HOME}/.cache/Quotient/quaternion
+deny  ${HOME}/.cache/Shortwave
+deny  ${HOME}/.cache/Tox
+deny  ${HOME}/.cache/Zeal
+deny  ${HOME}/.cache/agenda
+deny  ${HOME}/.cache/akonadi*
+deny  ${HOME}/.cache/atril
+deny  ${HOME}/.cache/attic
+deny  ${HOME}/.cache/babl
+deny  ${HOME}/.cache/bnox
+deny  ${HOME}/.cache/borg
+deny  ${HOME}/.cache/calibre
+deny  ${HOME}/.cache/cantata
+deny  ${HOME}/.cache/champlain
+deny  ${HOME}/.cache/chromium
+deny  ${HOME}/.cache/chromium-dev
+deny  ${HOME}/.cache/cliqz
+deny  ${HOME}/.cache/com.github.johnfactotum.Foliate
+deny  ${HOME}/.cache/darktable
+deny  ${HOME}/.cache/deja-dup
+deny  ${HOME}/.cache/discover
+deny  ${HOME}/.cache/dnox
+deny  ${HOME}/.cache/dolphin
+deny  ${HOME}/.cache/dolphin-emu
+deny  ${HOME}/.cache/ephemeral
+deny  ${HOME}/.cache/epiphany
+deny  ${HOME}/.cache/evolution
+deny  ${HOME}/.cache/falkon
+deny  ${HOME}/.cache/feedreader
+deny  ${HOME}/.cache/firedragon
+deny  ${HOME}/.cache/flaska.net/trojita
+deny  ${HOME}/.cache/folks
+deny  ${HOME}/.cache/font-manager
+deny  ${HOME}/.cache/fossamail
+deny  ${HOME}/.cache/fractal
+deny  ${HOME}/.cache/freecol
+deny  ${HOME}/.cache/gajim
+deny  ${HOME}/.cache/geary
+deny  ${HOME}/.cache/geeqie
+deny  ${HOME}/.cache/gegl-0.4
+deny  ${HOME}/.cache/gfeeds
+deny  ${HOME}/.cache/gimp
+deny  ${HOME}/.cache/gnome-boxes
+deny  ${HOME}/.cache/gnome-builder
+deny  ${HOME}/.cache/gnome-control-center
+deny  ${HOME}/.cache/gnome-recipes
+deny  ${HOME}/.cache/gnome-screenshot
+deny  ${HOME}/.cache/gnome-software
+deny  ${HOME}/.cache/gnome-twitch
+deny  ${HOME}/.cache/godot
+deny  ${HOME}/.cache/google-chrome
+deny  ${HOME}/.cache/google-chrome-beta
+deny  ${HOME}/.cache/google-chrome-unstable
+deny  ${HOME}/.cache/gradio
+deny  ${HOME}/.cache/gummi
+deny  ${HOME}/.cache/icedove
+deny  ${HOME}/.cache/inkscape
+deny  ${HOME}/.cache/inox
+deny  ${HOME}/.cache/iridium
+deny  ${HOME}/.cache/JetBrains/CLion*
+deny  ${HOME}/.cache/kcmshell5
+deny  ${HOME}/.cache/kdenlive
+deny  ${HOME}/.cache/keepassxc
+deny  ${HOME}/.cache/kfind
+deny  ${HOME}/.cache/kinfocenter
+deny  ${HOME}/.cache/kmail2
+deny  ${HOME}/.cache/krunner
+deny  ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+deny  ${HOME}/.cache/kscreenlocker_greet
+deny  ${HOME}/.cache/ksmserver-logout-greeter
+deny  ${HOME}/.cache/ksplashqml
+deny  ${HOME}/.cache/kube
+deny  ${HOME}/.cache/kwin
+deny  ${HOME}/.cache/libgweather
+deny  ${HOME}/.cache/librewolf
+deny  ${HOME}/.cache/liferea
+deny  ${HOME}/.cache/lutris
+deny  ${HOME}/.cache/marker
+deny  ${HOME}/.cache/matrix-mirage
+deny  ${HOME}/.cache/microsoft-edge-dev
+deny  ${HOME}/.cache/midori
+deny  ${HOME}/.cache/minetest
+deny  ${HOME}/.cache/mirage
+deny  ${HOME}/.cache/moonchild productions/basilisk
+deny  ${HOME}/.cache/moonchild productions/pale moon
+deny  ${HOME}/.cache/mozilla
+deny  ${HOME}/.cache/ms-excel-online
+deny  ${HOME}/.cache/ms-office-online
+deny  ${HOME}/.cache/ms-onenote-online
+deny  ${HOME}/.cache/ms-outlook-online
+deny  ${HOME}/.cache/ms-powerpoint-online
+deny  ${HOME}/.cache/ms-skype-online
+deny  ${HOME}/.cache/ms-word-online
+deny  ${HOME}/.cache/mutt
+deny  ${HOME}/.cache/mypaint
+deny  ${HOME}/.cache/netsurf
+deny  ${HOME}/.cache/nheko
+deny  ${HOME}/.cache/okular
+deny  ${HOME}/.cache/opera
+deny  ${HOME}/.cache/opera-beta
+deny  ${HOME}/.cache/org.gabmus.gfeeds
+deny  ${HOME}/.cache/org.gnome.Books
+deny  ${HOME}/.cache/org.gnome.Maps
+deny  ${HOME}/.cache/pdfmod
+deny  ${HOME}/.cache/peek
+deny  ${HOME}/.cache/pip
+deny  ${HOME}/.cache/pipe-viewer
+deny  ${HOME}/.cache/plasmashell
+deny  ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+deny  ${HOME}/.cache/psi
+deny  ${HOME}/.cache/qBittorrent
+deny  ${HOME}/.cache/quodlibet
+deny  ${HOME}/.cache/qupzilla
+deny  ${HOME}/.cache/qutebrowser
+deny  ${HOME}/.cache/rhythmbox
+deny  ${HOME}/.cache/shotwell
+deny  ${HOME}/.cache/simple-scan
+deny  ${HOME}/.cache/slimjet
+deny  ${HOME}/.cache/smuxi
+deny  ${HOME}/.cache/snox
+deny  ${HOME}/.cache/spotify
+deny  ${HOME}/.cache/straw-viewer
+deny  ${HOME}/.cache/strawberry
+deny  ${HOME}/.cache/supertuxkart
+deny  ${HOME}/.cache/systemsettings
+deny  ${HOME}/.cache/telepathy
+deny  ${HOME}/.cache/thunderbird
+deny  ${HOME}/.cache/torbrowser
+deny  ${HOME}/.cache/transmission
+deny  ${HOME}/.cache/ungoogled-chromium
+deny  ${HOME}/.cache/vivaldi
+deny  ${HOME}/.cache/vivaldi-snapshot
+deny  ${HOME}/.cache/vlc
+deny  ${HOME}/.cache/vmware
+deny  ${HOME}/.cache/warsow-2.1
+deny  ${HOME}/.cache/waterfox
+deny  ${HOME}/.cache/wesnoth
+deny  ${HOME}/.cache/winetricks
+deny  ${HOME}/.cache/xmms2
+deny  ${HOME}/.cache/xreader
+deny  ${HOME}/.cache/yandex-browser
+deny  ${HOME}/.cache/yandex-browser-beta
+deny  ${HOME}/.cache/youtube-dl
+deny  ${HOME}/.cache/youtube-viewer
diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc
index 8274b0215..da6fb31a3 100644
--- a/etc/inc/disable-shell.inc
+++ b/etc/inc/disable-shell.inc
@@ -2,14 +2,14 @@
 # Persistent customizations should go in a .local file.
 include disable-shell.local
 
-blacklist ${PATH}/bash
-blacklist ${PATH}/csh
-blacklist ${PATH}/dash
-blacklist ${PATH}/fish
-blacklist ${PATH}/ksh
-blacklist ${PATH}/mksh
-blacklist ${PATH}/oksh
-blacklist ${PATH}/sh
-blacklist ${PATH}/tclsh
-blacklist ${PATH}/tcsh
-blacklist ${PATH}/zsh
+deny  ${PATH}/bash
+deny  ${PATH}/csh
+deny  ${PATH}/dash
+deny  ${PATH}/fish
+deny  ${PATH}/ksh
+deny  ${PATH}/mksh
+deny  ${PATH}/oksh
+deny  ${PATH}/sh
+deny  ${PATH}/tclsh
+deny  ${PATH}/tcsh
+deny  ${PATH}/zsh
diff --git a/etc/inc/disable-xdg.inc b/etc/inc/disable-xdg.inc
index 22acf272d..32aa8c7f6 100644
--- a/etc/inc/disable-xdg.inc
+++ b/etc/inc/disable-xdg.inc
@@ -2,10 +2,10 @@
 # Persistent customizations should go in a .local file.
 include disable-xdg.local
 
-blacklist ${DOCUMENTS}
-blacklist ${MUSIC}
-blacklist ${PICTURES}
-blacklist ${VIDEOS}
+deny  ${DOCUMENTS}
+deny  ${MUSIC}
+deny  ${PICTURES}
+deny  ${VIDEOS}
 
 # The following should be considered catch-all directories
 #blacklist ${DESKTOP}
diff --git a/etc/inc/whitelist-1793-workaround.inc b/etc/inc/whitelist-1793-workaround.inc
index 862837f12..06a424440 100644
--- a/etc/inc/whitelist-1793-workaround.inc
+++ b/etc/inc/whitelist-1793-workaround.inc
@@ -3,27 +3,27 @@
 include whitelist-1793-workaround.local
 # This works around bug 1793, and allows whitelisting to be used for some KDE applications.
 
-noblacklist ${HOME}/.config/ibus
-noblacklist ${HOME}/.config/mimeapps.list
-noblacklist ${HOME}/.config/pkcs11
-noblacklist ${HOME}/.config/user-dirs.dirs
-noblacklist ${HOME}/.config/user-dirs.locale
-noblacklist ${HOME}/.config/dconf
-noblacklist ${HOME}/.config/fontconfig
-noblacklist ${HOME}/.config/gtk-2.0
-noblacklist ${HOME}/.config/gtk-3.0
-noblacklist ${HOME}/.config/gtk-4.0
-noblacklist ${HOME}/.config/gtkrc
-noblacklist ${HOME}/.config/gtkrc-2.0
-noblacklist ${HOME}/.config/Kvantum
-noblacklist ${HOME}/.config/Trolltech.conf
-noblacklist ${HOME}/.config/QtProject.conf
-noblacklist ${HOME}/.config/kdeglobals
-noblacklist ${HOME}/.config/kio_httprc
-noblacklist ${HOME}/.config/kioslaverc
-noblacklist ${HOME}/.config/ksslcablacklist
-noblacklist ${HOME}/.config/qt5ct
-noblacklist ${HOME}/.config/qtcurve
+nodeny  ${HOME}/.config/ibus
+nodeny  ${HOME}/.config/mimeapps.list
+nodeny  ${HOME}/.config/pkcs11
+nodeny  ${HOME}/.config/user-dirs.dirs
+nodeny  ${HOME}/.config/user-dirs.locale
+nodeny  ${HOME}/.config/dconf
+nodeny  ${HOME}/.config/fontconfig
+nodeny  ${HOME}/.config/gtk-2.0
+nodeny  ${HOME}/.config/gtk-3.0
+nodeny  ${HOME}/.config/gtk-4.0
+nodeny  ${HOME}/.config/gtkrc
+nodeny  ${HOME}/.config/gtkrc-2.0
+nodeny  ${HOME}/.config/Kvantum
+nodeny  ${HOME}/.config/Trolltech.conf
+nodeny  ${HOME}/.config/QtProject.conf
+nodeny  ${HOME}/.config/kdeglobals
+nodeny  ${HOME}/.config/kio_httprc
+nodeny  ${HOME}/.config/kioslaverc
+nodeny  ${HOME}/.config/ksslcablacklist
+nodeny  ${HOME}/.config/qt5ct
+nodeny  ${HOME}/.config/qtcurve
 
-blacklist ${HOME}/.config/*
-whitelist ${HOME}/.config
+deny  ${HOME}/.config/*
+allow  ${HOME}/.config
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index 1d3728521..11070e372 100644
--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -4,81 +4,82 @@ include whitelist-common.local
 
 # common whitelist for all profiles
 
-whitelist ${HOME}/.XCompose
-whitelist ${HOME}/.alsaequal.bin
-whitelist ${HOME}/.asoundrc
-whitelist ${HOME}/.config/ibus
-whitelist ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.config/pkcs11
+allow  ${HOME}/.XCompose
+allow  ${HOME}/.alsaequal.bin
+allow  ${HOME}/.asoundrc
+allow  ${HOME}/.config/ibus
+allow  ${HOME}/.config/mimeapps.list
+allow  ${HOME}/.config/pkcs11
 read-only ${HOME}/.config/pkcs11
-whitelist ${HOME}/.config/user-dirs.dirs
+allow  ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.dirs
-whitelist ${HOME}/.config/user-dirs.locale
+allow  ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.config/user-dirs.locale
-whitelist ${HOME}/.drirc
-whitelist ${HOME}/.icons
+allow  ${HOME}/.drirc
+allow  ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
-whitelist ${HOME}/.local/share/applications
+allow  ${HOME}/.local/share/applications
 read-only ${HOME}/.local/share/applications
-whitelist ${HOME}/.local/share/icons
-whitelist ${HOME}/.local/share/mime
-whitelist ${HOME}/.mime.types
-whitelist ${HOME}/.uim.d
+allow  ${HOME}/.local/share/icons
+allow  ${HOME}/.local/share/mime
+allow  ${HOME}/.mime.types
+allow  ${HOME}/.sndio/cookie
+allow  ${HOME}/.uim.d
 
 # dconf
 mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
+allow  ${HOME}/.config/dconf
 
 # fonts
-whitelist ${HOME}/.cache/fontconfig
-whitelist ${HOME}/.config/fontconfig
-whitelist ${HOME}/.fontconfig
-whitelist ${HOME}/.fonts
-whitelist ${HOME}/.fonts.conf
-whitelist ${HOME}/.fonts.conf.d
-whitelist ${HOME}/.fonts.d
-whitelist ${HOME}/.local/share/fonts
-whitelist ${HOME}/.pangorc
+allow  ${HOME}/.cache/fontconfig
+allow  ${HOME}/.config/fontconfig
+allow  ${HOME}/.fontconfig
+allow  ${HOME}/.fonts
+allow  ${HOME}/.fonts.conf
+allow  ${HOME}/.fonts.conf.d
+allow  ${HOME}/.fonts.d
+allow  ${HOME}/.local/share/fonts
+allow  ${HOME}/.pangorc
 
 # gtk
-whitelist ${HOME}/.config/gtk-2.0
-whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.config/gtk-4.0
-whitelist ${HOME}/.config/gtkrc
-whitelist ${HOME}/.config/gtkrc-2.0
-whitelist ${HOME}/.gnome2
-whitelist ${HOME}/.gnome2-private
-whitelist ${HOME}/.gtk-2.0
-whitelist ${HOME}/.gtkrc
-whitelist ${HOME}/.gtkrc-2.0
-whitelist ${HOME}/.kde/share/config/gtkrc
-whitelist ${HOME}/.kde/share/config/gtkrc-2.0
-whitelist ${HOME}/.kde4/share/config/gtkrc
-whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
-whitelist ${HOME}/.local/share/themes
-whitelist ${HOME}/.themes
+allow  ${HOME}/.config/gtk-2.0
+allow  ${HOME}/.config/gtk-3.0
+allow  ${HOME}/.config/gtk-4.0
+allow  ${HOME}/.config/gtkrc
+allow  ${HOME}/.config/gtkrc-2.0
+allow  ${HOME}/.gnome2
+allow  ${HOME}/.gnome2-private
+allow  ${HOME}/.gtk-2.0
+allow  ${HOME}/.gtkrc
+allow  ${HOME}/.gtkrc-2.0
+allow  ${HOME}/.kde/share/config/gtkrc
+allow  ${HOME}/.kde/share/config/gtkrc-2.0
+allow  ${HOME}/.kde4/share/config/gtkrc
+allow  ${HOME}/.kde4/share/config/gtkrc-2.0
+allow  ${HOME}/.local/share/themes
+allow  ${HOME}/.themes
 
 # qt/kde
-whitelist ${HOME}/.cache/kioexec/krun
-whitelist ${HOME}/.config/Kvantum
-whitelist ${HOME}/.config/Trolltech.conf
-whitelist ${HOME}/.config/QtProject.conf
-whitelist ${HOME}/.config/kdeglobals
-whitelist ${HOME}/.config/kio_httprc
-whitelist ${HOME}/.config/kioslaverc
-whitelist ${HOME}/.config/ksslcablacklist
-whitelist ${HOME}/.config/qt5ct
-whitelist ${HOME}/.config/qtcurve
-whitelist ${HOME}/.kde/share/config/kdeglobals
-whitelist ${HOME}/.kde/share/config/kio_httprc
-whitelist ${HOME}/.kde/share/config/kioslaverc
-whitelist ${HOME}/.kde/share/config/ksslcablacklist
-whitelist ${HOME}/.kde/share/config/oxygenrc
-whitelist ${HOME}/.kde/share/icons
-whitelist ${HOME}/.kde4/share/config/kdeglobals
-whitelist ${HOME}/.kde4/share/config/kio_httprc
-whitelist ${HOME}/.kde4/share/config/kioslaverc
-whitelist ${HOME}/.kde4/share/config/ksslcablacklist
-whitelist ${HOME}/.kde4/share/config/oxygenrc
-whitelist ${HOME}/.kde4/share/icons
-whitelist ${HOME}/.local/share/qt5ct
+allow  ${HOME}/.cache/kioexec/krun
+allow  ${HOME}/.config/Kvantum
+allow  ${HOME}/.config/Trolltech.conf
+allow  ${HOME}/.config/QtProject.conf
+allow  ${HOME}/.config/kdeglobals
+allow  ${HOME}/.config/kio_httprc
+allow  ${HOME}/.config/kioslaverc
+allow  ${HOME}/.config/ksslcablacklist
+allow  ${HOME}/.config/qt5ct
+allow  ${HOME}/.config/qtcurve
+allow  ${HOME}/.kde/share/config/kdeglobals
+allow  ${HOME}/.kde/share/config/kio_httprc
+allow  ${HOME}/.kde/share/config/kioslaverc
+allow  ${HOME}/.kde/share/config/ksslcablacklist
+allow  ${HOME}/.kde/share/config/oxygenrc
+allow  ${HOME}/.kde/share/icons
+allow  ${HOME}/.kde4/share/config/kdeglobals
+allow  ${HOME}/.kde4/share/config/kio_httprc
+allow  ${HOME}/.kde4/share/config/kioslaverc
+allow  ${HOME}/.kde4/share/config/ksslcablacklist
+allow  ${HOME}/.kde4/share/config/oxygenrc
+allow  ${HOME}/.kde4/share/icons
+allow  ${HOME}/.local/share/qt5ct
diff --git a/etc/inc/whitelist-player-common.inc b/etc/inc/whitelist-player-common.inc
index e5bf36804..d6ae8eab6 100644
--- a/etc/inc/whitelist-player-common.inc
+++ b/etc/inc/whitelist-player-common.inc
@@ -4,8 +4,8 @@ include whitelist-player-common.local
 
 # common whitelist for all media players
 
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
+allow  ${DESKTOP}
+allow  ${DOWNLOADS}
+allow  ${MUSIC}
+allow  ${PICTURES}
+allow  ${VIDEOS}
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index 48309ffe3..86e5264b9 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -4,13 +4,13 @@ include whitelist-runuser-common.local
 
 # common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
 
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/dconf
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/ICEauthority
-whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
-whitelist ${RUNUSER}/pulse/native
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/wayland-1
-whitelist ${RUNUSER}/xauth_*
-whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
+allow  ${RUNUSER}/bus
+allow  ${RUNUSER}/dconf
+allow  ${RUNUSER}/gdm/Xauthority
+allow  ${RUNUSER}/ICEauthority
+allow  ${RUNUSER}/.mutter-Xwaylandauth.*
+allow  ${RUNUSER}/pulse/native
+allow  ${RUNUSER}/wayland-0
+allow  ${RUNUSER}/wayland-1
+allow  ${RUNUSER}/xauth_*
+allow  ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index fe0097934..64296da15 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -4,66 +4,66 @@ include whitelist-usr-share-common.local
 
 # common /usr/share whitelist for all profiles
 
-whitelist /usr/share/alsa
-whitelist /usr/share/applications
-whitelist /usr/share/ca-certificates
-whitelist /usr/share/crypto-policies
-whitelist /usr/share/cursors
-whitelist /usr/share/dconf
-whitelist /usr/share/distro-info
-whitelist /usr/share/drirc.d
-whitelist /usr/share/enchant
-whitelist /usr/share/enchant-2
-whitelist /usr/share/file
-whitelist /usr/share/fontconfig
-whitelist /usr/share/fonts
-whitelist /usr/share/fonts-config
-whitelist /usr/share/gir-1.0
-whitelist /usr/share/gjs-1.0
-whitelist /usr/share/glib-2.0
-whitelist /usr/share/glvnd
-whitelist /usr/share/gtk-2.0
-whitelist /usr/share/gtk-3.0
-whitelist /usr/share/gtk-engines
-whitelist /usr/share/gtksourceview-3.0
-whitelist /usr/share/gtksourceview-4
-whitelist /usr/share/hunspell
-whitelist /usr/share/hwdata
-whitelist /usr/share/icons
-whitelist /usr/share/icu
-whitelist /usr/share/knotifications5
-whitelist /usr/share/kservices5
-whitelist /usr/share/Kvantum
-whitelist /usr/share/kxmlgui5
-whitelist /usr/share/libdrm
-whitelist /usr/share/libthai
-whitelist /usr/share/locale
-whitelist /usr/share/mime
-whitelist /usr/share/misc
-whitelist /usr/share/Modules
-whitelist /usr/share/myspell
-whitelist /usr/share/p11-kit
-whitelist /usr/share/perl
-whitelist /usr/share/perl5
-whitelist /usr/share/pixmaps
-whitelist /usr/share/pki
-whitelist /usr/share/plasma
-whitelist /usr/share/publicsuffix
-whitelist /usr/share/qt
-whitelist /usr/share/qt4
-whitelist /usr/share/qt5
-whitelist /usr/share/qt5ct
-whitelist /usr/share/sounds
-whitelist /usr/share/tcl8.6
-whitelist /usr/share/tcltk
-whitelist /usr/share/terminfo
-whitelist /usr/share/texlive
-whitelist /usr/share/texmf
-whitelist /usr/share/themes
-whitelist /usr/share/thumbnail.so
-whitelist /usr/share/uim
-whitelist /usr/share/vulkan
-whitelist /usr/share/X11
-whitelist /usr/share/xml
-whitelist /usr/share/zenity
-whitelist /usr/share/zoneinfo
+allow  /usr/share/alsa
+allow  /usr/share/applications
+allow  /usr/share/ca-certificates
+allow  /usr/share/crypto-policies
+allow  /usr/share/cursors
+allow  /usr/share/dconf
+allow  /usr/share/distro-info
+allow  /usr/share/drirc.d
+allow  /usr/share/enchant
+allow  /usr/share/enchant-2
+allow  /usr/share/file
+allow  /usr/share/fontconfig
+allow  /usr/share/fonts
+allow  /usr/share/fonts-config
+allow  /usr/share/gir-1.0
+allow  /usr/share/gjs-1.0
+allow  /usr/share/glib-2.0
+allow  /usr/share/glvnd
+allow  /usr/share/gtk-2.0
+allow  /usr/share/gtk-3.0
+allow  /usr/share/gtk-engines
+allow  /usr/share/gtksourceview-3.0
+allow  /usr/share/gtksourceview-4
+allow  /usr/share/hunspell
+allow  /usr/share/hwdata
+allow  /usr/share/icons
+allow  /usr/share/icu
+allow  /usr/share/knotifications5
+allow  /usr/share/kservices5
+allow  /usr/share/Kvantum
+allow  /usr/share/kxmlgui5
+allow  /usr/share/libdrm
+allow  /usr/share/libthai
+allow  /usr/share/locale
+allow  /usr/share/mime
+allow  /usr/share/misc
+allow  /usr/share/Modules
+allow  /usr/share/myspell
+allow  /usr/share/p11-kit
+allow  /usr/share/perl
+allow  /usr/share/perl5
+allow  /usr/share/pixmaps
+allow  /usr/share/pki
+allow  /usr/share/plasma
+allow  /usr/share/publicsuffix
+allow  /usr/share/qt
+allow  /usr/share/qt4
+allow  /usr/share/qt5
+allow  /usr/share/qt5ct
+allow  /usr/share/sounds
+allow  /usr/share/tcl8.6
+allow  /usr/share/tcltk
+allow  /usr/share/terminfo
+allow  /usr/share/texlive
+allow  /usr/share/texmf
+allow  /usr/share/themes
+allow  /usr/share/thumbnail.so
+allow  /usr/share/uim
+allow  /usr/share/vulkan
+allow  /usr/share/X11
+allow  /usr/share/xml
+allow  /usr/share/zenity
+allow  /usr/share/zoneinfo
diff --git a/etc/inc/whitelist-var-common.inc b/etc/inc/whitelist-var-common.inc
index d8ba84ad0..c449e8905 100644
--- a/etc/inc/whitelist-var-common.inc
+++ b/etc/inc/whitelist-var-common.inc
@@ -4,12 +4,12 @@ include whitelist-var-common.local
 
 # common /var whitelist for all profiles
 
-whitelist /var/lib/aspell
-whitelist /var/lib/ca-certificates
-whitelist /var/lib/dbus
-whitelist /var/lib/menu-xdg
-whitelist /var/lib/uim
-whitelist /var/cache/fontconfig
-whitelist /var/tmp
-whitelist /var/run
-whitelist /var/lock
+allow  /var/lib/aspell
+allow  /var/lib/ca-certificates
+allow  /var/lib/dbus
+allow  /var/lib/menu-xdg
+allow  /var/lib/uim
+allow  /var/cache/fontconfig
+allow  /var/tmp
+allow  /var/run
+allow  /var/lock
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 454a15ab2..6f493fff1 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -6,9 +6,11 @@ include 0ad.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/0ad
-noblacklist ${HOME}/.config/0ad
-noblacklist ${HOME}/.local/share/0ad
+nodeny  ${HOME}/.cache/0ad
+nodeny  ${HOME}/.config/0ad
+nodeny  ${HOME}/.local/share/0ad
+
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,11 +23,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
 mkdir ${HOME}/.local/share/0ad
-whitelist ${HOME}/.cache/0ad
-whitelist ${HOME}/.config/0ad
-whitelist ${HOME}/.local/share/0ad
-whitelist /usr/share/0ad
-whitelist /usr/share/games
+allow  ${HOME}/.cache/0ad
+allow  ${HOME}/.config/0ad
+allow  ${HOME}/.local/share/0ad
+allow  /usr/share/0ad
+allow  /usr/share/games
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
index 1d787cba7..3a7b331a7 100644
--- a/etc/profile-a-l/2048-qt.profile
+++ b/etc/profile-a-l/2048-qt.profile
@@ -6,8 +6,8 @@ include 2048-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/2048-qt
-noblacklist ${HOME}/.config/xiaoyong
+nodeny  ${HOME}/.config/2048-qt
+nodeny  ${HOME}/.config/xiaoyong
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/2048-qt
 mkdir ${HOME}/.config/xiaoyong
-whitelist ${HOME}/.config/2048-qt
-whitelist ${HOME}/.config/xiaoyong
+allow  ${HOME}/.config/2048-qt
+allow  ${HOME}/.config/xiaoyong
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
index 1d86b0fbf..def0ec111 100644
--- a/etc/profile-a-l/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
@@ -5,7 +5,7 @@ include Cryptocat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Cryptocat
+nodeny  ${HOME}/.config/Cryptocat
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/Discord.profile b/etc/profile-a-l/Discord.profile
index 3f274b21c..1d3ae49ca 100644
--- a/etc/profile-a-l/Discord.profile
+++ b/etc/profile-a-l/Discord.profile
@@ -5,10 +5,10 @@ include Discord.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/discord
+nodeny  ${HOME}/.config/discord
 
 mkdir ${HOME}/.config/discord
-whitelist ${HOME}/.config/discord
+allow  ${HOME}/.config/discord
 
 private-bin Discord
 private-opt Discord
diff --git a/etc/profile-a-l/DiscordCanary.profile b/etc/profile-a-l/DiscordCanary.profile
index d24e73ed8..3c85f187b 100644
--- a/etc/profile-a-l/DiscordCanary.profile
+++ b/etc/profile-a-l/DiscordCanary.profile
@@ -5,10 +5,10 @@ include DiscordCanary.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/discordcanary
+nodeny  ${HOME}/.config/discordcanary
 
 mkdir ${HOME}/.config/discordcanary
-whitelist ${HOME}/.config/discordcanary
+allow  ${HOME}/.config/discordcanary
 
 private-bin DiscordCanary
 private-opt DiscordCanary
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
index 7dc6b5ff0..8f746581f 100644
--- a/etc/profile-a-l/Fritzing.profile
+++ b/etc/profile-a-l/Fritzing.profile
@@ -6,8 +6,8 @@ include Fritzing.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Fritzing
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/Fritzing
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
index d10b70796..9a00c3230 100644
--- a/etc/profile-a-l/JDownloader.profile
+++ b/etc/profile-a-l/JDownloader.profile
@@ -5,7 +5,7 @@ include JDownloader.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.jd
+nodeny  ${HOME}/.jd
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -19,8 +19,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.jd
-whitelist ${HOME}/.jd
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.jd
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index 75da9a956..2a92c7db4 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -6,7 +6,7 @@ include abiword.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/abiword
+nodeny  ${HOME}/.config/abiword
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
-whitelist /usr/share/abiword-3.0
+allow  /usr/share/abiword-3.0
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 2e6e8f1af..70ddcec20 100644
--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@@ -5,13 +5,13 @@ include abrowser.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/mozilla
+nodeny  ${HOME}/.mozilla
 
 mkdir ${HOME}/.cache/mozilla/abrowser
 mkdir ${HOME}/.mozilla
-whitelist ${HOME}/.cache/mozilla/abrowser
-whitelist ${HOME}/.mozilla
+allow  ${HOME}/.cache/mozilla/abrowser
+allow  ${HOME}/.mozilla
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc abrowser
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index 34f59769e..d32586c5b 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -7,8 +7,8 @@ include agetpkg.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -23,7 +23,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 37fdb38b5..7b1d1445f 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -4,22 +4,22 @@ include akonadi_control.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/akonadi*
-noblacklist ${HOME}/.config/akonadi*
-noblacklist ${HOME}/.config/baloorc
-noblacklist ${HOME}/.config/emaildefaults
-noblacklist ${HOME}/.config/emailidentities
-noblacklist ${HOME}/.config/kmail2rc
-noblacklist ${HOME}/.config/mailtransports
-noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.local/share/akonadi*
-noblacklist ${HOME}/.local/share/apps/korganizer
-noblacklist ${HOME}/.local/share/contacts
-noblacklist ${HOME}/.local/share/local-mail
-noblacklist ${HOME}/.local/share/notes
-noblacklist /sbin
-noblacklist /tmp/akonadi-*
-noblacklist /usr/sbin
+nodeny  ${HOME}/.cache/akonadi*
+nodeny  ${HOME}/.config/akonadi*
+nodeny  ${HOME}/.config/baloorc
+nodeny  ${HOME}/.config/emaildefaults
+nodeny  ${HOME}/.config/emailidentities
+nodeny  ${HOME}/.config/kmail2rc
+nodeny  ${HOME}/.config/mailtransports
+nodeny  ${HOME}/.config/specialmailcollectionsrc
+nodeny  ${HOME}/.local/share/akonadi*
+nodeny  ${HOME}/.local/share/apps/korganizer
+nodeny  ${HOME}/.local/share/contacts
+nodeny  ${HOME}/.local/share/local-mail
+nodeny  ${HOME}/.local/share/notes
+nodeny  /sbin
+nodeny  /tmp/akonadi-*
+nodeny  /usr/sbin
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index 38fcd2dc1..b2323547c 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -6,9 +6,9 @@ include akregator.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/akregatorrc
-noblacklist ${HOME}/.local/share/akregator
-noblacklist ${HOME}/.local/share/kxmlgui5/akregator
+nodeny  ${HOME}/.config/akregatorrc
+nodeny  ${HOME}/.local/share/akregator
+nodeny  ${HOME}/.local/share/kxmlgui5/akregator
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,10 +21,10 @@ include disable-shell.inc
 mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
 mkdir ${HOME}/.local/share/kxmlgui5/akregator
-whitelist ${HOME}/.config/akregatorrc
-whitelist ${HOME}/.local/share/akregator
-whitelist ${HOME}/.local/share/kssl
-whitelist ${HOME}/.local/share/kxmlgui5/akregator
+allow  ${HOME}/.config/akregatorrc
+allow  ${HOME}/.local/share/akregator
+allow  ${HOME}/.local/share/kssl
+allow  ${HOME}/.local/share/kxmlgui5/akregator
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 4c6d68020..ca6c8d887 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -19,13 +19,13 @@ include disable-passwdmgr.inc
 include disable-xdg.inc
 
 # Whitelist your system icon directory,varies by distro
-whitelist /usr/share/alacarte
-whitelist /usr/share/app-info
-whitelist /usr/share/desktop-directories
-whitelist /usr/share/icons
-whitelist /var/lib/app-info/icons
-whitelist /var/lib/flatpak/exports/share/applications
-whitelist /var/lib/flatpak/exports/share/icons
+allow  /usr/share/alacarte
+allow  /usr/share/app-info
+allow  /usr/share/desktop-directories
+allow  /usr/share/icons
+allow  /var/lib/app-info/icons
+allow  /var/lib/flatpak/exports/share/applications
+allow  /var/lib/flatpak/exports/share/icons
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 81ee6bd46..220c3345d 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -6,7 +6,7 @@ include alienarena.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/cor-games
+nodeny  ${HOME}/.local/share/cor-games
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/cor-games
-whitelist ${HOME}/.local/share/cor-games
-whitelist /usr/share/alienarena
+allow  ${HOME}/.local/share/cor-games
+allow  /usr/share/alienarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
new file mode 100644
index 000000000..6fa3edfa1
--- /dev/null
+++ b/etc/profile-a-l/alpine.profile
@@ -0,0 +1,104 @@
+# Firejail profile for alpine
+# Description: Text-based email and newsgroups reader
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpine.local
+# Persistent global definitions
+include globals.local
+
+# Workaround for bug https://github.com/netblue30/firejail/issues/2747
+# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
+
+nodeny  /var/mail
+nodeny  /var/spool/mail
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.addressbook
+nodeny  ${HOME}/.alpine-smime
+nodeny  ${HOME}/.mailcap
+nodeny  ${HOME}/.mh_profile
+nodeny  ${HOME}/.mime.types
+nodeny  ${HOME}/.newsrc
+nodeny  ${HOME}/.pine-crash
+nodeny  ${HOME}/.pine-debug1
+nodeny  ${HOME}/.pine-debug2
+nodeny  ${HOME}/.pine-debug3
+nodeny  ${HOME}/.pine-debug4
+nodeny  ${HOME}/.pine-interrupted-mail
+nodeny  ${HOME}/.pinerc
+nodeny  ${HOME}/.pinercex
+nodeny  ${HOME}/.signature
+nodeny  ${HOME}/mail
+
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#whitelist ${DOCUMENTS}
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.addressbook
+#whitelist ${HOME}/.alpine-smime
+#whitelist ${HOME}/.mailcap
+#whitelist ${HOME}/.mh_profile
+#whitelist ${HOME}/.mime.types
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.pine-crash
+#whitelist ${HOME}/.pine-interrupted-mail
+#whitelist ${HOME}/.pinerc
+#whitelist ${HOME}/.pinercex
+#whitelist ${HOME}/.pine-debug1
+#whitelist ${HOME}/.pine-debug2
+#whitelist ${HOME}/.pine-debug3
+#whitelist ${HOME}/.pine-debug4
+#whitelist ${HOME}/.signature
+#whitelist ${HOME}/mail
+allow  /var/mail
+allow  /var/spool/mail
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alpine
+private-cache
+private-dev
+private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}/.signature
diff --git a/etc/profile-a-l/alpinef.profile b/etc/profile-a-l/alpinef.profile
new file mode 100644
index 000000000..97b97fe5f
--- /dev/null
+++ b/etc/profile-a-l/alpinef.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alpinef
+# Description: Text-based email and newsgroups reader using function keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpinef.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin alpinef
+
+# Redirect
+include alpine.profile
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index a7caddc4c..03aba36e4 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -6,7 +6,7 @@ include amarok.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index e3c4164ee..00039a7e9 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -6,7 +6,7 @@ include amule.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.aMule
+nodeny  ${HOME}/.aMule
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.aMule
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.aMule
+allow  ${DOWNLOADS}
+allow  ${HOME}/.aMule
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index 5a21744cf..5bf6ed773 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -5,13 +5,13 @@ include android-studio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Google
-noblacklist ${HOME}/.AndroidStudio*
-noblacklist ${HOME}/.android
-noblacklist ${HOME}/.jack-server
-noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.config/Google
+nodeny  ${HOME}/.AndroidStudio*
+nodeny  ${HOME}/.android
+nodeny  ${HOME}/.jack-server
+nodeny  ${HOME}/.jack-settings
+nodeny  ${HOME}/.local/share/JetBrains
+nodeny  ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index ef60e91c2..c1aa18ff3 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -6,8 +6,8 @@ include anki.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.local/share/Anki2
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.local/share/Anki2
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -23,8 +23,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/Anki2
-whitelist ${DOCUMENTS}
-whitelist ${HOME}/.local/share/Anki2
+allow  ${DOCUMENTS}
+allow  ${HOME}/.local/share/Anki2
 include whitelist-common.inc
 include whitelist-var-common.inc
 
@@ -46,7 +46,6 @@ protocol unix,inet,inet6
 # QtWebengine needs chroot to set up its own sandbox
 seccomp !chroot
 shell none
-tracelog
 
 disable-mnt
 private-bin anki,python*
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile
index fdaf10259..cb30ed8da 100644
--- a/etc/profile-a-l/anydesk.profile
+++ b/etc/profile-a-l/anydesk.profile
@@ -5,7 +5,7 @@ include anydesk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.anydesk
+nodeny  ${HOME}/.anydesk
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.anydesk
-whitelist ${HOME}/.anydesk
+allow  ${HOME}/.anydesk
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
index e7b09283e..d647a4657 100644
--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -5,13 +5,13 @@ include aosp.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.android
-noblacklist ${HOME}/.bash_history
-noblacklist ${HOME}/.jack-server
-noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.repo_.gitconfig.json
-noblacklist ${HOME}/.repoconfig
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.android
+nodeny  ${HOME}/.bash_history
+nodeny  ${HOME}/.jack-server
+nodeny  ${HOME}/.jack-settings
+nodeny  ${HOME}/.repo_.gitconfig.json
+nodeny  ${HOME}/.repoconfig
+nodeny  ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index 54abdb234..020ae2812 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -6,9 +6,9 @@ include apostrophe.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.texlive20*
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.texlive20*
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -31,11 +31,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/apostrophe
-whitelist /usr/share/texlive
-whitelist /usr/share/texmf
-whitelist /usr/share/pandoc-*
-whitelist /usr/share/perl5
+allow  /usr/libexec/webkit2gtk-4.0
+allow  /usr/share/apostrophe
+allow  /usr/share/texlive
+allow  /usr/share/texmf
+allow  /usr/share/pandoc-*
+allow  /usr/share/perl5
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
index accabb6f5..8c71dd574 100644
--- a/etc/profile-a-l/arch-audit.profile
+++ b/etc/profile-a-l/arch-audit.profile
@@ -7,7 +7,7 @@ include arch-audit.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/arch-audit
+allow  /usr/share/arch-audit
 include whitelist-usr-share-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
index 19c37f90e..0915ede33 100644
--- a/etc/profile-a-l/archaudit-report.profile
+++ b/etc/profile-a-l/archaudit-report.profile
@@ -6,7 +6,7 @@ include archaudit-report.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index 1fab4606b..5b859ceb1 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -4,7 +4,7 @@ include archiver-common.local
 
 # common profile for archiver/compression tools
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 # Comment/uncomment the relevant include file(s) in your archiver-common.local
 # to (un)restrict file access for **all** archivers. Another option is to do this **per archiver**
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile
index 84b1d6c18..960948afc 100644
--- a/etc/profile-a-l/ardour5.profile
+++ b/etc/profile-a-l/ardour5.profile
@@ -5,12 +5,12 @@ include ardour5.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ardour4
-noblacklist ${HOME}/.config/ardour5
-noblacklist ${HOME}/.lv2
-noblacklist ${HOME}/.vst
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/ardour4
+nodeny  ${HOME}/.config/ardour5
+nodeny  ${HOME}/.lv2
+nodeny  ${HOME}/.vst
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index fd1ca9a09..88f14fbfe 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -6,9 +6,9 @@ include arduino.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.arduino15
-noblacklist ${HOME}/Arduino
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.arduino15
+nodeny  ${HOME}/Arduino
+nodeny  ${DOCUMENTS}
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 22b8ecd65..be56011f0 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -6,12 +6,12 @@ include aria2c.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.aria2
-noblacklist ${HOME}/.config/aria2
-noblacklist ${HOME}/.netrc
+nodeny  ${HOME}/.aria2
+nodeny  ${HOME}/.config/aria2
+nodeny  ${HOME}/.netrc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index a63dd8f5f..031c57080 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -6,8 +6,8 @@ include ark.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/arkrc
-noblacklist ${HOME}/.local/share/kxmlgui5/ark
+nodeny  ${HOME}/.config/arkrc
+nodeny  ${HOME}/.local/share/kxmlgui5/ark
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/ark
+allow  /usr/share/ark
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 2c8b630ce..9ed8076be 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -6,7 +6,7 @@ include arm.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.arm
+nodeny  ${HOME}/.arm
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,7 +20,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.arm
-whitelist ${HOME}/.arm
+allow  ${HOME}/.arm
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index fab72b7d3..7cfac4915 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -6,12 +6,12 @@ include artha.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/artha.conf
-noblacklist ${HOME}/.config/artha.log
-noblacklist ${HOME}/.config/enchant
+nodeny  ${HOME}/.config/artha.conf
+nodeny  ${HOME}/.config/artha.log
+nodeny  ${HOME}/.config/enchant
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -28,8 +28,8 @@ include disable-xdg.inc
 #whitelist ${HOME}/.config/artha.conf
 #whitelist ${HOME}/.config/artha.log
 #whitelist ${HOME}/.config/enchant
-whitelist /usr/share/artha
-whitelist /usr/share/wordnet
+allow  /usr/share/artha
+allow  /usr/share/wordnet
 #include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
index 977fe30a4..f2251c210 100644
--- a/etc/profile-a-l/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -6,7 +6,7 @@ include assogiate.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${PICTURES}
+allow  ${PICTURES}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index c97fd691a..e65072266 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -6,11 +6,11 @@ include asunder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/asunder
-noblacklist ${HOME}/.asunder_album_genre
-noblacklist ${HOME}/.asunder_album_title
-noblacklist ${HOME}/.asunder_album_artist
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/asunder
+nodeny  ${HOME}/.asunder_album_genre
+nodeny  ${HOME}/.asunder_album_title
+nodeny  ${HOME}/.asunder_album_artist
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/atom.profile b/etc/profile-a-l/atom.profile
index 5f237ac59..ea3038537 100644
--- a/etc/profile-a-l/atom.profile
+++ b/etc/profile-a-l/atom.profile
@@ -18,8 +18,8 @@ ignore include whitelist-var-common.inc
 ignore apparmor
 ignore disable-mnt
 
-noblacklist ${HOME}/.atom
-noblacklist ${HOME}/.config/Atom
+nodeny  ${HOME}/.atom
+nodeny  ${HOME}/.config/Atom
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index 1c3ed66ff..8ae8617cf 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -6,9 +6,9 @@ include atril.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/atril
-noblacklist ${HOME}/.config/atril
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/atril
+nodeny  ${HOME}/.config/atril
+nodeny  ${DOCUMENTS}
 
 #noblacklist ${HOME}/.local/share
 # it seems to use only ${HOME}/.local/share/webkitgtk
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index f9f209786..53baf0a2a 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -6,9 +6,9 @@ include audacious.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Audaciousrc
-noblacklist ${HOME}/.config/audacious
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/Audaciousrc
+nodeny  ${HOME}/.config/audacious
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index a2de8436a..c244846e1 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -6,9 +6,9 @@ include audacity.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.audacity-data
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.audacity-data
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index 2c7fdc812..534792cc6 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -7,7 +7,7 @@ include audio-recorder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,10 +17,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${MUSIC}
-whitelist ${DOWNLOADS}
-whitelist /usr/share/audio-recorder
-whitelist /usr/share/gstreamer-1.0
+allow  ${MUSIC}
+allow  ${DOWNLOADS}
+allow  /usr/share/audio-recorder
+allow  /usr/share/gstreamer-1.0
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 2ebe35dd5..0d6eb6a21 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -6,7 +6,7 @@ include authenticator-rs.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/authenticator-rs
+nodeny  ${HOME}/.local/share/authenticator-rs
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/authenticator-rs
-whitelist ${HOME}/.local/share/authenticator-rs
-whitelist ${DOWNLOADS}
-whitelist /usr/share/uk.co.grumlimited.authenticator-rs
+allow  ${HOME}/.local/share/authenticator-rs
+allow  ${DOWNLOADS}
+allow  /usr/share/uk.co.grumlimited.authenticator-rs
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 42d9cd56a..55d967e3e 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -6,8 +6,8 @@ include authenticator.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Authenticator
-noblacklist ${HOME}/.config/Authenticator
+nodeny  ${HOME}/.cache/Authenticator
+nodeny  ${HOME}/.config/Authenticator
 
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index 891928e5a..a5b3b22f6 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -7,8 +7,8 @@ include autokey-common.local
 # added by caller profile
 #include globals.local
 
-noblacklist ${HOME}/.config/autokey
-noblacklist ${HOME}/.local/share/autokey
+nodeny  ${HOME}/.config/autokey
+nodeny  ${HOME}/.local/share/autokey
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
index 1ecc03da1..0feb05d75 100644
--- a/etc/profile-a-l/avidemux.profile
+++ b/etc/profile-a-l/avidemux.profile
@@ -5,9 +5,9 @@ include avidemux.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.avidemux6
-noblacklist ${HOME}/.config/avidemux3_qt5rc
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.avidemux6
+nodeny  ${HOME}/.config/avidemux3_qt5rc
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.avidemux6
 mkdir ${HOME}/.config/avidemux3_qt5rc
-whitelist ${HOME}/.avidemux6
-whitelist ${HOME}/.config/avidemux3_qt5rc
-whitelist ${VIDEOS}
+allow  ${HOME}/.avidemux6
+allow  ${HOME}/.config/avidemux3_qt5rc
+allow  ${VIDEOS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
index a57ad4014..abe9fdb24 100644
--- a/etc/profile-a-l/aweather.profile
+++ b/etc/profile-a-l/aweather.profile
@@ -6,7 +6,7 @@ include aweather.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/aweather
+nodeny  ${HOME}/.config/aweather
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/aweather
-whitelist ${HOME}/.config/aweather
+allow  ${HOME}/.config/aweather
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index 5d1bf5071..58f4f5e96 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -7,7 +7,7 @@ include awesome.local
 include globals.local
 
 # all applications started in awesome will run in this profile
-noblacklist ${HOME}/.config/awesome
+nodeny  ${HOME}/.config/awesome
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
index 3952921a3..46bb0b44e 100644
--- a/etc/profile-a-l/ballbuster.profile
+++ b/etc/profile-a-l/ballbuster.profile
@@ -6,7 +6,7 @@ include ballbuster.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ballbuster.hs
+nodeny  ${HOME}/.ballbuster.hs
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.ballbuster.hs
-whitelist ${HOME}/.ballbuster.hs
-whitelist /usr/share/ballbuster
+allow  ${HOME}/.ballbuster.hs
+allow  /usr/share/ballbuster
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index fe86d9b80..2b10883f7 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -12,12 +12,12 @@ include globals.local
 # read-write ${HOME}/.local/share/baloo
 # ignore read-write
 
-noblacklist ${HOME}/.config/baloofilerc
-noblacklist ${HOME}/.kde/share/config/baloofilerc
-noblacklist ${HOME}/.kde/share/config/baloorc
-noblacklist ${HOME}/.kde4/share/config/baloofilerc
-noblacklist ${HOME}/.kde4/share/config/baloorc
-noblacklist ${HOME}/.local/share/baloo
+nodeny  ${HOME}/.config/baloofilerc
+nodeny  ${HOME}/.kde/share/config/baloofilerc
+nodeny  ${HOME}/.kde/share/config/baloorc
+nodeny  ${HOME}/.kde4/share/config/baloofilerc
+nodeny  ${HOME}/.kde4/share/config/baloorc
+nodeny  ${HOME}/.local/share/baloo
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 8c69652c5..1e74443aa 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -6,13 +6,13 @@ include balsa.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.balsa
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.signature
-noblacklist ${HOME}/mail
-noblacklist /var/mail
-noblacklist /var/spool/mail
+nodeny  ${HOME}/.balsa
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.mozilla
+nodeny  ${HOME}/.signature
+nodeny  ${HOME}/mail
+nodeny  /var/mail
+nodeny  /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -27,17 +27,17 @@ mkdir ${HOME}/.balsa
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.signature
 mkdir ${HOME}/mail
-whitelist ${HOME}/.balsa
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.signature
-whitelist ${HOME}/mail
-whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/balsa
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /var/mail
-whitelist /var/spool/mail
+allow  ${HOME}/.balsa
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.mozilla/firefox/profiles.ini
+allow  ${HOME}/.signature
+allow  ${HOME}/mail
+allow  ${RUNUSER}/gnupg
+allow  /usr/share/balsa
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
+allow  /var/mail
+allow  /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
index 7b50e9199..fcea9b3ba 100644
--- a/etc/profile-a-l/barrier.profile
+++ b/etc/profile-a-l/barrier.profile
@@ -6,9 +6,9 @@ include barrier.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Debauchee/Barrier.conf
-noblacklist ${HOME}/.local/share/barrier
-noblacklist ${PATH}/openssl
+nodeny  ${HOME}/.config/Debauchee/Barrier.conf
+nodeny  ${HOME}/.local/share/barrier
+nodeny  ${PATH}/openssl
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 8dc3847a0..547c67fc8 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -5,13 +5,13 @@ include basilisk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/moonchild productions/basilisk
-noblacklist ${HOME}/.moonchild productions/basilisk
+nodeny  ${HOME}/.cache/moonchild productions/basilisk
+nodeny  ${HOME}/.moonchild productions/basilisk
 
 mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
-whitelist ${HOME}/.cache/moonchild productions/basilisk
-whitelist ${HOME}/.moonchild productions
+allow  ${HOME}/.cache/moonchild productions/basilisk
+allow  ${HOME}/.moonchild productions
 
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index 3ecaea7fe..a1d2b1e73 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -7,10 +7,10 @@ include bcompare.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/bcompare
+nodeny  ${HOME}/.config/bcompare
 # In case the user decides to include disable-programs.inc, still allow
 # KDE's Gwenview to view images via right click -> Open With -> Associated Application
-noblacklist ${HOME}/.config/gwenviewrc
+nodeny  ${HOME}/.config/gwenviewrc
 
 # Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
diff --git a/etc/profile-a-l/beaker.profile b/etc/profile-a-l/beaker.profile
index f3a9568bd..588f460a8 100644
--- a/etc/profile-a-l/beaker.profile
+++ b/etc/profile-a-l/beaker.profile
@@ -19,10 +19,10 @@ ignore private-cache
 ignore private-dev
 ignore private-tmp
 
-noblacklist ${HOME}/.config/Beaker Browser
+nodeny  ${HOME}/.config/Beaker Browser
 
 mkdir ${HOME}/.config/Beaker Browser
-whitelist ${HOME}/.config/Beaker Browser
+allow  ${HOME}/.config/Beaker Browser
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index c7a82afbd..717d7258d 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -6,11 +6,11 @@ include bibletime.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.bibletime
-noblacklist ${HOME}/.sword
-noblacklist ${HOME}/.local/share/bibletime
+nodeny  ${HOME}/.bibletime
+nodeny  ${HOME}/.sword
+nodeny  ${HOME}/.local/share/bibletime
 
-blacklist ${HOME}/.bashrc
+deny  ${HOME}/.bashrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,12 +22,12 @@ include disable-programs.inc
 mkdir ${HOME}/.bibletime
 mkdir ${HOME}/.sword
 mkdir ${HOME}/.local/share/bibletime
-whitelist ${HOME}/.bibletime
-whitelist ${HOME}/.sword
-whitelist ${HOME}/.local/share/bibletime
-whitelist /usr/share/bibletime
-whitelist /usr/share/doc/bibletime
-whitelist /usr/share/sword
+allow  ${HOME}/.bibletime
+allow  ${HOME}/.sword
+allow  ${HOME}/.local/share/bibletime
+allow  /usr/share/bibletime
+allow  /usr/share/doc/bibletime
+allow  /usr/share/sword
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 721a6c082..b02fcc3e0 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -6,7 +6,7 @@ include bijiben.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/bijiben
+nodeny  ${HOME}/.local/share/bijiben
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,11 +18,12 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/bijiben
-whitelist ${HOME}/.local/share/bijiben
-whitelist ${HOME}/.cache/tracker
-whitelist /usr/share/bijiben
-whitelist /usr/share/tracker
-whitelist /usr/share/tracker3
+allow  ${HOME}/.local/share/bijiben
+allow  ${HOME}/.cache/tracker
+allow  /usr/libexec/webkit2gtk-4.0
+allow  /usr/share/bijiben
+allow  /usr/share/tracker
+allow  /usr/share/tracker3
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
index 932db9b73..c4ec0f820 100644
--- a/etc/profile-a-l/bitcoin-qt.profile
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -6,8 +6,8 @@ include bitcoin-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.bitcoin
-noblacklist ${HOME}/.config/Bitcoin
+nodeny  ${HOME}/.bitcoin
+nodeny  ${HOME}/.config/Bitcoin
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 
 mkdir ${HOME}/.bitcoin
 mkdir ${HOME}/.config/Bitcoin
-whitelist ${HOME}/.bitcoin
-whitelist ${HOME}/.config/Bitcoin
+allow  ${HOME}/.bitcoin
+allow  ${HOME}/.config/Bitcoin
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index dd7651979..0f000b26b 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -8,8 +8,8 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 # noblacklist /var/log
 
 include disable-common.inc
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index bef25276d..4b292d72a 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -6,54 +6,25 @@ include bitwarden.local
 # Persistent global definitions
 include globals.local
 
+# Disabled until someone reported positive feedback
+ignore include whitelist-usr-share-common.inc
+
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Bitwarden
+nodeny  ${HOME}/.config/Bitwarden
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-shell.inc
-include disable-xdg.inc
 
 mkdir ${HOME}/.config/Bitwarden
-whitelist ${HOME}/.config/Bitwarden
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-var-common.inc
+allow  ${HOME}/.config/Bitwarden
 
-apparmor
-caps.drop all
 machine-id
-netfilter
 no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
 nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-shell none
-#tracelog - breaks on Arch
-
-private-bin bitwarden
-private-cache
+
 ?HAS_APPIMAGE: ignore private-dev
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
 private-opt Bitwarden
-private-tmp
-
-# breaks appindicator (tray) functionality
-# dbus-user none
-# dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
+# Redirect
+include electron.profile
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
index 233f9a96f..616ad6801 100644
--- a/etc/profile-a-l/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
@@ -7,7 +7,7 @@ include blackbox.local
 include globals.local
 
 # all applications started in blackbox will run in this profile
-noblacklist ${HOME}/.blackbox
+nodeny  ${HOME}/.blackbox
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
index 701ae431e..8d0b5616f 100644
--- a/etc/profile-a-l/blender.profile
+++ b/etc/profile-a-l/blender.profile
@@ -6,7 +6,7 @@ include blender.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/blender
+nodeny  ${HOME}/.config/blender
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,8 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 # Allow usage of AMD GPU by OpenCL
-noblacklist /sys/module
-whitelist /sys/module/amdgpu
+nodeny  /sys/module
+allow  /sys/module/amdgpu
 read-only /sys/module/amdgpu
 
 caps.drop all
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 80dc750f7..ca5f96eee 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -6,7 +6,7 @@ include bless.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/bless
+nodeny  ${HOME}/.config/bless
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
new file mode 100644
index 000000000..ee2a73b54
--- /dev/null
+++ b/etc/profile-a-l/blobby.profile
@@ -0,0 +1,52 @@
+# Firejail profile for blobby
+# Persistent local customizations
+include blobby.local
+# Persistent global definitions
+include globals.local
+
+nodeny  ${HOME}/.blobby
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.blobby
+allow  ${HOME}/.blobby
+include whitelist-common.inc
+allow  /usr/share/blobby
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin blobby
+private-dev
+private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 904710cb5..e0be5261e 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -6,7 +6,7 @@ include blobwars.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.parallelrealities/blobwars
+nodeny  ${HOME}/.parallelrealities/blobwars
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.parallelrealities/blobwars
-whitelist ${HOME}/.parallelrealities/blobwars
-whitelist /usr/share/blobwars
+allow  ${HOME}/.parallelrealities/blobwars
+allow  /usr/share/blobwars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
index 6e8f0d7d1..dcfd5d8d2 100644
--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/bnox
-noblacklist ${HOME}/.config/bnox
+nodeny  ${HOME}/.cache/bnox
+nodeny  ${HOME}/.config/bnox
 
 mkdir ${HOME}/.cache/bnox
 mkdir ${HOME}/.config/bnox
-whitelist ${HOME}/.cache/bnox
-whitelist ${HOME}/.config/bnox
+allow  ${HOME}/.cache/bnox
+allow  ${HOME}/.config/bnox
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index 0cbac049a..a14bb8fef 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -5,7 +5,7 @@ include brackets.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Brackets
+nodeny  ${HOME}/.config/Brackets
 #noblacklist /opt/brackets
 #noblacklist /opt/google
 
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
index 417a6b3e0..a78882409 100644
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -6,7 +6,7 @@ include brasero.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/brasero
+nodeny  ${HOME}/.config/brasero
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 09548c761..bc2d7a6a1 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -14,24 +14,24 @@ ignore noexec /tmp
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/BraveSoftware
-noblacklist ${HOME}/.config/BraveSoftware
-noblacklist ${HOME}/.config/brave
-noblacklist ${HOME}/.config/brave-flags.conf
+nodeny  ${HOME}/.cache/BraveSoftware
+nodeny  ${HOME}/.config/BraveSoftware
+nodeny  ${HOME}/.config/brave
+nodeny  ${HOME}/.config/brave-flags.conf
 # brave uses gpg for built-in password manager
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
 mkdir ${HOME}/.cache/BraveSoftware
 mkdir ${HOME}/.config/BraveSoftware
 mkdir ${HOME}/.config/brave
-whitelist ${HOME}/.cache/BraveSoftware
-whitelist ${HOME}/.config/BraveSoftware
-whitelist ${HOME}/.config/brave
-whitelist ${HOME}/.config/brave-flags.conf
-whitelist ${HOME}/.gnupg
+allow  ${HOME}/.cache/BraveSoftware
+allow  ${HOME}/.config/BraveSoftware
+allow  ${HOME}/.config/brave
+allow  ${HOME}/.config/brave-flags.conf
+allow  ${HOME}/.gnupg
 
 # Brave sandbox needs read access to /proc/config.gz
-noblacklist /proc/config.gz
+nodeny  /proc/config.gz
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile
index bda96bbb3..62ca041c2 100644
--- a/etc/profile-a-l/bzflag.profile
+++ b/etc/profile-a-l/bzflag.profile
@@ -6,7 +6,7 @@ include bzflag.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.bzf
+nodeny  ${HOME}/.bzf
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.bzf
-whitelist ${HOME}/.bzf
+allow  ${HOME}/.bzf
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index 83571397b..99706620c 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -6,9 +6,9 @@ include calibre.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/calibre
-noblacklist ${HOME}/.config/calibre
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/calibre
+nodeny  ${HOME}/.config/calibre
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index fcff47662..36ecc06a0 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -6,7 +6,7 @@ include calligra.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligra
+nodeny  ${HOME}/.local/share/kxmlgui5/calligra
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/calligragemini.profile b/etc/profile-a-l/calligragemini.profile
index 006c307ab..76123c96a 100644
--- a/etc/profile-a-l/calligragemini.profile
+++ b/etc/profile-a-l/calligragemini.profile
@@ -6,7 +6,7 @@ include calligragemini.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/calligragemini
+nodeny  ${HOME}/.local/share/calligragemini
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraplan.profile b/etc/profile-a-l/calligraplan.profile
index 81dbd4dcd..5fb1e16da 100644
--- a/etc/profile-a-l/calligraplan.profile
+++ b/etc/profile-a-l/calligraplan.profile
@@ -6,7 +6,7 @@ include calligraplan.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligraplan
+nodeny  ${HOME}/.local/share/kxmlgui5/calligraplan
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligraplanwork.profile b/etc/profile-a-l/calligraplanwork.profile
index bba91b66b..c176bfea1 100644
--- a/etc/profile-a-l/calligraplanwork.profile
+++ b/etc/profile-a-l/calligraplanwork.profile
@@ -6,7 +6,7 @@ include calligraplanwork.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligraplanwork
+nodeny  ${HOME}/.local/share/kxmlgui5/calligraplanwork
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligrasheets.profile b/etc/profile-a-l/calligrasheets.profile
index 7bc296047..b7ac68945 100644
--- a/etc/profile-a-l/calligrasheets.profile
+++ b/etc/profile-a-l/calligrasheets.profile
@@ -6,7 +6,7 @@ include calligrasheets.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligrasheets
+nodeny  ${HOME}/.local/share/kxmlgui5/calligrasheets
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligrastage.profile b/etc/profile-a-l/calligrastage.profile
index 7694abbe4..1258fec56 100644
--- a/etc/profile-a-l/calligrastage.profile
+++ b/etc/profile-a-l/calligrastage.profile
@@ -6,7 +6,7 @@ include calligrastage.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligrastage
+nodeny  ${HOME}/.local/share/kxmlgui5/calligrastage
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/calligrawords.profile b/etc/profile-a-l/calligrawords.profile
index d69d56a95..c2b6c8041 100644
--- a/etc/profile-a-l/calligrawords.profile
+++ b/etc/profile-a-l/calligrawords.profile
@@ -6,7 +6,7 @@ include calligrawords.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/calligrawords
+nodeny  ${HOME}/.local/share/kxmlgui5/calligrawords
 
 # Redirect
 include calligra.profile
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index 74c7cc34b..390ae383c 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -20,7 +20,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/cameramonitor
+allow  /usr/share/cameramonitor
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index 96f88a7c4..77bdc09e0 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -6,10 +6,10 @@ include cantata.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/cantata
-noblacklist ${HOME}/.config/cantata
-noblacklist ${HOME}/.local/share/cantata
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/cantata
+nodeny  ${HOME}/.config/cantata
+nodeny  ${HOME}/.local/share/cantata
+nodeny  ${MUSIC}
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index 043fd6718..9c53af84f 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -10,11 +10,11 @@ include globals.local
 ignore noexec ${HOME}
 ignore noexec /tmp
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
-noblacklist ${HOME}/.cargo/credentials
-noblacklist ${HOME}/.cargo/credentials.toml
+nodeny  ${HOME}/.cargo/credentials
+nodeny  ${HOME}/.cargo/credentials.toml
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
@@ -34,6 +34,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
 #include whitelist-common.inc
+allow  /usr/share/pkgconfig
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
index 009d3a049..4ea53ea6b 100644
--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -9,7 +9,7 @@ include globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
 
-noblacklist ${HOME}/.config/catfish
+nodeny  ${HOME}/.config/catfish
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -21,7 +21,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 # include disable-programs.inc
 
-whitelist /var/lib/mlocate
+allow  /var/lib/mlocate
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 6e137010c..d7aee1902 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -6,7 +6,7 @@ include cawbird.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/cawbird
+nodeny  ${HOME}/.config/cawbird
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index f02161b9b..d6f4306ba 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -6,9 +6,9 @@ include celluloid.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/celluloid
-noblacklist ${HOME}/.config/gnome-mpv
-noblacklist ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.config/celluloid
+nodeny  ${HOME}/.config/gnome-mpv
+nodeny  ${HOME}/.config/youtube-dl
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -17,6 +17,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+deny  /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -28,9 +30,9 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.config/celluloid
 mkdir ${HOME}/.config/gnome-mpv
 mkdir ${HOME}/.config/youtube-dl
-whitelist ${HOME}/.config/celluloid
-whitelist ${HOME}/.config/gnome-mpv
-whitelist ${HOME}/.config/youtube-dl
+allow  ${HOME}/.config/celluloid
+allow  ${HOME}/.config/gnome-mpv
+allow  ${HOME}/.config/youtube-dl
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
index 24939fc70..0f61084e0 100644
--- a/etc/profile-a-l/checkbashisms.profile
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -7,9 +7,9 @@ include checkbashisms.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index aca1f5876..bde3e1311 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -6,8 +6,8 @@ include cheese.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${VIDEOS}
-noblacklist ${PICTURES}
+nodeny  ${VIDEOS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${VIDEOS}
-whitelist ${PICTURES}
-whitelist /usr/share/gnome-video-effects
+allow  ${VIDEOS}
+allow  ${PICTURES}
+allow  /usr/share/gnome-video-effects
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
index 7621b3c8c..d5dedd81d 100644
--- a/etc/profile-a-l/cherrytree.profile
+++ b/etc/profile-a-l/cherrytree.profile
@@ -6,8 +6,8 @@ include cherrytree.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/cherrytree
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/cherrytree
+nodeny  ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
index 0283a6934..64c45772a 100644
--- a/etc/profile-a-l/chromium-browser-privacy.profile
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -3,13 +3,15 @@
 # Persistent local customizations
 include chromium-browser-privacy.local
 
-noblacklist ${HOME}/.cache/ungoogled-chromium
-noblacklist ${HOME}/.config/ungoogled-chromium
+nodeny  ${HOME}/.cache/ungoogled-chromium
+nodeny  ${HOME}/.config/ungoogled-chromium
+
+deny  /usr/libexec
 
 mkdir ${HOME}/.cache/ungoogled-chromium
 mkdir ${HOME}/.config/ungoogled-chromium
-whitelist ${HOME}/.cache/ungoogled-chromium
-whitelist ${HOME}/.config/ungoogled-chromium
+allow  ${HOME}/.cache/ungoogled-chromium
+allow  ${HOME}/.config/ungoogled-chromium
 
 # private-bin basename,bash,cat,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
 
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index f7493aa82..dbeb715d4 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -9,8 +9,8 @@ include chromium-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 # Add the next line to your chromium-common.local if you want Google Chrome/Chromium browser
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
@@ -26,9 +26,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -37,8 +37,9 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 
-# Add the next line to your chromium-common.local to allow screen sharing under wayland.
+# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 
 apparmor
 caps.keep sys_admin,sys_chroot
diff --git a/etc/profile-a-l/chromium.profile b/etc/profile-a-l/chromium.profile
index 9ac33aa1c..ea92e90a8 100644
--- a/etc/profile-a-l/chromium.profile
+++ b/etc/profile-a-l/chromium.profile
@@ -6,17 +6,17 @@ include chromium.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/chromium
-noblacklist ${HOME}/.config/chromium
-noblacklist ${HOME}/.config/chromium-flags.conf
+nodeny  ${HOME}/.cache/chromium
+nodeny  ${HOME}/.config/chromium
+nodeny  ${HOME}/.config/chromium-flags.conf
 
 mkdir ${HOME}/.cache/chromium
 mkdir ${HOME}/.config/chromium
-whitelist ${HOME}/.cache/chromium
-whitelist ${HOME}/.config/chromium
-whitelist ${HOME}/.config/chromium-flags.conf
-whitelist /usr/share/chromium
-whitelist /usr/share/mozilla/extensions
+allow  ${HOME}/.cache/chromium
+allow  ${HOME}/.config/chromium
+allow  ${HOME}/.config/chromium-flags.conf
+allow  /usr/share/chromium
+allow  /usr/share/mozilla/extensions
 
 # private-bin chromium,chromium-browser,chromedriver
 
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile
index e1f9523c4..c967e1c96 100644
--- a/etc/profile-a-l/cin.profile
+++ b/etc/profile-a-l/cin.profile
@@ -5,7 +5,7 @@ include cin.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.bcast5
+nodeny  ${HOME}/.bcast5
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/clamav.profile b/etc/profile-a-l/clamav.profile
index e403c2c41..0efbcd4f2 100644
--- a/etc/profile-a-l/clamav.profile
+++ b/etc/profile-a-l/clamav.profile
@@ -7,7 +7,7 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-exec.inc
 
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 691657fa0..3e4e1f2a1 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -6,17 +6,17 @@ include claws-mail.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.claws-mail
+nodeny  ${HOME}/.claws-mail
 
 mkdir ${HOME}/.claws-mail
-whitelist ${HOME}/.claws-mail
+allow  ${HOME}/.claws-mail
 
 # Add the below lines to your claws-mail.local if you use python-based plugins.
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
 #include allow-python3.inc
 
-whitelist /usr/share/doc/claws-mail
+allow  /usr/share/doc/claws-mail
 
 # private-bin claws-mail,curl,gpg,gpg2,gpg-agent,gpgsm,gpgme-config,pinentry,pinentry-gtk-2
 
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 9b62a1f73..ee64391d9 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -6,7 +6,7 @@ include clawsker.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.claws-mail
+nodeny  ${HOME}/.claws-mail
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -19,7 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.claws-mail
-whitelist ${HOME}/.claws-mail
+allow  ${HOME}/.claws-mail
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index fa33795c1..f9c0006f9 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -6,9 +6,9 @@ include clementine.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Clementine
-noblacklist ${HOME}/.config/Clementine
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/Clementine
+nodeny  ${HOME}/.config/Clementine
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/clion-eap.profile b/etc/profile-a-l/clion-eap.profile
new file mode 100644
index 000000000..3602c3e7b
--- /dev/null
+++ b/etc/profile-a-l/clion-eap.profile
@@ -0,0 +1,10 @@
+# Firejail profile for CLion EAP
+# This file is overwritten after every install/update
+# Persistent local customizations
+include clion-eap.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include clion.profile
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index 22cecff09..5c5399069 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -5,13 +5,16 @@ include clion.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.CLion*
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.java
-noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.config/JetBrains/CLion*
+nodeny  ${HOME}/.cache/JetBrains/CLion*
+nodeny  ${HOME}/.clion*
+nodeny  ${HOME}/.CLion*
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
+nodeny  ${HOME}/.java
+nodeny  ${HOME}/.local/share/JetBrains
+nodeny  ${HOME}/.tooling
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index c8258da07..89f8d96f0 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -6,9 +6,9 @@ include clipgrab.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Philipp Schmieder
-noblacklist ${HOME}/.pki
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/Philipp Schmieder
+nodeny  ${HOME}/.pki
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index d421903a3..4a2a5171b 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -6,8 +6,8 @@ include clipit.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/clipit
-noblacklist ${HOME}/.local/share/clipit
+nodeny  ${HOME}/.config/clipit
+nodeny  ${HOME}/.local/share/clipit
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/clipit
 mkdir ${HOME}/.local/share/clipit
-whitelist ${HOME}/.config/clipit
-whitelist ${HOME}/.local/share/clipit
+allow  ${HOME}/.config/clipit
+allow  ${HOME}/.local/share/clipit
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile
index d0b8cc0ef..22c6ef882 100644
--- a/etc/profile-a-l/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
@@ -5,16 +5,16 @@ include cliqz.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/cliqz
-noblacklist ${HOME}/.cliqz
-noblacklist ${HOME}/.config/cliqz
+nodeny  ${HOME}/.cache/cliqz
+nodeny  ${HOME}/.cliqz
+nodeny  ${HOME}/.config/cliqz
 
 mkdir ${HOME}/.cache/cliqz
 mkdir ${HOME}/.cliqz
 mkdir ${HOME}/.config/cliqz
-whitelist ${HOME}/.cache/cliqz
-whitelist ${HOME}/.cliqz
-whitelist ${HOME}/.config/cliqz
+allow  ${HOME}/.cache/cliqz
+allow  ${HOME}/.cliqz
+allow  ${HOME}/.config/cliqz
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cliqz
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index bcd557787..51e53209f 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -6,8 +6,8 @@ include cmus.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/cmus
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/cmus
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/code.profile b/etc/profile-a-l/code.profile
index e19b78908..1933c66fa 100644
--- a/etc/profile-a-l/code.profile
+++ b/etc/profile-a-l/code.profile
@@ -5,10 +5,10 @@ include code.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Code
-noblacklist ${HOME}/.config/Code - OSS
-noblacklist ${HOME}/.vscode
-noblacklist ${HOME}/.vscode-oss
+nodeny  ${HOME}/.config/Code
+nodeny  ${HOME}/.config/Code - OSS
+nodeny  ${HOME}/.vscode
+nodeny  ${HOME}/.vscode-oss
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile
index bd6d8f5b0..efa7f516c 100644
--- a/etc/profile-a-l/colorful.profile
+++ b/etc/profile-a-l/colorful.profile
@@ -6,7 +6,7 @@ include colorful.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.suve/colorful
+nodeny  ${HOME}/.suve/colorful
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.suve/colorful
-whitelist ${HOME}/.suve/colorful
-whitelist /usr/share/suve
+allow  ${HOME}/.suve/colorful
+allow  /usr/share/suve
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index c8bdfec23..34b662959 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -6,7 +6,7 @@ include com.github.bleakgrey.tootle.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
+nodeny  ${HOME}/.config/com.github.bleakgrey.tootle
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/com.github.bleakgrey.tootle
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/com.github.bleakgrey.tootle
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/com.github.bleakgrey.tootle
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index b467a0f7a..4e26e4925 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -6,9 +6,9 @@ include com.github.dahenson.agenda.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/agenda
-noblacklist ${HOME}/.config/agenda
-noblacklist ${HOME}/.local/share/agenda
+nodeny  ${HOME}/.cache/agenda
+nodeny  ${HOME}/.config/agenda
+nodeny  ${HOME}/.local/share/agenda
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/agenda
 mkdir ${HOME}/.config/agenda
 mkdir ${HOME}/.local/share/agenda
-whitelist ${HOME}/.cache/agenda
-whitelist ${HOME}/.config/agenda
-whitelist ${HOME}/.local/share/agenda
+allow  ${HOME}/.cache/agenda
+allow  ${HOME}/.config/agenda
+allow  ${HOME}/.local/share/agenda
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index c13f9618b..bbfc1fe41 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -6,9 +6,9 @@ include foliate.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-noblacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.cache/com.github.johnfactotum.Foliate
+nodeny  ${HOME}/.local/share/com.github.johnfactotum.Foliate
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
@@ -24,12 +24,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
 mkdir ${HOME}/.local/share/com.github.johnfactotum.Foliate
-whitelist ${HOME}/.cache/com.github.johnfactotum.Foliate
-whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
-whitelist /usr/share/com.github.johnfactotum.Foliate
-whitelist /usr/share/hyphen
+allow  ${HOME}/.cache/com.github.johnfactotum.Foliate
+allow  ${HOME}/.local/share/com.github.johnfactotum.Foliate
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
+allow  /usr/share/com.github.johnfactotum.Foliate
+allow  /usr/share/hyphen
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
index d0402d188..3e9acc6c8 100644
--- a/etc/profile-a-l/com.github.phase1geo.minder.profile
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -6,9 +6,9 @@ include com.github.phase1geo.minder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/minder
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.local/share/minder
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,10 +20,10 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/minder
-whitelist ${HOME}/.local/share/minder
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
-whitelist ${PICTURES}
+allow  ${HOME}/.local/share/minder
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
+allow  ${PICTURES}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/conkeror.profile b/etc/profile-a-l/conkeror.profile
index 38edf0d21..6cc9ec551 100644
--- a/etc/profile-a-l/conkeror.profile
+++ b/etc/profile-a-l/conkeror.profile
@@ -5,23 +5,23 @@ include conkeror.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.conkeror.mozdev.org
+nodeny  ${HOME}/.conkeror.mozdev.org
 
 include disable-common.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.conkeror.mozdev.org
 mkfile ${HOME}/.conkerorrc
-whitelist ${HOME}/.conkeror.mozdev.org
-whitelist ${HOME}/.conkerorrc
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.conkeror.mozdev.org
+allow  ${HOME}/.conkerorrc
+allow  ${HOME}/.lastpass
+allow  ${HOME}/.pentadactyl
+allow  ${HOME}/.pentadactylrc
+allow  ${HOME}/.vimperator
+allow  ${HOME}/.vimperatorrc
+allow  ${HOME}/.zotero
+allow  ${HOME}/dwhelper
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile
index eaa18739d..1b3fe6651 100644
--- a/etc/profile-a-l/conky.profile
+++ b/etc/profile-a-l/conky.profile
@@ -6,7 +6,7 @@ include conky.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
index 2fb446e2a..266c404ee 100644
--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -6,7 +6,7 @@ include corebird.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/corebird
+nodeny  ${HOME}/.config/corebird
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 1635995dc..0a1353e40 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -7,8 +7,8 @@ include cower.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/cower
-noblacklist /var/lib/pacman
+nodeny  ${HOME}/.config/cower
+nodeny  /var/lib/pacman
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 7ece35c2b..5e48c8022 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -6,7 +6,7 @@ include coyim.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/coyim
+nodeny  ${HOME}/.config/coyim
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/coyim
-whitelist ${HOME}/.config/coyim
+allow  ${HOME}/.config/coyim
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/cpio.profile b/etc/profile-a-l/cpio.profile
index bdc4f21a6..dec8c086b 100644
--- a/etc/profile-a-l/cpio.profile
+++ b/etc/profile-a-l/cpio.profile
@@ -7,8 +7,8 @@ include cpio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile
index b10216895..81292c01c 100644
--- a/etc/profile-a-l/crawl.profile
+++ b/etc/profile-a-l/crawl.profile
@@ -6,7 +6,7 @@ include crawl-tiles.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.crawl
+nodeny  ${HOME}/.crawl
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.crawl
-whitelist ${HOME}/.crawl
+allow  ${HOME}/.crawl
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index 02b15ecc2..36bd93778 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -8,8 +8,8 @@ include globals.local
 
 mkdir ${HOME}/.config/crow
 mkdir ${HOME}/.cache/gstreamer-1.0
-whitelist ${HOME}/.config/crow
-whitelist ${HOME}/.cache/gstreamer-1.0
+allow  ${HOME}/.config/crow
+allow  ${HOME}/.cache/gstreamer-1.0
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index c9867c5d7..4950b7a4c 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -12,11 +12,11 @@ include globals.local
 # Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts.
 # If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
 # and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact.
-noblacklist ${HOME}/.curl-hsts
-noblacklist ${HOME}/.curlrc
+nodeny  ${HOME}/.curl-hsts
+nodeny  ${HOME}/.curlrc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index d1fff0004..49f972e4a 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -5,13 +5,13 @@ include cyberfox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.8pecxstudios
-noblacklist ${HOME}/.cache/8pecxstudios
+nodeny  ${HOME}/.8pecxstudios
+nodeny  ${HOME}/.cache/8pecxstudios
 
 mkdir ${HOME}/.8pecxstudios
 mkdir ${HOME}/.cache/8pecxstudios
-whitelist ${HOME}/.8pecxstudios
-whitelist ${HOME}/.cache/8pecxstudios
+allow  ${HOME}/.8pecxstudios
+allow  ${HOME}/.cache/8pecxstudios
 
 # private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index ba1e7adad..c7ce1730a 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -6,7 +6,7 @@ include d-feet.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/d-feet
+nodeny  ${HOME}/.config/d-feet
 
 # Allow python (disabled by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/d-feet
-whitelist ${HOME}/.config/d-feet
-whitelist /usr/share/d-feet
+allow  ${HOME}/.config/d-feet
+allow  /usr/share/d-feet
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
index 61fa52928..4d51c255e 100644
--- a/etc/profile-a-l/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
@@ -6,9 +6,9 @@ include darktable.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/darktable
-noblacklist ${HOME}/.config/darktable
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.cache/darktable
+nodeny  ${HOME}/.config/darktable
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 67a61bb60..745042d6f 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -7,8 +7,8 @@ include dbus-send.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index 0c221850a..c1231c6cf 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${HOME}/.local/share/glib-2.0
+allow  ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index be7514cbf..b9d385adf 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -6,7 +6,7 @@ include dconf.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${HOME}/.local/share/glib-2.0
+allow  ${HOME}/.local/share/glib-2.0
 # dconf paths are whitelisted by the following
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/ddgr.profile b/etc/profile-a-l/ddgr.profile
new file mode 100644
index 000000000..b1d41ddf7
--- /dev/null
+++ b/etc/profile-a-l/ddgr.profile
@@ -0,0 +1,13 @@
+# Firejail profile for ddgr
+# Description: Search DuckDuckGo from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ddgr.local
+# Persistent global definitions
+include globals.local
+
+private-bin ddgr
+
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 5b95b74be..09fa7a07a 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -18,8 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
-whitelist /usr/share/ddgtk
+allow  ${DOWNLOADS}
+allow  /usr/share/ddgtk
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index a221ebbd7..25fa944a1 100644
--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -6,8 +6,8 @@ include deadbeef.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/deadbeef
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/deadbeef
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index ad7aa6ed5..d41a4a023 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -6,7 +6,7 @@ include deluge.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/deluge
+nodeny  ${HOME}/.config/deluge
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -20,8 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/deluge
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/deluge
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/deluge
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
index 212cdab60..aed4355d5 100644
--- a/etc/profile-a-l/desktopeditors.profile
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -6,9 +6,9 @@ include desktopeditors.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/onlyoffice
-noblacklist ${HOME}/.local/share/onlyoffice
-noblacklist ${HOME}/.pki
+nodeny  ${HOME}/.config/onlyoffice
+nodeny  ${HOME}/.local/share/onlyoffice
+nodeny  ${HOME}/.pki
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index 5007f8e74..dc0f290fb 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -16,9 +16,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/devhelp
-whitelist /usr/share/doc
-whitelist /usr/share/gtk-doc/html
+allow  /usr/share/devhelp
+allow  /usr/share/doc
+allow  /usr/share/gtk-doc/html
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 6267b5709..631f15f93 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -6,9 +6,9 @@ include devilspie.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.devilspie
+nodeny  ${HOME}/.devilspie
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.devilspie
-whitelist ${HOME}/.devilspie
+allow  ${HOME}/.devilspie
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/devilspie2.profile b/etc/profile-a-l/devilspie2.profile
index 9eab3f536..140c9da0f 100644
--- a/etc/profile-a-l/devilspie2.profile
+++ b/etc/profile-a-l/devilspie2.profile
@@ -6,17 +6,17 @@ include devilspie2.local
 # Persistent global definitions
 #include globals.local
 
-blacklist ${HOME}/.devilspie
+deny  ${HOME}/.devilspie
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.config/devilspie2
+nodeny  ${HOME}/.config/devilspie2
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
 mkdir ${HOME}/.config/devilspie2
-whitelist ${HOME}/.config/devilspie2
+allow  ${HOME}/.config/devilspie2
 
 private-bin devilspie2
 
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 531734b7d..2a808238b 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -6,8 +6,8 @@ include dia.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.dia
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.dia
+nodeny  ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -25,7 +25,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.dia
 #whitelist ${DOCUMENTS}
 #include whitelist-common.inc
-whitelist /usr/share/dia
+allow  /usr/share/dia
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 247159a8a..2d683b811 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -7,11 +7,11 @@ include dig.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.digrc
-noblacklist ${PATH}/dig
+nodeny  ${HOME}/.digrc
+nodeny  ${PATH}/dig
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 # include disable-devel.inc
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 #mkfile ${HOME}/.digrc - see #903
-whitelist ${HOME}/.digrc
+allow  ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index 2ca7bd400..124b50952 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -6,12 +6,12 @@ include digikam.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/digikam
-noblacklist ${HOME}/.config/digikamrc
-noblacklist ${HOME}/.kde/share/apps/digikam
-noblacklist ${HOME}/.kde4/share/apps/digikam
-noblacklist ${HOME}/.local/share/kxmlgui5/digikam
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/digikam
+nodeny  ${HOME}/.config/digikamrc
+nodeny  ${HOME}/.kde/share/apps/digikam
+nodeny  ${HOME}/.kde4/share/apps/digikam
+nodeny  ${HOME}/.local/share/kxmlgui5/digikam
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile
index 9871a6095..883466f4d 100644
--- a/etc/profile-a-l/dillo.profile
+++ b/etc/profile-a-l/dillo.profile
@@ -6,7 +6,7 @@ include dillo.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.dillo
+nodeny  ${HOME}/.dillo
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.dillo
 mkdir ${HOME}/.fltk
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.dillo
-whitelist ${HOME}/.fltk
+allow  ${DOWNLOADS}
+allow  ${HOME}/.dillo
+allow  ${HOME}/.fltk
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index c3174b35f..3078bef71 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -6,7 +6,7 @@ include dino.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/dino
+nodeny  ${HOME}/.local/share/dino
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.local/share/dino
-whitelist ${HOME}/.local/share/dino
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.local/share/dino
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/discord-canary.profile b/etc/profile-a-l/discord-canary.profile
index 43db95b8a..1c53cd211 100644
--- a/etc/profile-a-l/discord-canary.profile
+++ b/etc/profile-a-l/discord-canary.profile
@@ -5,10 +5,10 @@ include discord-canary.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/discordcanary
+nodeny  ${HOME}/.config/discordcanary
 
 mkdir ${HOME}/.config/discordcanary
-whitelist ${HOME}/.config/discordcanary
+allow  ${HOME}/.config/discordcanary
 
 private-bin discord-canary,electron,electron[0-9],electron[0-9][0-9]
 private-opt discord-canary
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 19e7bd9ab..6bee1901c 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -20,8 +20,8 @@ ignore dbus-system none
 ignore noexec ${HOME}
 ignore novideo
 
-whitelist ${HOME}/.config/BetterDiscord
-whitelist ${HOME}/.local/share/betterdiscordctl
+allow  ${HOME}/.config/BetterDiscord
+allow  ${HOME}/.local/share/betterdiscordctl
 
 private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-a-l/discord.profile b/etc/profile-a-l/discord.profile
index 8ef02a30f..658d3fc83 100644
--- a/etc/profile-a-l/discord.profile
+++ b/etc/profile-a-l/discord.profile
@@ -5,10 +5,10 @@ include discord.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/discord
+nodeny  ${HOME}/.config/discord
 
 mkdir ${HOME}/.config/discord
-whitelist ${HOME}/.config/discord
+allow  ${HOME}/.config/discord
 
 private-bin discord
 private-opt discord
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 11f3fd36e..4474b97d2 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -5,7 +5,7 @@ include display.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
index 51ba6f8b7..8c3d6211b 100644
--- a/etc/profile-a-l/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/dnox
-noblacklist ${HOME}/.config/dnox
+nodeny  ${HOME}/.cache/dnox
+nodeny  ${HOME}/.config/dnox
 
 mkdir ${HOME}/.cache/dnox
 mkdir ${HOME}/.config/dnox
-whitelist ${HOME}/.cache/dnox
-whitelist ${HOME}/.config/dnox
+allow  ${HOME}/.cache/dnox
+allow  ${HOME}/.config/dnox
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
index f8fb1a331..dbcef36f8 100644
--- a/etc/profile-a-l/dnscrypt-proxy.profile
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -7,11 +7,11 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/dnscrypt-proxy
+allow  /usr/share/dnscrypt-proxy
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
index 01398c2b2..b1acbf392 100644
--- a/etc/profile-a-l/dnsmasq.profile
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -7,11 +7,11 @@ include dnsmasq.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 49feec32e..15b312ecb 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -8,9 +8,9 @@ include globals.local
 
 # Note: you must whitelist your games folder in your dolphin-emu.local.
 
-noblacklist ${HOME}/.cache/dolphin-emu
-noblacklist ${HOME}/.config/dolphin-emu
-noblacklist ${HOME}/.local/share/dolphin-emu
+nodeny  ${HOME}/.cache/dolphin-emu
+nodeny  ${HOME}/.config/dolphin-emu
+nodeny  ${HOME}/.local/share/dolphin-emu
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,10 +24,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/dolphin-emu
 mkdir ${HOME}/.config/dolphin-emu
 mkdir ${HOME}/.local/share/dolphin-emu
-whitelist ${HOME}/.cache/dolphin-emu
-whitelist ${HOME}/.config/dolphin-emu
-whitelist ${HOME}/.local/share/dolphin-emu
-whitelist /usr/share/dolphin-emu
+allow  ${HOME}/.cache/dolphin-emu
+allow  ${HOME}/.config/dolphin-emu
+allow  ${HOME}/.local/share/dolphin-emu
+allow  /usr/share/dolphin-emu
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile
index 37a4113cb..3b0adcc36 100644
--- a/etc/profile-a-l/dooble.profile
+++ b/etc/profile-a-l/dooble.profile
@@ -7,7 +7,7 @@ include dooble-qt4.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.dooble
+nodeny  ${HOME}/.dooble
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.dooble
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.dooble
+allow  ${DOWNLOADS}
+allow  ${HOME}/.dooble
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 988f66f28..29e506764 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -6,8 +6,8 @@ include dosbox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.dosbox
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.dosbox
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
index 8fa01d504..90ca11774 100644
--- a/etc/profile-a-l/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -6,9 +6,9 @@ include dragon.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/dragonplayerrc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/dragonplayerrc
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/dragonplayer
+allow  /usr/share/dragonplayer
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 82d96e405..84a77ce34 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -6,7 +6,7 @@ include drawio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/draw.io
+nodeny  ${HOME}/.config/draw.io
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/draw.io
-whitelist ${HOME}/.config/draw.io
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/draw.io
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index 068bd88d8..e177fd60e 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -7,10 +7,10 @@ include drill.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PATH}/drill
+nodeny  ${PATH}/drill
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
index b3b2aaf40..274cdd478 100644
--- a/etc/profile-a-l/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
@@ -5,9 +5,9 @@ include dropbox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
-noblacklist ${HOME}/.dropbox
-noblacklist ${HOME}/.dropbox-dist
+nodeny  ${HOME}/.config/autostart
+nodeny  ${HOME}/.dropbox
+nodeny  ${HOME}/.dropbox-dist
 
 # Allow python3 (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -22,10 +22,10 @@ mkdir ${HOME}/.dropbox
 mkdir ${HOME}/.dropbox-dist
 mkdir ${HOME}/Dropbox
 mkfile ${HOME}/.config/autostart/dropbox.desktop
-whitelist ${HOME}/.config/autostart/dropbox.desktop
-whitelist ${HOME}/.dropbox
-whitelist ${HOME}/.dropbox-dist
-whitelist ${HOME}/Dropbox
+allow  ${HOME}/.config/autostart/dropbox.desktop
+allow  ${HOME}/.dropbox
+allow  ${HOME}/.dropbox-dist
+allow  ${HOME}/Dropbox
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 38e4b16f7..da54fec34 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -6,7 +6,7 @@ include easystroke.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.easystroke
+nodeny  ${HOME}/.easystroke
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.easystroke
-whitelist ${HOME}/.easystroke
+allow  ${HOME}/.easystroke
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 278dd6cbd..10e57371e 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -6,7 +6,7 @@ include electron-mail.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/electron-mail
+nodeny  ${HOME}/.config/electron-mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/electron-mail
-whitelist ${HOME}/.config/electron-mail
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/electron-mail
+allow  ${DOWNLOADS}
 
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 493af79d4..e8d8d35c4 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -12,7 +12,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index ad636d71a..f6691017c 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -6,7 +6,7 @@ include electrum.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.electrum
+nodeny  ${HOME}/.electrum
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,7 +22,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.electrum
-whitelist ${HOME}/.electrum
+allow  ${HOME}/.electrum
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index 48a826f2e..ec28866b8 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -9,11 +9,11 @@ include element-desktop.local
 
 ignore dbus-user none
 
-noblacklist ${HOME}/.config/Element
+nodeny  ${HOME}/.config/Element
 
 mkdir ${HOME}/.config/Element
-whitelist ${HOME}/.config/Element
-whitelist /opt/Element
+allow  ${HOME}/.config/Element
+allow  /opt/Element
 
 private-opt Element
 
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
index 8120725d2..30dca05cb 100644
--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -1,44 +1,18 @@
 # Firejail profile for elinks
 # Description: Advanced text-mode WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include elinks.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.elinks
+nodeny  ${HOME}/.elinks
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+mkdir ${HOME}/.elinks
+allow  ${HOME}/.elinks
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+private-bin elinks
 
-include whitelist-runuser-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin elinks
-private-cache
-private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
-private-tmp
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
index 55bf743ef..f0e0e2830 100644
--- a/etc/profile-a-l/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -6,8 +6,8 @@ include emacs.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.emacs
-noblacklist ${HOME}/.emacs.d
+nodeny  ${HOME}/.emacs
+nodeny  ${HOME}/.emacs.d
 # Add the next line to your emacs.local if you need gpg support.
 #noblacklist ${HOME}/.gnupg
 
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 6c9a8a6ea..5fc72d340 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -7,14 +7,14 @@ include email-common.local
 # added by caller profile
 #include globals.local
 
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.signature
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.mozilla
+nodeny  ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
 # and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
-noblacklist ${HOME}/Mail
+nodeny  ${HOME}/Mail
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -27,17 +27,17 @@ include disable-xdg.inc
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.config/mimeapps.list
 mkfile ${HOME}/.signature
-whitelist ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.signature
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/mimeapps.list
+allow  ${HOME}/.mozilla/firefox/profiles.ini
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.signature
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
-whitelist ${HOME}/Mail
-whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  ${HOME}/Mail
+allow  ${RUNUSER}/gnupg
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index ac17b1726..36015b702 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -6,9 +6,9 @@ include enchant.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.config/enchant
+nodeny  ${HOME}/.config/enchant
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/enchant
-whitelist ${HOME}/.config/enchant
+allow  ${HOME}/.config/enchant
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
index d982433e2..9a1d89bba 100644
--- a/etc/profile-a-l/enox.profile
+++ b/etc/profile-a-l/enox.profile
@@ -10,15 +10,15 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/Enox
-noblacklist ${HOME}/.config/Enox
+nodeny  ${HOME}/.cache/Enox
+nodeny  ${HOME}/.config/Enox
 
 #mkdir ${HOME}/.cache/dnox
 #mkdir ${HOME}/.config/dnox
 mkdir ${HOME}/.cache/Enox
 mkdir ${HOME}/.config/Enox
-whitelist ${HOME}/.cache/Enox
-whitelist ${HOME}/.config/Enox
+allow  ${HOME}/.cache/Enox
+allow  ${HOME}/.config/Enox
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index c4123b4c2..5d8f8a0b9 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -6,11 +6,11 @@ include enpass.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Enpass
-noblacklist ${HOME}/.config/sinew.in
-noblacklist ${HOME}/.config/Sinew Software Systems
-noblacklist ${HOME}/.local/share/Enpass
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/Enpass
+nodeny  ${HOME}/.config/sinew.in
+nodeny  ${HOME}/.config/Sinew Software Systems
+nodeny  ${HOME}/.local/share/Enpass
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,11 +24,11 @@ mkdir ${HOME}/.cache/Enpass
 mkfile ${HOME}/.config/sinew.in
 mkdir ${HOME}/.config/Sinew Software Systems
 mkdir ${HOME}/.local/share/Enpass
-whitelist ${HOME}/.cache/Enpass
-whitelist ${HOME}/.config/sinew.in
-whitelist ${HOME}/.config/Sinew Software Systems
-whitelist ${HOME}/.local/share/Enpass
-whitelist ${DOCUMENTS}
+allow  ${HOME}/.cache/Enpass
+allow  ${HOME}/.config/sinew.in
+allow  ${HOME}/.config/Sinew Software Systems
+allow  ${HOME}/.local/share/Enpass
+allow  ${DOCUMENTS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 8e8047b00..ff7040e5c 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -7,9 +7,11 @@ include eo-common.local
 # added by caller profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.local/share/Trash
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.steam
+
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 5892374bd..e8592c7df 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -6,9 +6,9 @@ include eog.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/eog
+nodeny  ${HOME}/.config/eog
 
-whitelist /usr/share/eog
+allow  /usr/share/eog
 
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
 # Add the next lines to your eog.local if you need that functionality.
diff --git a/etc/profile-a-l/eom.profile b/etc/profile-a-l/eom.profile
index 7143a8e03..323f5ade2 100644
--- a/etc/profile-a-l/eom.profile
+++ b/etc/profile-a-l/eom.profile
@@ -6,9 +6,9 @@ include eom.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mate/eom
+nodeny  ${HOME}/.config/mate/eom
 
-whitelist /usr/share/eom
+allow  /usr/share/eom
 
 # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager'.
 # Add the next lines to your eom.local if you need that functionality.
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 131d68951..3657742b9 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -9,8 +9,8 @@ include globals.local
 # enforce private-cache
 #noblacklist ${HOME}/.cache/ephemeral
 
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
@@ -27,9 +27,9 @@ mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
 # enforce private-cache
 #whitelist ${HOME}/.cache/ephemeral
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/epiphany.profile b/etc/profile-a-l/epiphany.profile
index 225811226..daedb2193 100644
--- a/etc/profile-a-l/epiphany.profile
+++ b/etc/profile-a-l/epiphany.profile
@@ -9,9 +9,9 @@ include globals.local
 # Note: Epiphany use bwrap since 3.34 and can not be firejailed any more.
 # See https://github.com/netblue30/firejail/issues/2995
 
-noblacklist ${HOME}/.cache/epiphany
-noblacklist ${HOME}/.config/epiphany
-noblacklist ${HOME}/.local/share/epiphany
+nodeny  ${HOME}/.cache/epiphany
+nodeny  ${HOME}/.config/epiphany
+nodeny  ${HOME}/.local/share/epiphany
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,10 +21,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/epiphany
 mkdir ${HOME}/.config/epiphany
 mkdir ${HOME}/.local/share/epiphany
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/epiphany
-whitelist ${HOME}/.config/epiphany
-whitelist ${HOME}/.local/share/epiphany
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/epiphany
+allow  ${HOME}/.config/epiphany
+allow  ${HOME}/.local/share/epiphany
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 964d3b7ca..ac957870c 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -6,8 +6,8 @@ include equalx.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/equalx
-noblacklist ${HOME}/.equalx
+nodeny  ${HOME}/.config/equalx
+nodeny  ${HOME}/.equalx
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,13 +20,13 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/equalx
 mkdir ${HOME}/.equalx
-whitelist ${HOME}/.config/equalx
-whitelist ${HOME}/.equalx
-whitelist /usr/share/poppler
-whitelist /usr/share/ghostscript
-whitelist /usr/share/texlive
-whitelist /usr/share/equalx
-whitelist /var/lib/texmf
+allow  ${HOME}/.config/equalx
+allow  ${HOME}/.equalx
+allow  /usr/share/poppler
+allow  /usr/share/ghostscript
+allow  /usr/share/texlive
+allow  /usr/share/equalx
+allow  /var/lib/texmf
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index b970b0dfd..a2f46b757 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -6,7 +6,9 @@ include etr.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.etr
+nodeny  ${HOME}/.etr
+
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +20,10 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.etr
-whitelist ${HOME}/.etr
-whitelist /usr/share/etr
+allow  ${HOME}/.etr
+allow  /usr/share/etr
+# Debian version
+allow  /usr/share/games/etr
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index adcb29063..ce2617ad6 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -10,8 +10,10 @@ include globals.local
 # Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
 #noblacklist ${HOME}/.local/share/gvfs-metadata
 
-noblacklist ${HOME}/.config/evince
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/evince
+nodeny  ${DOCUMENTS}
+
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +24,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/doc
-whitelist /usr/share/evince
-whitelist /usr/share/poppler
-whitelist /usr/share/tracker
+allow  /usr/share/doc
+allow  /usr/share/evince
+allow  /usr/share/poppler
+allow  /usr/share/tracker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 7222493ac..142498a28 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,15 @@ include evolution.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/mail
-noblacklist /var/spool/mail
-noblacklist ${HOME}/.bogofilter
-noblacklist ${HOME}/.cache/evolution
-noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  /var/mail
+nodeny  /var/spool/mail
+nodeny  ${HOME}/.bogofilter
+nodeny  ${HOME}/.cache/evolution
+nodeny  ${HOME}/.config/evolution
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.local/share/evolution
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 7b09a2c64..216814989 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -6,7 +6,7 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -18,7 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/perl-image-exiftool
+allow  /usr/share/perl-image-exiftool
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index b2061db79..9bb42945b 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -6,8 +6,8 @@ include falkon.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/falkon
-noblacklist ${HOME}/.config/falkon
+nodeny  ${HOME}/.cache/falkon
+nodeny  ${HOME}/.config/falkon
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,10 +19,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/falkon
 mkdir ${HOME}/.config/falkon
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/falkon
-whitelist ${HOME}/.config/falkon
-whitelist /usr/share/falkon
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/falkon
+allow  ${HOME}/.config/falkon
+allow  /usr/share/falkon
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
index 8e81000fd..d141c6ed5 100644
--- a/etc/profile-a-l/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -6,8 +6,8 @@ include fbreader.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.FBReader
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.FBReader
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 31cb1776c..17a365053 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -5,11 +5,11 @@ include fdns.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 664ec2da6..359be083e 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -6,8 +6,8 @@ include feedreader.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/feedreader
-noblacklist ${HOME}/.local/share/feedreader
+nodeny  ${HOME}/.cache/feedreader
+nodeny  ${HOME}/.local/share/feedreader
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/feedreader
 mkdir ${HOME}/.local/share/feedreader
-whitelist ${HOME}/.cache/feedreader
-whitelist ${HOME}/.local/share/feedreader
-whitelist /usr/share/feedreader
+allow  ${HOME}/.cache/feedreader
+allow  ${HOME}/.local/share/feedreader
+allow  /usr/share/feedreader
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index a2372ec8a..f60055f37 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -7,10 +7,10 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.cache/Ferdi
-noblacklist ${HOME}/.config/Ferdi
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.cache/Ferdi
+nodeny  ${HOME}/.config/Ferdi
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,11 +22,11 @@ mkdir ${HOME}/.cache/Ferdi
 mkdir ${HOME}/.config/Ferdi
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/Ferdi
-whitelist ${HOME}/.config/Ferdi
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/Ferdi
+allow  ${HOME}/.config/Ferdi
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
index 7358ed5c7..1e06ec29a 100644
--- a/etc/profile-a-l/fetchmail.profile
+++ b/etc/profile-a-l/fetchmail.profile
@@ -6,8 +6,8 @@ include fetchmail.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.fetchmailrc
-noblacklist ${HOME}/.netrc
+nodeny  ${HOME}/.fetchmailrc
+nodeny  ${HOME}/.netrc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index 13ef1beb9..1a64183ab 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -7,8 +7,8 @@ include ffmpeg.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/devedeng
-whitelist /usr/share/ffmpeg
-whitelist /usr/share/qtchooser
+allow  /usr/share/devedeng
+allow  /usr/share/ffmpeg
+allow  /usr/share/qtchooser
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 0b8a8cd6c..f7a938f24 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -13,7 +13,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/file-roller
+allow  /usr/libexec/file-roller
+allow  /usr/libexec/p7zip
+allow  /usr/share/file-roller
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index 5c7583605..426d1e72d 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -7,7 +7,7 @@ include file.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index dc5def54f..d9e0e9da0 100644
--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -6,8 +6,8 @@ include filezilla.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/filezilla
-noblacklist ${HOME}/.filezilla
+nodeny  ${HOME}/.config/filezilla
+nodeny  ${HOME}/.filezilla
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile
index 77487161e..e22424794 100644
--- a/etc/profile-a-l/firedragon.profile
+++ b/etc/profile-a-l/firedragon.profile
@@ -6,13 +6,13 @@ include firedragon.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/firedragon
-noblacklist ${HOME}/.firedragon
+nodeny  ${HOME}/.cache/firedragon
+nodeny  ${HOME}/.firedragon
 
 mkdir ${HOME}/.cache/firedragon
 mkdir ${HOME}/.firedragon
-whitelist ${HOME}/.cache/firedragon
-whitelist ${HOME}/.firedragon
+allow  ${HOME}/.cache/firedragon
+allow  ${HOME}/.firedragon
 
 # Add the next lines to your firedragon.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index d282f9a60..7e2e8760d 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -5,74 +5,74 @@ include firefox-common-addons.local
 ignore include whitelist-runuser-common.inc
 ignore private-cache
 
-noblacklist ${HOME}/.cache/youtube-dl
-noblacklist ${HOME}/.config/kgetrc
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.kde/share/apps/kget
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/kgetrc
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/kget
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/kgetrc
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-noblacklist ${HOME}/.local/share/kget
-noblacklist ${HOME}/.local/share/kxmlgui5/okular
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/qpdfview
-noblacklist ${HOME}/.netrc
+nodeny  ${HOME}/.cache/youtube-dl
+nodeny  ${HOME}/.config/kgetrc
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.config/okularpartrc
+nodeny  ${HOME}/.config/okularrc
+nodeny  ${HOME}/.config/qpdfview
+nodeny  ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.kde/share/apps/kget
+nodeny  ${HOME}/.kde/share/apps/okular
+nodeny  ${HOME}/.kde/share/config/kgetrc
+nodeny  ${HOME}/.kde/share/config/okularpartrc
+nodeny  ${HOME}/.kde/share/config/okularrc
+nodeny  ${HOME}/.kde4/share/apps/kget
+nodeny  ${HOME}/.kde4/share/apps/okular
+nodeny  ${HOME}/.kde4/share/config/kgetrc
+nodeny  ${HOME}/.kde4/share/config/okularpartrc
+nodeny  ${HOME}/.kde4/share/config/okularrc
+nodeny  ${HOME}/.local/share/kget
+nodeny  ${HOME}/.local/share/kxmlgui5/okular
+nodeny  ${HOME}/.local/share/okular
+nodeny  ${HOME}/.local/share/qpdfview
+nodeny  ${HOME}/.netrc
 
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/kgetrc
-whitelist ${HOME}/.config/mpv
-whitelist ${HOME}/.config/okularpartrc
-whitelist ${HOME}/.config/okularrc
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.config/qpdfview
-whitelist ${HOME}/.config/youtube-dl
-whitelist ${HOME}/.kde/share/apps/kget
-whitelist ${HOME}/.kde/share/apps/okular
-whitelist ${HOME}/.kde/share/config/kgetrc
-whitelist ${HOME}/.kde/share/config/okularpartrc
-whitelist ${HOME}/.kde/share/config/okularrc
-whitelist ${HOME}/.kde4/share/apps/kget
-whitelist ${HOME}/.kde4/share/apps/okular
-whitelist ${HOME}/.kde4/share/config/kgetrc
-whitelist ${HOME}/.kde4/share/config/okularpartrc
-whitelist ${HOME}/.kde4/share/config/okularrc
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/kget
-whitelist ${HOME}/.local/share/kxmlgui5/okular
-whitelist ${HOME}/.local/share/okular
-whitelist ${HOME}/.local/share/qpdfview
-whitelist ${HOME}/.local/share/tridactyl
-whitelist ${HOME}/.netrc
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.tridactylrc
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
-whitelist /usr/share/lua
-whitelist /usr/share/lua*
-whitelist /usr/share/vulkan
+allow  ${HOME}/.cache/gnome-mplayer/plugin
+allow  ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+allow  ${HOME}/.config/gnome-mplayer
+allow  ${HOME}/.config/kgetrc
+allow  ${HOME}/.config/mpv
+allow  ${HOME}/.config/okularpartrc
+allow  ${HOME}/.config/okularrc
+allow  ${HOME}/.config/pipelight-silverlight5.1
+allow  ${HOME}/.config/pipelight-widevine
+allow  ${HOME}/.config/qpdfview
+allow  ${HOME}/.config/youtube-dl
+allow  ${HOME}/.kde/share/apps/kget
+allow  ${HOME}/.kde/share/apps/okular
+allow  ${HOME}/.kde/share/config/kgetrc
+allow  ${HOME}/.kde/share/config/okularpartrc
+allow  ${HOME}/.kde/share/config/okularrc
+allow  ${HOME}/.kde4/share/apps/kget
+allow  ${HOME}/.kde4/share/apps/okular
+allow  ${HOME}/.kde4/share/config/kgetrc
+allow  ${HOME}/.kde4/share/config/okularpartrc
+allow  ${HOME}/.kde4/share/config/okularrc
+allow  ${HOME}/.keysnail.js
+allow  ${HOME}/.lastpass
+allow  ${HOME}/.local/share/kget
+allow  ${HOME}/.local/share/kxmlgui5/okular
+allow  ${HOME}/.local/share/okular
+allow  ${HOME}/.local/share/qpdfview
+allow  ${HOME}/.local/share/tridactyl
+allow  ${HOME}/.netrc
+allow  ${HOME}/.pentadactyl
+allow  ${HOME}/.pentadactylrc
+allow  ${HOME}/.tridactylrc
+allow  ${HOME}/.vimperator
+allow  ${HOME}/.vimperatorrc
+allow  ${HOME}/.wine-pipelight
+allow  ${HOME}/.wine-pipelight64
+allow  ${HOME}/.zotero
+allow  ${HOME}/dwhelper
+allow  /usr/share/lua
+allow  /usr/share/lua*
+allow  /usr/share/vulkan
 
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python
-noblacklist ${HOME}/.local/share/gnome-shell
-whitelist ${HOME}/.local/share/gnome-shell
+nodeny  ${HOME}/.local/share/gnome-shell
+allow  ${HOME}/.local/share/gnome-shell
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gnome.ChromeGnomeShell
 dbus-user.talk org.gnome.Shell
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 8b74ed979..cb0fae5dc 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -12,8 +12,8 @@ include firefox-common.local
 # Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
 #include firefox-common-addons.profile
 
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,9 +23,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/firefox-esr.profile b/etc/profile-a-l/firefox-esr.profile
index 5e69fdb51..4fd315fdf 100644
--- a/etc/profile-a-l/firefox-esr.profile
+++ b/etc/profile-a-l/firefox-esr.profile
@@ -6,7 +6,7 @@ include firefox-esr.local
 # added by included profile
 #include globals.local
 
-whitelist /usr/share/firefox-esr
+allow  /usr/share/firefox-esr
 
 # Redirect
 include firefox.profile
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index b22a78458..8acfe7c2a 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,25 +14,27 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
-noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/mozilla
+nodeny  ${HOME}/.mozilla
+
+deny  /usr/libexec
 
 mkdir ${HOME}/.cache/mozilla/firefox
 mkdir ${HOME}/.mozilla
-whitelist ${HOME}/.cache/mozilla/firefox
-whitelist ${HOME}/.mozilla
+allow  ${HOME}/.cache/mozilla/firefox
+allow  ${HOME}/.mozilla
 
 # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
 # NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
-whitelist /usr/share/doc
-whitelist /usr/share/firefox
-whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
-whitelist /usr/share/gtk-doc/html
-whitelist /usr/share/mozilla
-whitelist /usr/share/webext
+allow  /usr/share/doc
+allow  /usr/share/firefox
+allow  /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
+allow  /usr/share/gtk-doc/html
+allow  /usr/share/mozilla
+allow  /usr/share/webext
 include whitelist-usr-share-common.inc
 
 # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
@@ -54,8 +56,9 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next two lines to your firefox.local to allow screen sharing under wayland.
+# Add the next three lines to your firefox.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).
diff --git a/etc/profile-a-l/five-or-more.profile b/etc/profile-a-l/five-or-more.profile
index 2c86d3ac7..bd1becaf0 100644
--- a/etc/profile-a-l/five-or-more.profile
+++ b/etc/profile-a-l/five-or-more.profile
@@ -6,12 +6,12 @@ include five-or-more.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/five-or-more
+nodeny  ${HOME}/.local/share/five-or-more
 
 mkdir ${HOME}/.local/share/five-or-more
-whitelist ${HOME}/.local/share/five-or-more
+allow  ${HOME}/.local/share/five-or-more
 
-whitelist /usr/share/five-or-more
+allow  /usr/share/five-or-more
 
 private-bin five-or-more
 
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 55af96c84..f16a65536 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -7,9 +7,9 @@ include flameshot.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
-noblacklist ${HOME}/.config/Dharkael
-noblacklist ${HOME}/.config/flameshot
+nodeny  ${PICTURES}
+nodeny  ${HOME}/.config/Dharkael
+nodeny  ${HOME}/.config/flameshot
 
 include disable-common.inc
 include disable-devel.inc
@@ -25,7 +25,7 @@ include disable-xdg.inc
 #whitelist ${PICTURES}
 #whitelist ${HOME}/.config/Dharkael
 #whitelist ${HOME}/.config/flameshot
-whitelist /usr/share/flameshot
+allow  /usr/share/flameshot
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index 310fb378f..af114e129 100644
--- a/etc/profile-a-l/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/slimjet
-noblacklist ${HOME}/.config/slimjet
+nodeny  ${HOME}/.cache/slimjet
+nodeny  ${HOME}/.config/slimjet
 
 mkdir ${HOME}/.cache/slimjet
 mkdir ${HOME}/.config/slimjet
-whitelist ${HOME}/.cache/slimjet
-whitelist ${HOME}/.config/slimjet
+allow  ${HOME}/.cache/slimjet
+allow  ${HOME}/.config/slimjet
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile
index a4421e3ce..505763fb9 100644
--- a/etc/profile-a-l/flowblade.profile
+++ b/etc/profile-a-l/flowblade.profile
@@ -6,8 +6,8 @@ include flowblade.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/flowblade
-noblacklist ${HOME}/.flowblade
+nodeny  ${HOME}/.config/flowblade
+nodeny  ${HOME}/.flowblade
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
index 1210f365c..a22c0e103 100644
--- a/etc/profile-a-l/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
@@ -7,7 +7,7 @@ include fluxbox.local
 include globals.local
 
 # all applications started in fluxbox will run in this profile
-noblacklist ${HOME}/.fluxbox
+nodeny  ${HOME}/.fluxbox
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index cd0129436..ff9167c1a 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -6,8 +6,8 @@ include font-manager.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/font-manager
-noblacklist ${HOME}/.config/font-manager
+nodeny  ${HOME}/.cache/font-manager
+nodeny  ${HOME}/.config/font-manager
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -24,9 +24,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/font-manager
 mkdir ${HOME}/.config/font-manager
-whitelist ${HOME}/.cache/font-manager
-whitelist ${HOME}/.config/font-manager
-whitelist /usr/share/font-manager
+allow  ${HOME}/.cache/font-manager
+allow  ${HOME}/.config/font-manager
+allow  /usr/share/font-manager
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile
index bd1495877..64c7655e2 100644
--- a/etc/profile-a-l/fontforge.profile
+++ b/etc/profile-a-l/fontforge.profile
@@ -6,8 +6,8 @@ include fontforge.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.FontForge
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.FontForge
+nodeny  ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/fossamail.profile b/etc/profile-a-l/fossamail.profile
index 2d700d336..5e5a12794 100644
--- a/etc/profile-a-l/fossamail.profile
+++ b/etc/profile-a-l/fossamail.profile
@@ -6,16 +6,16 @@ include fossamail.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/fossamail
-noblacklist ${HOME}/.fossamail
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.cache/fossamail
+nodeny  ${HOME}/.fossamail
+nodeny  ${HOME}/.gnupg
 
 mkdir ${HOME}/.cache/fossamail
 mkdir ${HOME}/.fossamail
 mkdir ${HOME}/.gnupg
-whitelist ${HOME}/.cache/fossamail
-whitelist ${HOME}/.fossamail
-whitelist ${HOME}/.gnupg
+allow  ${HOME}/.cache/fossamail
+allow  ${HOME}/.fossamail
+allow  ${HOME}/.gnupg
 include whitelist-common.inc
 
 # allow browsers
diff --git a/etc/profile-a-l/four-in-a-row.profile b/etc/profile-a-l/four-in-a-row.profile
index eb0c43ca5..97fd4a626 100644
--- a/etc/profile-a-l/four-in-a-row.profile
+++ b/etc/profile-a-l/four-in-a-row.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore machine-id
 ignore nosound
 
-whitelist /usr/share/four-in-a-row
+allow  /usr/share/four-in-a-row
 
 private-bin four-in-a-row
 
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index 1b1d031b4..8edc9b02d 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -6,7 +6,7 @@ include fractal.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/fractal
+nodeny  ${HOME}/.cache/fractal
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/fractal
-whitelist ${HOME}/.cache/fractal
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/fractal
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index 9b780a572..1a8ec8f99 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -7,10 +7,10 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.cache/Franz
-noblacklist ${HOME}/.config/Franz
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.cache/Franz
+nodeny  ${HOME}/.config/Franz
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,11 +22,11 @@ mkdir ${HOME}/.cache/Franz
 mkdir ${HOME}/.config/Franz
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/Franz
-whitelist ${HOME}/.config/Franz
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/Franz
+allow  ${HOME}/.config/Franz
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile
index 8043d0530..a45ad4c7a 100644
--- a/etc/profile-a-l/freecad.profile
+++ b/etc/profile-a-l/freecad.profile
@@ -6,8 +6,8 @@ include freecad.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/FreeCAD
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/FreeCAD
+nodeny  ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile
index 23c19682c..20abd4056 100644
--- a/etc/profile-a-l/freeciv.profile
+++ b/etc/profile-a-l/freeciv.profile
@@ -6,7 +6,7 @@ include freeciv.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.freeciv
+nodeny  ${HOME}/.freeciv
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.freeciv
-whitelist ${HOME}/.freeciv
+allow  ${HOME}/.freeciv
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile
index 93fa7da03..79ccf4101 100644
--- a/etc/profile-a-l/freecol.profile
+++ b/etc/profile-a-l/freecol.profile
@@ -6,10 +6,10 @@ include freecol.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.freecol
-noblacklist ${HOME}/.cache/freecol
-noblacklist ${HOME}/.config/freecol
-noblacklist ${HOME}/.local/share/freecol
+nodeny  ${HOME}/.freecol
+nodeny  ${HOME}/.cache/freecol
+nodeny  ${HOME}/.config/freecol
+nodeny  ${HOME}/.local/share/freecol
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -26,11 +26,11 @@ mkdir ${HOME}/.java
 mkdir ${HOME}/.cache/freecol
 mkdir ${HOME}/.config/freecol
 mkdir ${HOME}/.local/share/freecol
-whitelist ${HOME}/.freecol
-whitelist ${HOME}/.java
-whitelist ${HOME}/.cache/freecol
-whitelist ${HOME}/.config/freecol
-whitelist ${HOME}/.local/share/freecol
+allow  ${HOME}/.freecol
+allow  ${HOME}/.java
+allow  ${HOME}/.cache/freecol
+allow  ${HOME}/.config/freecol
+allow  ${HOME}/.local/share/freecol
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index 699177039..ba52dd208 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -6,8 +6,8 @@ include freemind.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.freemind
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.freemind
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index e6aff533d..4c321322c 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -6,12 +6,12 @@ include freetube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/FreeTube
+nodeny  ${HOME}/.config/FreeTube
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/FreeTube
-whitelist ${HOME}/.config/FreeTube
+allow  ${HOME}/.config/FreeTube
 
 private-bin freetube
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index fa56d2b2d..3a6dfcfd6 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -6,7 +6,7 @@ include frogatto.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.frogatto
+nodeny  ${HOME}/.frogatto
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.frogatto
-whitelist ${HOME}/.frogatto
-whitelist /usr/share/frogatto
+allow  ${HOME}/.frogatto
+allow  /usr/libexec/frogatto
+allow  /usr/share/frogatto
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index 76352e41e..12eca8eb0 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -6,7 +6,7 @@ include frozen-bubble.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.frozen-bubble
+nodeny  ${HOME}/.frozen-bubble
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -20,7 +20,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.frozen-bubble
-whitelist ${HOME}/.frozen-bubble
+allow  ${HOME}/.frozen-bubble
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
new file mode 100644
index 000000000..07030df4b
--- /dev/null
+++ b/etc/profile-a-l/funnyboat.profile
@@ -0,0 +1,57 @@
+# Firejail profile for funnyboat
+# This file is overwritten after every install/update
+# Persistent local customizations
+include funnyboat.local
+# Persistent global definitions
+include globals.local
+
+nodeny  ${HOME}/.funnyboat
+
+ignore noexec /dev/shm
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.funnyboat
+allow  ${HOME}/.funnyboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+allow  /usr/share/funnyboat
+# Debian:
+allow  /usr/share/games/funnyboat
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+# tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index ed3f0357d..4cd2cb1e6 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -6,10 +6,10 @@ include gajim.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.cache/gajim
-noblacklist ${HOME}/.config/gajim
-noblacklist ${HOME}/.local/share/gajim
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.cache/gajim
+nodeny  ${HOME}/.config/gajim
+nodeny  ${HOME}/.local/share/gajim
 
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -28,14 +28,14 @@ mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.config/gajim
 mkdir ${HOME}/.local/share/gajim
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.cache/gajim
-whitelist ${HOME}/.config/gajim
-whitelist ${HOME}/.local/share/gajim
-whitelist ${DOWNLOADS}
-whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.cache/gajim
+allow  ${HOME}/.config/gajim
+allow  ${HOME}/.local/share/gajim
+allow  ${DOWNLOADS}
+allow  ${RUNUSER}/gnupg
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 550b3808b..0b1b595a6 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -6,7 +6,7 @@ include galculator.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/galculator
+nodeny  ${HOME}/.config/galculator
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/galculator
-whitelist ${HOME}/.config/galculator
+allow  ${HOME}/.config/galculator
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index f2da60c87..00b830234 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -6,7 +6,8 @@ include gapplication.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 388f4c0df..896a100fc 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -8,9 +8,9 @@ include globals.local
 # noexec ${HOME} will break user-local installs of gcloud tooling
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.boto
-noblacklist ${HOME}/.config/gcloud
-noblacklist /var/run/docker.sock
+nodeny  ${HOME}/.boto
+nodeny  ${HOME}/.config/gcloud
+nodeny  /var/run/docker.sock
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gconf-editor.profile b/etc/profile-a-l/gconf-editor.profile
index cb39174e5..8f72f0b34 100644
--- a/etc/profile-a-l/gconf-editor.profile
+++ b/etc/profile-a-l/gconf-editor.profile
@@ -7,9 +7,9 @@ include gconf-editor.local
 # added by included profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
+deny  /tmp/.X11-unix
 
-whitelist /usr/share/gconf-editor
+allow  /usr/share/gconf-editor
 
 ignore x11 none
 
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index fec1a555a..8c7013574 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -6,9 +6,9 @@ include gconf.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.config/gconf
+nodeny  ${HOME}/.config/gconf
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -23,9 +23,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/gconf
-whitelist ${HOME}/.config/gconf
-whitelist /usr/share/GConf
-whitelist /usr/share/gconf
+allow  ${HOME}/.config/gconf
+allow  /usr/share/GConf
+allow  /usr/share/gconf
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile
index 6fdb9b37a..706a85c75 100644
--- a/etc/profile-a-l/geany.profile
+++ b/etc/profile-a-l/geany.profile
@@ -6,7 +6,7 @@ include geany.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/geany
+nodeny  ${HOME}/.config/geany
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index 74e135a7c..512fc1e59 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -6,14 +6,14 @@ include geary.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/evolution
-noblacklist ${HOME}/.cache/folks
-noblacklist ${HOME}/.cache/geary
-noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.config/geary
-noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.local/share/geary
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/evolution
+nodeny  ${HOME}/.cache/folks
+nodeny  ${HOME}/.cache/geary
+nodeny  ${HOME}/.config/evolution
+nodeny  ${HOME}/.config/geary
+nodeny  ${HOME}/.local/share/evolution
+nodeny  ${HOME}/.local/share/geary
+nodeny  ${HOME}/.mozilla
 
 include disable-common.inc
 include disable-devel.inc
@@ -31,16 +31,16 @@ mkdir ${HOME}/.config/evolution
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/evolution
 mkdir ${HOME}/.local/share/geary
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/evolution
-whitelist ${HOME}/.cache/folks
-whitelist ${HOME}/.cache/geary
-whitelist ${HOME}/.config/evolution
-whitelist ${HOME}/.config/geary
-whitelist ${HOME}/.local/share/evolution
-whitelist ${HOME}/.local/share/geary
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist /usr/share/geary
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/evolution
+allow  ${HOME}/.cache/folks
+allow  ${HOME}/.cache/geary
+allow  ${HOME}/.config/evolution
+allow  ${HOME}/.config/geary
+allow  ${HOME}/.local/share/evolution
+allow  ${HOME}/.local/share/geary
+allow  ${HOME}/.mozilla/firefox/profiles.ini
+allow  /usr/share/geary
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 108b7041d..f11540374 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -6,8 +6,8 @@ include gedit.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/enchant
-noblacklist ${HOME}/.config/gedit
+nodeny  ${HOME}/.config/enchant
+nodeny  ${HOME}/.config/gedit
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index dd33b3fb5..8ec3bbaf9 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -6,9 +6,9 @@ include geeqie.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/geeqie
-noblacklist ${HOME}/.config/geeqie
-noblacklist ${HOME}/.local/share/geeqie
+nodeny  ${HOME}/.cache/geeqie
+nodeny  ${HOME}/.config/geeqie
+nodeny  ${HOME}/.local/share/geeqie
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 7ec8ba810..1661da639 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -6,10 +6,10 @@ include gfeeds.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/gfeeds
-noblacklist ${HOME}/.cache/org.gabmus.gfeeds
-noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
-noblacklist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+nodeny  ${HOME}/.cache/gfeeds
+nodeny  ${HOME}/.cache/org.gabmus.gfeeds
+nodeny  ${HOME}/.config/org.gabmus.gfeeds.json
+nodeny  ${HOME}/.config/org.gabmus.gfeeds.saved_articles
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -27,11 +27,12 @@ mkdir ${HOME}/.cache/gfeeds
 mkdir ${HOME}/.cache/org.gabmus.gfeeds
 mkfile ${HOME}/.config/org.gabmus.gfeeds.json
 mkdir ${HOME}/.config/org.gabmus.gfeeds.saved_articles
-whitelist ${HOME}/.cache/gfeeds
-whitelist ${HOME}/.cache/org.gabmus.gfeeds
-whitelist ${HOME}/.config/org.gabmus.gfeeds.json
-whitelist ${HOME}/.config/org.gabmus.gfeeds.saved_articles
-whitelist /usr/share/gfeeds
+allow  ${HOME}/.cache/gfeeds
+allow  ${HOME}/.cache/org.gabmus.gfeeds
+allow  ${HOME}/.config/org.gabmus.gfeeds.json
+allow  ${HOME}/.config/org.gabmus.gfeeds.saved_articles
+allow  /usr/libexec/webkit2gtk-4.0
+allow  /usr/share/gfeeds
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index d9c5a0d9a..06929dbe3 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -7,8 +7,8 @@ include gget.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 276ab76df..0577fe24f 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -6,10 +6,10 @@ include ghostwriter.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ghostwriter
-noblacklist ${HOME}/.local/share/ghostwriter
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/ghostwriter
+nodeny  ${HOME}/.local/share/ghostwriter
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include allow-lua.inc
 
@@ -22,10 +22,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/ghostwriter
-whitelist /usr/share/mozilla-dicts
-whitelist /usr/share/texlive
-whitelist /usr/share/pandoc*
+allow  /usr/share/ghostwriter
+allow  /usr/share/mozilla-dicts
+allow  /usr/share/texlive
+allow  /usr/share/pandoc*
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index dfc1304d1..de9db8d0f 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -18,13 +18,13 @@ include globals.local
 # If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/babl
-noblacklist ${HOME}/.cache/gegl-0.4
-noblacklist ${HOME}/.cache/gimp
-noblacklist ${HOME}/.config/GIMP
-noblacklist ${HOME}/.gimp*
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.cache/babl
+nodeny  ${HOME}/.cache/gegl-0.4
+nodeny  ${HOME}/.cache/gimp
+nodeny  ${HOME}/.config/GIMP
+nodeny  ${HOME}/.gimp*
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-exec.inc
@@ -33,10 +33,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gegl-0.4
-whitelist /usr/share/gimp
-whitelist /usr/share/mypaint-data
-whitelist /usr/share/lensfun
+allow  /usr/share/gegl-0.4
+allow  /usr/share/gimp
+allow  /usr/share/mypaint-data
+allow  /usr/share/lensfun
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index 661c3a375..e601d3ab0 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -7,10 +7,10 @@ include gist.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.gist
+nodeny  ${HOME}/.gist
 
 # Allow ruby (blacklisted by disable-interpreters.inc)
 include allow-ruby.inc
@@ -24,8 +24,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gist
-whitelist ${HOME}/.gist
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.gist
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 5e4249376..74b7506cf 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -8,12 +8,12 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.subversion
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.config/git-cola
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.subversion
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.config/git-cola
 # Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings.
 #noblacklist ${HOME}/
 
@@ -32,17 +32,17 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/gnupg
-whitelist ${RUNUSER}/keyring
+allow  ${RUNUSER}/gnupg
+allow  ${RUNUSER}/keyring
 # Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer.
-whitelist /usr/share/git
-whitelist /usr/share/git-cola
-whitelist /usr/share/git-core
-whitelist /usr/share/git-gui
-whitelist /usr/share/gitk
-whitelist /usr/share/gitweb
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  /usr/share/git
+allow  /usr/share/git-cola
+allow  /usr/share/git-core
+allow  /usr/share/git-gui
+allow  /usr/share/gitk
+allow  /usr/share/gitweb
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index bfa0081c6..680e91085 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -7,33 +7,33 @@ include git.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.emacs
-noblacklist ${HOME}/.emacs.d
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.vim
-noblacklist ${HOME}/.viminfo
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.config/nano
+nodeny  ${HOME}/.emacs
+nodeny  ${HOME}/.emacs.d
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.nanorc
+nodeny  ${HOME}/.vim
+nodeny  ${HOME}/.viminfo
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/git
-whitelist /usr/share/git-core
-whitelist /usr/share/gitgui
-whitelist /usr/share/gitweb
-whitelist /usr/share/nano
+allow  /usr/share/git
+allow  /usr/share/git-core
+allow  /usr/share/gitgui
+allow  /usr/share/gitweb
+allow  /usr/share/nano
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 05d7dffa9..d313b5022 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -6,10 +6,10 @@ include gitg.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.local/share/gitg
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
+nodeny  ${HOME}/.local/share/gitg
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
@@ -29,7 +29,7 @@ include disable-programs.inc
 #whitelist ${HOME}/.ssh
 #include whitelist-common.inc
 
-whitelist /usr/share/gitg
+allow  /usr/share/gitg
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/github-desktop.profile b/etc/profile-a-l/github-desktop.profile
index 325c54ced..81b534a74 100644
--- a/etc/profile-a-l/github-desktop.profile
+++ b/etc/profile-a-l/github-desktop.profile
@@ -22,10 +22,10 @@ ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/GitHub Desktop
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
+nodeny  ${HOME}/.config/GitHub Desktop
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
 
 # no3d
 nosound
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 460e2b990..2d1694ef7 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -5,8 +5,8 @@ include gitter.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
-noblacklist ${HOME}/.config/Gitter
+nodeny  ${HOME}/.config/autostart
+nodeny  ${HOME}/.config/Gitter
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.config/Gitter
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/autostart
-whitelist ${HOME}/.config/Gitter
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/autostart
+allow  ${HOME}/.config/Gitter
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index ed68b3c2d..e00bb1dbf 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -8,10 +8,10 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.cache/libgweather
-noblacklist ${HOME}/.cache/org.gnome.Books
-noblacklist ${HOME}/.config/libreoffice
-noblacklist ${HOME}/.local/share/gnome-photos
+nodeny  ${HOME}/.cache/libgweather
+nodeny  ${HOME}/.cache/org.gnome.Books
+nodeny  ${HOME}/.config/libreoffice
+nodeny  ${HOME}/.local/share/gnome-photos
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index c8cefc67e..a3236c2be 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -6,7 +6,7 @@ include gl-117.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gl-117
+nodeny  ${HOME}/.gl-117
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gl-117
-whitelist ${HOME}/.gl-117
-whitelist /usr/share/gl-117
+allow  ${HOME}/.gl-117
+allow  /usr/share/gl-117
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index ee7af0546..ec894a5f3 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -6,7 +6,7 @@ include glaxium.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.glaxiumrc
+nodeny  ${HOME}/.glaxiumrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.glaxiumrc
-whitelist ${HOME}/.glaxiumrc
-whitelist /usr/share/glaxium
+allow  ${HOME}/.glaxiumrc
+allow  /usr/share/glaxium
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile
index 14b3ef811..e091b811f 100644
--- a/etc/profile-a-l/globaltime.profile
+++ b/etc/profile-a-l/globaltime.profile
@@ -5,7 +5,7 @@ include globaltime.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/globaltime
+nodeny  ${HOME}/.config/globaltime
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index b3aad8b2c..79397d28f 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -6,8 +6,8 @@ include gmpc.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gmpc
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/gmpc
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/gmpc
-whitelist ${HOME}/.config/gmpc
-whitelist ${MUSIC}
-whitelist /usr/share/gmpc
+allow  ${HOME}/.config/gmpc
+allow  ${MUSIC}
+allow  /usr/share/gmpc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-2048.profile b/etc/profile-a-l/gnome-2048.profile
index 777c81dbe..c723f6e46 100644
--- a/etc/profile-a-l/gnome-2048.profile
+++ b/etc/profile-a-l/gnome-2048.profile
@@ -6,10 +6,10 @@ include gnome-2048.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-2048
+nodeny  ${HOME}/.local/share/gnome-2048
 
 mkdir ${HOME}/.local/share/gnome-2048
-whitelist ${HOME}/.local/share/gnome-2048
+allow  ${HOME}/.local/share/gnome-2048
 
 private-bin gnome-2048
 
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 34a7f557c..2ed5fa76b 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -7,8 +7,8 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.cache/org.gnome.Books
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/org.gnome.Books
+nodeny  ${DOCUMENTS}
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index 37ca5aeff..7dd1c6e22 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -6,11 +6,11 @@ include gnome-builder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.bash_history
+nodeny  ${HOME}/.bash_history
 
-noblacklist ${HOME}/.cache/gnome-builder
-noblacklist ${HOME}/.config/gnome-builder
-noblacklist ${HOME}/.local/share/gnome-builder
+nodeny  ${HOME}/.cache/gnome-builder
+nodeny  ${HOME}/.config/gnome-builder
+nodeny  ${HOME}/.local/share/gnome-builder
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index eaf25b177..d91fbaa4b 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/libgweather
+allow  /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -46,7 +46,7 @@ private
 private-bin gnome-calendar
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,nsswitch.conf,pki,resolv.conf,ssl
+private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 741fe9bf7..806d7e571 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/org.gnome.Characters
+allow  /usr/share/org.gnome.Characters
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index bd39f625c..095210565 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -6,8 +6,8 @@ include gnome-chess.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gnome-chess
-noblacklist ${HOME}/.local/share/gnome-chess
+nodeny  ${HOME}/.config/gnome-chess
+nodeny  ${HOME}/.local/share/gnome-chess
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 #whitelist ${HOME}/.local/share/gnome-chess
 #include whitelist-common.inc
 
-whitelist /usr/share/gnuchess
-whitelist /usr/share/gnome-chess
+allow  /usr/share/gnuchess
+allow  /usr/share/gnome-chess
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 1e7c70b84..7e2d458fd 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -15,8 +15,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gnome-clocks
-whitelist /usr/share/libgweather
+allow  /usr/share/gnome-clocks
+allow  /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index dcc6163b6..7902fa169 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -6,7 +6,7 @@ include gnome-contacts.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
index 29ad67af8..0f601149f 100644
--- a/etc/profile-a-l/gnome-documents.profile
+++ b/etc/profile-a-l/gnome-documents.profile
@@ -8,8 +8,8 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.config/libreoffice
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/libreoffice
+nodeny  ${DOCUMENTS}
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 2db956faf..50c3e2c6f 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -16,7 +16,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist /usr/share/gnome-hexgl
+allow  /usr/share/gnome-hexgl
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 25b4c47de..62a5a34ea 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -7,7 +7,7 @@ include gnome-keyring.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,12 +18,12 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
-whitelist ${HOME}/.gnupg
-whitelist ${DOWNLOADS}
-whitelist ${RUNUSER}/gnupg
-whitelist ${RUNUSER}/keyring
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  ${HOME}/.gnupg
+allow  ${DOWNLOADS}
+allow  ${RUNUSER}/gnupg
+allow  ${RUNUSER}/keyring
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-klotski.profile b/etc/profile-a-l/gnome-klotski.profile
index c67a5c0da..ed074f944 100644
--- a/etc/profile-a-l/gnome-klotski.profile
+++ b/etc/profile-a-l/gnome-klotski.profile
@@ -6,10 +6,10 @@ include gnome-klotski.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-klotski
+nodeny  ${HOME}/.local/share/gnome-klotski
 
 mkdir ${HOME}/.local/share/gnome-klotski
-whitelist ${HOME}/.local/share/gnome-klotski
+allow  ${HOME}/.local/share/gnome-klotski
 
 private-bin gnome-klotski
 
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 1a7eafeca..4a03a7ff5 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -6,8 +6,8 @@ include gnome-latex.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gnome-latex
-noblacklist ${HOME}/.local/share/gnome-latex
+nodeny  ${HOME}/.config/gnome-latex
+nodeny  ${HOME}/.local/share/gnome-latex
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -19,8 +19,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/gnome-latex
-whitelist /usr/share/texlive
+allow  /usr/share/gnome-latex
+allow  /usr/share/texlive
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 9d2ea7b7b..fcc02dc76 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /var/log/journal
+allow  /var/log/journal
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-mahjongg.profile b/etc/profile-a-l/gnome-mahjongg.profile
index 42409dce8..e21f03efe 100644
--- a/etc/profile-a-l/gnome-mahjongg.profile
+++ b/etc/profile-a-l/gnome-mahjongg.profile
@@ -6,7 +6,7 @@ include gnome-mahjongg.local
 # Persistent global definitions
 include globals.local
 
-whitelist /usr/share/gnome-mahjongg
+allow  /usr/share/gnome-mahjongg
 
 private-bin gnome-mahjongg
 
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index cf2ac2f75..cf4eceee3 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -11,13 +11,15 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.cache/champlain
-noblacklist ${HOME}/.cache/org.gnome.Maps
-noblacklist ${HOME}/.local/share/maps-places.json
+nodeny  ${HOME}/.cache/champlain
+nodeny  ${HOME}/.cache/org.gnome.Maps
+nodeny  ${HOME}/.local/share/maps-places.json
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
 
+deny  /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -29,12 +31,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/champlain
 mkfile ${HOME}/.local/share/maps-places.json
-whitelist ${HOME}/.cache/champlain
-whitelist ${HOME}/.local/share/maps-places.json
-whitelist ${DOWNLOADS}
-whitelist ${PICTURES}
-whitelist /usr/share/gnome-maps
-whitelist /usr/share/libgweather
+allow  ${HOME}/.cache/champlain
+allow  ${HOME}/.local/share/maps-places.json
+allow  ${DOWNLOADS}
+allow  ${PICTURES}
+allow  /usr/share/gnome-maps
+allow  /usr/share/libgweather
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-mines.profile b/etc/profile-a-l/gnome-mines.profile
index 4fe8986c2..1b2949bc5 100644
--- a/etc/profile-a-l/gnome-mines.profile
+++ b/etc/profile-a-l/gnome-mines.profile
@@ -6,11 +6,11 @@ include gnome-mines.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-mines
+nodeny  ${HOME}/.local/share/gnome-mines
 
 mkdir ${HOME}/.local/share/gnome-mines
-whitelist ${HOME}/.local/share/gnome-mines
-whitelist /usr/share/gnome-mines
+allow  ${HOME}/.local/share/gnome-mines
+allow  /usr/share/gnome-mines
 
 private-bin gnome-mines
 
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 43fe71f5e..c1cbc796a 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -6,9 +6,9 @@ include gnome-mplayer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gnome-mplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/gnome-mplayer
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index 2fcbe9910..8fd0826c4 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -6,8 +6,8 @@ include gnome-music.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-music
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.local/share/gnome-music
+nodeny  ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index 814751db3..a929582f8 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -14,7 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gnome-nettool
+allow  /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-nibbles.profile b/etc/profile-a-l/gnome-nibbles.profile
index b22810d34..d4c037a41 100644
--- a/etc/profile-a-l/gnome-nibbles.profile
+++ b/etc/profile-a-l/gnome-nibbles.profile
@@ -9,11 +9,11 @@ include globals.local
 ignore machine-id
 ignore nosound
 
-noblacklist ${HOME}/.local/share/gnome-nibbles
+nodeny  ${HOME}/.local/share/gnome-nibbles
 
 mkdir ${HOME}/.local/share/gnome-nibbles
-whitelist ${HOME}/.local/share/gnome-nibbles
-whitelist /usr/share/gnome-nibbles
+allow  ${HOME}/.local/share/gnome-nibbles
+allow  /usr/share/gnome-nibbles
 
 private-bin gnome-nibbles
 
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index 763d67b92..d2cf828cc 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -6,13 +6,15 @@ include gnome-passwordsafe.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/*.kdb
+nodeny  ${HOME}/*.kdbx
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
+deny  /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -22,8 +24,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/cracklib
-whitelist /usr/share/passwordsafe
+allow  /usr/share/cracklib
+allow  /usr/share/passwordsafe
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 58bf3f349..3702da2c7 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -8,7 +8,7 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.local/share/gnome-photos
+nodeny  ${HOME}/.local/share/gnome-photos
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index 41903b136..e9ae2bcb0 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -6,7 +6,7 @@ include gnome-pie.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gnome-pie
+nodeny  ${HOME}/.config/gnome-pie
 
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index c2ba7556d..bec23910c 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -6,7 +6,7 @@ include gnome-pomodoro.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-pomodoro
+nodeny  ${HOME}/.local/share/gnome-pomodoro
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/gnome-pomodoro
-whitelist ${HOME}/.local/share/gnome-pomodoro
-whitelist /usr/share/gnome-pomodoro
+allow  ${HOME}/.local/share/gnome-pomodoro
+allow  /usr/share/gnome-pomodoro
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 48c98ebe0..5ef33fdd8 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -7,8 +7,8 @@ include gnome-recipes.local
 include globals.local
 
 
-noblacklist ${HOME}/.cache/gnome-recipes
-noblacklist ${HOME}/.local/share/gnome-recipes
+nodeny  ${HOME}/.cache/gnome-recipes
+nodeny  ${HOME}/.local/share/gnome-recipes
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-shell.inc
 
 mkdir ${HOME}/.cache/gnome-recipes
 mkdir ${HOME}/.local/share/gnome-recipes
-whitelist ${HOME}/.cache/gnome-recipes
-whitelist ${HOME}/.local/share/gnome-recipes
-whitelist /usr/share/gnome-recipes
+allow  ${HOME}/.cache/gnome-recipes
+allow  ${HOME}/.local/share/gnome-recipes
+allow  /usr/share/gnome-recipes
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 78ceb9c4f..b34d264f4 100644
--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -5,7 +5,7 @@ include gnome-ring.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-ring
+nodeny  ${HOME}/.local/share/gnome-ring
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-robots.profile b/etc/profile-a-l/gnome-robots.profile
index 8835f2b93..836d4e2b2 100644
--- a/etc/profile-a-l/gnome-robots.profile
+++ b/etc/profile-a-l/gnome-robots.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore machine-id
 ignore nosound
 
-whitelist /usr/share/gnome-robots
+allow  /usr/share/gnome-robots
 
 private-bin gnome-robots
 
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index 69c90b33d..146f8bc4e 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -6,17 +6,17 @@ include gnome-schedule.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnome/gnome-schedule
+nodeny  ${HOME}/.gnome/gnome-schedule
 
 # Needs at and crontab to read/write user cron
-noblacklist ${PATH}/at
-noblacklist ${PATH}/crontab
+nodeny  ${PATH}/at
+nodeny  ${PATH}/crontab
 
 # Needs access to these files/dirs
-noblacklist /etc/cron.allow
-noblacklist /etc/cron.deny
-noblacklist /etc/shadow
-noblacklist /var/spool/cron
+nodeny  /etc/cron.allow
+nodeny  /etc/cron.deny
+nodeny  /etc/shadow
+nodeny  /var/spool/cron
 
 # cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
 # add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality
@@ -34,10 +34,10 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.gnome/gnome-schedule
-whitelist ${HOME}/.gnome/gnome-schedule
-whitelist /usr/share/gnome-schedule
-whitelist /var/spool/atd
-whitelist /var/spool/cron
+allow  ${HOME}/.gnome/gnome-schedule
+allow  /usr/share/gnome-schedule
+allow  /var/spool/atd
+allow  /var/spool/cron
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index b683b6f6c..175549e99 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -6,8 +6,8 @@ include gnome-screenshot.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
-noblacklist ${HOME}/.cache/gnome-screenshot
+nodeny  ${PICTURES}
+nodeny  ${HOME}/.cache/gnome-screenshot
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 34f5fdeff..c2fb14fa4 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -6,8 +6,8 @@ include gnome-sound-recorder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
-noblacklist ${HOME}/.local/share/Trash
+nodeny  ${MUSIC}
+nodeny  ${HOME}/.local/share/Trash
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnome-sudoku.profile b/etc/profile-a-l/gnome-sudoku.profile
index 12fd48a86..3b7835e52 100644
--- a/etc/profile-a-l/gnome-sudoku.profile
+++ b/etc/profile-a-l/gnome-sudoku.profile
@@ -6,10 +6,10 @@ include gnome-sudoku.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/gnome-sudoku
+nodeny  ${HOME}/.local/share/gnome-sudoku
 
 mkdir ${HOME}/.local/share/gnome-sudoku
-whitelist ${HOME}/.local/share/gnome-sudoku
+allow  ${HOME}/.local/share/gnome-sudoku
 
 private-bin gnome-sudoku
 
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 8a818695d..6978f7cab 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /var/log
+allow  /var/log
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gnome-taquin.profile b/etc/profile-a-l/gnome-taquin.profile
index 2341334f7..ac87cf70f 100644
--- a/etc/profile-a-l/gnome-taquin.profile
+++ b/etc/profile-a-l/gnome-taquin.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore machine-id
 ignore nosound
 
-whitelist /usr/share/gnome-taquin
+allow  /usr/share/gnome-taquin
 
 private-bin gnome-taquin
 
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 3b147cd48..092fd58a3 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gnome-todo
+allow  /usr/share/gnome-todo
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
index b8ec195d3..d76872ea6 100644
--- a/etc/profile-a-l/gnome-twitch.profile
+++ b/etc/profile-a-l/gnome-twitch.profile
@@ -6,8 +6,8 @@ include gnome-twitch.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/gnome-twitch
-noblacklist ${HOME}/.local/share/gnome-twitch
+nodeny  ${HOME}/.cache/gnome-twitch
+nodeny  ${HOME}/.local/share/gnome-twitch
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/gnome-twitch
 mkdir ${HOME}/.local/share/gnome-twitch
-whitelist ${HOME}/.cache/gnome-twitch
-whitelist ${HOME}/.local/share/gnome-twitch
+allow  ${HOME}/.cache/gnome-twitch
+allow  ${HOME}/.local/share/gnome-twitch
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index 2e08fa41d..6f557ff8d 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -8,7 +8,7 @@ include globals.local
 
 # when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 
-noblacklist ${HOME}/.cache/libgweather
+nodeny  ${HOME}/.cache/libgweather
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
 include allow-gjs.inc
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index c3014a288..261efefac 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -6,8 +6,8 @@ include gnote.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gnote
-noblacklist ${HOME}/.local/share/gnote
+nodeny  ${HOME}/.config/gnote
+nodeny  ${HOME}/.local/share/gnote
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/gnote
 mkdir ${HOME}/.local/share/gnote
-whitelist ${HOME}/.config/gnote
-whitelist ${HOME}/.local/share/gnote
-whitelist /usr/share/gnote
+allow  ${HOME}/.config/gnote
+allow  ${HOME}/.local/share/gnote
+allow  /usr/share/gnote
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 22851ce9f..e6fbca26f 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gnubik
+allow  /usr/share/gnubik
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 09ca17caa..f35a53ca4 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -6,9 +6,9 @@ include godot.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/godot
-noblacklist ${HOME}/.config/godot
-noblacklist ${HOME}/.local/share/godot
+nodeny  ${HOME}/.cache/godot
+nodeny  ${HOME}/.config/godot
+nodeny  ${HOME}/.local/share/godot
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index 8399d77c4..95dd41c2a 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -6,7 +6,7 @@ include goobox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index ebe5e870b..07f0e587d 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/google-chrome-beta
-noblacklist ${HOME}/.config/google-chrome-beta
+nodeny  ${HOME}/.cache/google-chrome-beta
+nodeny  ${HOME}/.config/google-chrome-beta
 
-noblacklist ${HOME}/.config/chrome-beta-flags.conf
-noblacklist ${HOME}/.config/chrome-beta-flags.config
+nodeny  ${HOME}/.config/chrome-beta-flags.conf
+nodeny  ${HOME}/.config/chrome-beta-flags.config
 
 mkdir ${HOME}/.cache/google-chrome-beta
 mkdir ${HOME}/.config/google-chrome-beta
-whitelist ${HOME}/.cache/google-chrome-beta
-whitelist ${HOME}/.config/google-chrome-beta
+allow  ${HOME}/.cache/google-chrome-beta
+allow  ${HOME}/.config/google-chrome-beta
 
-whitelist ${HOME}/.config/chrome-beta-flags.conf
-whitelist ${HOME}/.config/chrome-beta-flags.config
+allow  ${HOME}/.config/chrome-beta-flags.conf
+allow  ${HOME}/.config/chrome-beta-flags.config
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 4d303f71b..229904411 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/google-chrome-unstable
-noblacklist ${HOME}/.config/google-chrome-unstable
+nodeny  ${HOME}/.cache/google-chrome-unstable
+nodeny  ${HOME}/.config/google-chrome-unstable
 
-noblacklist ${HOME}/.config/chrome-unstable-flags.conf
-noblacklist ${HOME}/.config/chrome-unstable-flags.config
+nodeny  ${HOME}/.config/chrome-unstable-flags.conf
+nodeny  ${HOME}/.config/chrome-unstable-flags.config
 
 mkdir ${HOME}/.cache/google-chrome-unstable
 mkdir ${HOME}/.config/google-chrome-unstable
-whitelist ${HOME}/.cache/google-chrome-unstable
-whitelist ${HOME}/.config/google-chrome-unstable
+allow  ${HOME}/.cache/google-chrome-unstable
+allow  ${HOME}/.config/google-chrome-unstable
 
-whitelist ${HOME}/.config/chrome-unstable-flags.conf
-whitelist ${HOME}/.config/chrome-unstable-flags.config
+allow  ${HOME}/.config/chrome-unstable-flags.conf
+allow  ${HOME}/.config/chrome-unstable-flags.config
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index ed2595f72..f61642f17 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/google-chrome
-noblacklist ${HOME}/.config/google-chrome
+nodeny  ${HOME}/.cache/google-chrome
+nodeny  ${HOME}/.config/google-chrome
 
-noblacklist ${HOME}/.config/chrome-flags.conf
-noblacklist ${HOME}/.config/chrome-flags.config
+nodeny  ${HOME}/.config/chrome-flags.conf
+nodeny  ${HOME}/.config/chrome-flags.config
 
 mkdir ${HOME}/.cache/google-chrome
 mkdir ${HOME}/.config/google-chrome
-whitelist ${HOME}/.cache/google-chrome
-whitelist ${HOME}/.config/google-chrome
+allow  ${HOME}/.cache/google-chrome
+allow  ${HOME}/.config/google-chrome
 
-whitelist ${HOME}/.config/chrome-flags.conf
-whitelist ${HOME}/.config/chrome-flags.config
+allow  ${HOME}/.config/chrome-flags.conf
+allow  ${HOME}/.config/chrome-flags.config
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 65ac04771..6039f7cbd 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -5,8 +5,8 @@ include google-earth.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Google
-noblacklist ${HOME}/.googleearth
+nodeny  ${HOME}/.config/Google
+nodeny  ${HOME}/.googleearth
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/Google
 mkdir ${HOME}/.googleearth
-whitelist ${HOME}/.config/Google
-whitelist ${HOME}/.googleearth
+allow  ${HOME}/.config/Google
+allow  ${HOME}/.googleearth
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index a7aabe105..fdb65b93c 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -8,7 +8,7 @@ include globals.local
 # noexec /tmp breaks mpris support
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Google Play Music Desktop Player
+nodeny  ${HOME}/.config/Google Play Music Desktop Player
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,7 +20,7 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Google Play Music Desktop Player
 # whitelist ${HOME}/.config/pulse
 # whitelist ${HOME}/.pulse
-whitelist ${HOME}/.config/Google Play Music Desktop Player
+allow  ${HOME}/.config/Google Play Music Desktop Player
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
new file mode 100644
index 000000000..952c9c1d4
--- /dev/null
+++ b/etc/profile-a-l/googler-common.profile
@@ -0,0 +1,62 @@
+# Firejail profile for googler clones
+# Description: common profile for googler clones
+# This file is overwritten after every install/update
+# Persistent local customizations
+include googler-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
+
+nodeny  ${HOME}/.w3m
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+allow  ${HOME}/.w3m
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin env,python3*,sh,w3m
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/googler.profile b/etc/profile-a-l/googler.profile
new file mode 100644
index 000000000..9d67006f6
--- /dev/null
+++ b/etc/profile-a-l/googler.profile
@@ -0,0 +1,13 @@
+# Firejail profile for googler
+# Description: Search Google from your terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include googler.local
+# Persistent global definitions
+include globals.local
+
+private-bin googler
+
+# Redirect
+include googler-common.profile
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index 37b4f0b1c..9b8da361b 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -6,7 +6,7 @@ include gpa.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index 7f0b614b1..5fa66bb55 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -7,10 +7,10 @@ include gpg-agent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,11 +20,11 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
-whitelist ${HOME}/.gnupg
-whitelist ${RUNUSER}/gnupg
-whitelist ${RUNUSER}/keyring
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  ${HOME}/.gnupg
+allow  ${RUNUSER}/gnupg
+allow  ${RUNUSER}/keyring
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index 4a4d6527c..2ad896abe 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -7,10 +7,10 @@ include gpg.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,11 +18,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist ${RUNUSER}/gnupg
-whitelist ${RUNUSER}/keyring
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /usr/share/pacman/keyrings
+allow  ${RUNUSER}/gnupg
+allow  ${RUNUSER}/keyring
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
+allow  /usr/share/pacman/keyrings
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index fa53c26c8..0552dc3d7 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -6,7 +6,7 @@ include gpicview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gpicview
+nodeny  ${HOME}/.config/gpicview
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
-whitelist /usr/share/gpicview
+allow  /usr/share/gpicview
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 253d644f1..c9e62a73f 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -6,7 +6,7 @@ include gpredict.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Gpredict
+nodeny  ${HOME}/.config/Gpredict
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Gpredict
-whitelist ${HOME}/.config/Gpredict
+allow  ${HOME}/.config/Gpredict
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 2b4c536d2..2aebe2338 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -5,8 +5,8 @@ include gradio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/gradio
-noblacklist ${HOME}/.local/share/gradio
+nodeny  ${HOME}/.cache/gradio
+nodeny  ${HOME}/.local/share/gradio
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/gradio
 mkdir ${HOME}/.local/share/gradio
-whitelist ${HOME}/.cache/gradio
-whitelist ${HOME}/.local/share/gradio
+allow  ${HOME}/.cache/gradio
+allow  ${HOME}/.local/share/gradio
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile
index c7e0c2977..53f0baccb 100644
--- a/etc/profile-a-l/gramps.profile
+++ b/etc/profile-a-l/gramps.profile
@@ -6,7 +6,7 @@ include gramps.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gramps
+nodeny  ${HOME}/.gramps
 
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -21,7 +21,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.gramps
-whitelist ${HOME}/.gramps
+allow  ${HOME}/.gramps
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index 890ba2560..ecc871c2e 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/gravity-beams-and-evaporating-stars
+allow  /usr/share/gravity-beams-and-evaporating-stars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile
index 5927e8c4d..9a4f7b4fb 100644
--- a/etc/profile-a-l/gthumb.profile
+++ b/etc/profile-a-l/gthumb.profile
@@ -6,9 +6,9 @@ include gthumb.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/gthumb
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.config/gthumb
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gtk-pipe-viewer.profile b/etc/profile-a-l/gtk-pipe-viewer.profile
new file mode 100644
index 000000000..9c212ff6e
--- /dev/null
+++ b/etc/profile-a-l/gtk-pipe-viewer.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gtk-pipe-viewer
+# Description: Gtk front-end to pipe-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-pipe-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+# Redirect
+include pipe-viewer.profile
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
index e2721360b..978b3d896 100644
--- a/etc/profile-a-l/gtk-straw-viewer.profile
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -8,7 +8,5 @@ include gtk-straw-viewer.local
 
 ignore quiet
 
-include whitelist-runuser-common.inc
-
 # Redirect
 include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index c8addae75..d6bb9902a 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -7,7 +7,7 @@ include gtk-update-icon-cache.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gtk-youtube-viewer.profile b/etc/profile-a-l/gtk-youtube-viewer.profile
index 848979b52..c814f0fef 100644
--- a/etc/profile-a-l/gtk-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -8,7 +8,5 @@ include gtk-youtube-viewer.local
 
 ignore quiet
 
-include whitelist-runuser-common.inc
-
 # Redirect
 include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk2-youtube-viewer.profile b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 787c7bd90..8241de43a 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -8,8 +8,8 @@ include gtk2-youtube-viewer.local
 
 ignore quiet
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
+nodeny  /tmp/.X11-unix
+nodeny  ${RUNUSER}
 
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-a-l/gtk3-youtube-viewer.profile b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 988882622..6ea4ebbdc 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -8,8 +8,8 @@ include gtk3-youtube-viewer.local
 
 ignore quiet
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
+nodeny  /tmp/.X11-unix
+nodeny  ${RUNUSER}
 
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
index 3d2b71e9d..731bcad1d 100644
--- a/etc/profile-a-l/guayadeque.profile
+++ b/etc/profile-a-l/guayadeque.profile
@@ -5,8 +5,8 @@ include guayadeque.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.guayadeque
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.guayadeque
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gummi.profile b/etc/profile-a-l/gummi.profile
index 2223c37a1..5cdc2cc18 100644
--- a/etc/profile-a-l/gummi.profile
+++ b/etc/profile-a-l/gummi.profile
@@ -5,8 +5,8 @@ include gummi.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/gummi
-noblacklist ${HOME}/.config/gummi
+nodeny  ${HOME}/.cache/gummi
+nodeny  ${HOME}/.config/gummi
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
diff --git a/etc/profile-a-l/gunzip.profile b/etc/profile-a-l/gunzip.profile
index 6e97c6b78..584d88f85 100644
--- a/etc/profile-a-l/gunzip.profile
+++ b/etc/profile-a-l/gunzip.profile
@@ -7,5 +7,7 @@ include gunzip.local
 # added by included profile
 #include globals.local
 
+include allow-bin-sh.inc
+
 # Redirect
 include gzip.profile
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index 9221ca31c..3404f5177 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -6,10 +6,10 @@ include guvcview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/guvcview2
+nodeny  ${HOME}/.config/guvcview2
 
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
+nodeny  ${PICTURES}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,9 +21,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/guvcview2
-whitelist ${HOME}/.config/guvcview2
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
+allow  ${HOME}/.config/guvcview2
+allow  ${PICTURES}
+allow  ${VIDEOS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index d33e2a673..132b5a2e2 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -6,17 +6,17 @@ include gwenview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/GIMP
-noblacklist ${HOME}/.config/gwenviewrc
-noblacklist ${HOME}/.config/org.kde.gwenviewrc
-noblacklist ${HOME}/.gimp*
-noblacklist ${HOME}/.kde/share/apps/gwenview
-noblacklist ${HOME}/.kde/share/config/gwenviewrc
-noblacklist ${HOME}/.kde4/share/apps/gwenview
-noblacklist ${HOME}/.kde4/share/config/gwenviewrc
-noblacklist ${HOME}/.local/share/gwenview
-noblacklist ${HOME}/.local/share/kxmlgui5/gwenview
-noblacklist ${HOME}/.local/share/org.kde.gwenview
+nodeny  ${HOME}/.config/GIMP
+nodeny  ${HOME}/.config/gwenviewrc
+nodeny  ${HOME}/.config/org.kde.gwenviewrc
+nodeny  ${HOME}/.gimp*
+nodeny  ${HOME}/.kde/share/apps/gwenview
+nodeny  ${HOME}/.kde/share/config/gwenviewrc
+nodeny  ${HOME}/.kde4/share/apps/gwenview
+nodeny  ${HOME}/.kde4/share/config/gwenviewrc
+nodeny  ${HOME}/.local/share/gwenview
+nodeny  ${HOME}/.local/share/kxmlgui5/gwenview
+nodeny  ${HOME}/.local/share/org.kde.gwenview
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/gzip.profile b/etc/profile-a-l/gzip.profile
index b261c16f4..46c98bdc2 100644
--- a/etc/profile-a-l/gzip.profile
+++ b/etc/profile-a-l/gzip.profile
@@ -9,7 +9,7 @@ include globals.local
 
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
 # all capabilities this is automatically read-only.
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 847e1ec1e..c102ac4cb 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -6,9 +6,9 @@ include handbrake.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ghb
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/ghb
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
index aab4b0c21..d98a1b554 100644
--- a/etc/profile-a-l/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -7,11 +7,11 @@ include hashcat.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.hashcat
-noblacklist /usr/include
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.hashcat
+nodeny  /usr/include
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index 44584f26b..1c2a44e06 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -4,7 +4,7 @@ include hasher-common.local
 
 # common profile for hasher/checksum tools
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 # Comment/uncomment the relevant include file(s) in your hasher-common.local
 # to (un)restrict file access for **all** hashers. Another option is to do this **per hasher**
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index c0675d8ec..90833af91 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -6,7 +6,7 @@ include hedgewars.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.hedgewars
+nodeny  ${HOME}/.hedgewars
 
 include allow-lua.inc
 
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.hedgewars
-whitelist ${HOME}/.hedgewars
+allow  ${HOME}/.hedgewars
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index f72af0b4a..993efb591 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -6,7 +6,10 @@ include hexchat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/hexchat
+nodeny  ${HOME}/.config/hexchat
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
@@ -25,7 +28,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
-whitelist ${HOME}/.config/hexchat
+allow  ${HOME}/.config/hexchat
 include whitelist-common.inc
 include whitelist-var-common.inc
 
@@ -48,7 +51,7 @@ tracelog
 
 disable-mnt
 # debug note: private-bin requires perl, python, etc on some systems
-private-bin hexchat,python*
+private-bin hexchat,python*,sh
 private-dev
 #private-lib - python problems
 private-tmp
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index 643736ac7..53db642dc 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -6,7 +6,7 @@ include highlight.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index 199b1a5e5..ef259cc00 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -6,7 +6,7 @@ include homebank.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/homebank
+nodeny  ${HOME}/.config/homebank
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/homebank
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/homebank
-whitelist /usr/share/homebank
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/homebank
+allow  /usr/share/homebank
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
index 00d9f7a76..63e1be259 100644
--- a/etc/profile-a-l/host.profile
+++ b/etc/profile-a-l/host.profile
@@ -7,8 +7,8 @@ include host.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
-noblacklist ${PATH}/host
+deny  ${RUNUSER}
+nodeny  ${PATH}/host
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
index 267712c87..db5cd29cc 100644
--- a/etc/profile-a-l/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -6,9 +6,9 @@ include hugin.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.hugin
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.hugin
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index e66ffd7e1..1fb33ceb8 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -6,7 +6,7 @@ include hyperrogue.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/hyperrogue.ini
+nodeny  ${HOME}/hyperrogue.ini
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/hyperrogue.ini
-whitelist ${HOME}/hyperrogue.ini
-whitelist /usr/share/hyperrogue
+allow  ${HOME}/hyperrogue.ini
+allow  /usr/share/hyperrogue
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index 47c984175..c8a2e8a04 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -14,12 +14,12 @@ include globals.local
 # Only needed when i2prouter binary resides in home directory (official I2P java installer does so).
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/i2p
-noblacklist ${HOME}/.i2p
-noblacklist ${HOME}/.local/share/i2p
-noblacklist ${HOME}/i2p
+nodeny  ${HOME}/.config/i2p
+nodeny  ${HOME}/.i2p
+nodeny  ${HOME}/.local/share/i2p
+nodeny  ${HOME}/i2p
 # Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
-noblacklist /usr/sbin
+nodeny  /usr/sbin
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -36,12 +36,12 @@ mkdir ${HOME}/.config/i2p
 mkdir ${HOME}/.i2p
 mkdir ${HOME}/.local/share/i2p
 mkdir ${HOME}/i2p
-whitelist ${HOME}/.config/i2p
-whitelist ${HOME}/.i2p
-whitelist ${HOME}/.local/share/i2p
-whitelist ${HOME}/i2p
+allow  ${HOME}/.config/i2p
+allow  ${HOME}/.i2p
+allow  ${HOME}/.local/share/i2p
+allow  ${HOME}/i2p
 # Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
-whitelist /usr/sbin/wrapper*
+allow  /usr/sbin/wrapper*
 
 include whitelist-common.inc
 
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index e96b1843c..95ddad221 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -7,7 +7,7 @@ include i3.local
 include globals.local
 
 # all applications started in i3 will run in this profile
-noblacklist ${HOME}/.config/i3
+nodeny  ${HOME}/.config/i3
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
index 660343a29..0de2f658b 100644
--- a/etc/profile-a-l/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
@@ -5,13 +5,13 @@ include icecat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/mozilla
+nodeny  ${HOME}/.mozilla
 
 mkdir ${HOME}/.cache/mozilla/icecat
 mkdir ${HOME}/.mozilla
-whitelist ${HOME}/.cache/mozilla/icecat
-whitelist ${HOME}/.mozilla
+allow  ${HOME}/.cache/mozilla/icecat
+allow  ${HOME}/.mozilla
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc icecat
diff --git a/etc/profile-a-l/icedove.profile b/etc/profile-a-l/icedove.profile
index 19690cd5a..0c22d87d0 100644
--- a/etc/profile-a-l/icedove.profile
+++ b/etc/profile-a-l/icedove.profile
@@ -9,16 +9,16 @@ include icedove.local
 # Users have icedove set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
-noblacklist ${HOME}/.cache/icedove
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.icedove
+nodeny  ${HOME}/.cache/icedove
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.icedove
 
 mkdir ${HOME}/.cache/icedove
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.icedove
-whitelist ${HOME}/.cache/icedove
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.icedove
+allow  ${HOME}/.cache/icedove
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.icedove
 include whitelist-common.inc
 
 ignore private-tmp
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 680b8e777..180b62ec2 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -5,12 +5,12 @@ include idea.sh.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.IdeaIC*
-noblacklist ${HOME}/.android
-noblacklist ${HOME}/.jack-server
-noblacklist ${HOME}/.jack-settings
-noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.IdeaIC*
+nodeny  ${HOME}/.android
+nodeny  ${HOME}/.jack-server
+nodeny  ${HOME}/.jack-settings
+nodeny  ${HOME}/.local/share/JetBrains
+nodeny  ${HOME}/.tooling
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile
index 12ce7976b..5d28e7aca 100644
--- a/etc/profile-a-l/imagej.profile
+++ b/etc/profile-a-l/imagej.profile
@@ -6,7 +6,7 @@ include imagej.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.imagej
+nodeny  ${HOME}/.imagej
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index c26958d06..70d56a7dc 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -5,10 +5,10 @@ include img2txt.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/imlib2
+allow  /usr/share/imlib2
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile
index c152be01c..4914cd9d0 100644
--- a/etc/profile-a-l/impressive.profile
+++ b/etc/profile-a-l/impressive.profile
@@ -6,9 +6,9 @@ include impressive.local
 # Persistent global definitions
 #include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  ${DOCUMENTS}
+nodeny  /sbin
+nodeny  /usr/sbin
 
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
@@ -23,8 +23,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist /usr/share/opengl-games-utils
-whitelist /usr/share/zenity
+allow  /usr/share/opengl-games-utils
+allow  /usr/share/zenity
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 35dd86b32..1a949b300 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -6,14 +6,14 @@ include inkscape.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/inkscape
-noblacklist ${HOME}/.config/inkscape
-noblacklist ${HOME}/.inkscape
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.cache/inkscape
+nodeny  ${HOME}/.config/inkscape
+nodeny  ${HOME}/.inkscape
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 # Allow exporting .xcf files
-noblacklist ${HOME}/.config/GIMP
-noblacklist ${HOME}/.gimp*
+nodeny  ${HOME}/.config/GIMP
+nodeny  ${HOME}/.gimp*
 
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -28,7 +28,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/inkscape
+allow  /usr/share/inkscape
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
index a5cac12f2..1591ed7ea 100644
--- a/etc/profile-a-l/inox.profile
+++ b/etc/profile-a-l/inox.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/inox
-noblacklist ${HOME}/.config/inox
+nodeny  ${HOME}/.cache/inox
+nodeny  ${HOME}/.config/inox
 
 mkdir ${HOME}/.cache/inox
 mkdir ${HOME}/.config/inox
-whitelist ${HOME}/.cache/inox
-whitelist ${HOME}/.config/inox
+allow  ${HOME}/.cache/inox
+allow  ${HOME}/.config/inox
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
index 3037d00e9..f361fd663 100644
--- a/etc/profile-a-l/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/iridium
-noblacklist ${HOME}/.config/iridium
+nodeny  ${HOME}/.cache/iridium
+nodeny  ${HOME}/.config/iridium
 
 mkdir ${HOME}/.cache/iridium
 mkdir ${HOME}/.config/iridium
-whitelist ${HOME}/.cache/iridium
-whitelist ${HOME}/.config/iridium
+allow  ${HOME}/.cache/iridium
+allow  ${HOME}/.config/iridium
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile
index e02dcbdb1..fa0bcf986 100644
--- a/etc/profile-a-l/itch.profile
+++ b/etc/profile-a-l/itch.profile
@@ -8,8 +8,8 @@ include globals.local
 # itch.io has native firejail/sandboxing support bundled in
 # See https://itch.io/docs/itch/using/sandbox/linux.html
 
-noblacklist ${HOME}/.itch
-noblacklist ${HOME}/.config/itch
+nodeny  ${HOME}/.itch
+nodeny  ${HOME}/.config/itch
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.itch
 mkdir ${HOME}/.config/itch
-whitelist ${HOME}/.itch
-whitelist ${HOME}/.config/itch
+allow  ${HOME}/.itch
+allow  ${HOME}/.config/itch
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
index 3e9abf369..e4be574df 100644
--- a/etc/profile-a-l/jami-gnome.profile
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -6,8 +6,8 @@ include jami-gnome.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/jami
-noblacklist ${HOME}/.local/share/jami
+nodeny  ${HOME}/.config/jami
+nodeny  ${HOME}/.local/share/jami
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/jami
 mkdir ${HOME}/.local/share/jami
-whitelist ${HOME}/.config/jami
-whitelist ${HOME}/.local/share/jami
+allow  ${HOME}/.config/jami
+allow  ${HOME}/.local/share/jami
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
index 7d29f1068..bfea84c69 100644
--- a/etc/profile-a-l/jd-gui.profile
+++ b/etc/profile-a-l/jd-gui.profile
@@ -5,7 +5,7 @@ include jd-gui.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/jd-gui.cfg
+nodeny  ${HOME}/.config/jd-gui.cfg
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index 85b1f2120..c41027618 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -6,7 +6,7 @@ include jerry.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/dkl
+nodeny  ${HOME}/.config/dkl
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/jitsi-meet-desktop.profile b/etc/profile-a-l/jitsi-meet-desktop.profile
index edb7ed840..9ca30c36d 100644
--- a/etc/profile-a-l/jitsi-meet-desktop.profile
+++ b/etc/profile-a-l/jitsi-meet-desktop.profile
@@ -13,12 +13,12 @@ ignore shell none
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Jitsi Meet
+nodeny  ${HOME}/.config/Jitsi Meet
 
-nowhitelist ${DOWNLOADS}
+noallow  ${DOWNLOADS}
 
 mkdir ${HOME}/.config/Jitsi Meet
-whitelist ${HOME}/.config/Jitsi Meet
+allow  ${HOME}/.config/Jitsi Meet
 
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],jitsi-meet-desktop,sh
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
diff --git a/etc/profile-a-l/jitsi.profile b/etc/profile-a-l/jitsi.profile
index 223c360b8..f53e6ca32 100644
--- a/etc/profile-a-l/jitsi.profile
+++ b/etc/profile-a-l/jitsi.profile
@@ -5,7 +5,7 @@ include jitsi.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.jitsi
+nodeny  ${HOME}/.jitsi
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index 9954b8aea..c0a78ecc0 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -6,7 +6,7 @@ include jumpnbump.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.jumpnbump
+nodeny  ${HOME}/.jumpnbump
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.jumpnbump
-whitelist ${HOME}/.jumpnbump
-whitelist /usr/share/jumpnbump
+allow  ${HOME}/.jumpnbump
+allow  /usr/share/jumpnbump
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index 5ae90dff6..73ce8670f 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -6,11 +6,11 @@ include k3b.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/k3brc
-noblacklist ${HOME}/.kde/share/config/k3brc
-noblacklist ${HOME}/.kde4/share/config/k3brc
-noblacklist ${HOME}/.local/share/kxmlgui5/k3b
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/k3brc
+nodeny  ${HOME}/.kde/share/config/k3brc
+nodeny  ${HOME}/.kde4/share/config/k3brc
+nodeny  ${HOME}/.local/share/kxmlgui5/k3b
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index d55fd22cb..e6a00e350 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -6,14 +6,14 @@ include kaffeine.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/kaffeinerc
-noblacklist ${HOME}/.kde/share/apps/kaffeine
-noblacklist ${HOME}/.kde/share/config/kaffeinerc
-noblacklist ${HOME}/.kde4/share/apps/kaffeine
-noblacklist ${HOME}/.kde4/share/config/kaffeinerc
-noblacklist ${HOME}/.local/share/kaffeine
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/kaffeinerc
+nodeny  ${HOME}/.kde/share/apps/kaffeine
+nodeny  ${HOME}/.kde/share/config/kaffeinerc
+nodeny  ${HOME}/.kde4/share/apps/kaffeine
+nodeny  ${HOME}/.kde4/share/config/kaffeinerc
+nodeny  ${HOME}/.local/share/kaffeine
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 503dac4b6..98b04353e 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -6,8 +6,8 @@ include kalgebra.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/kalgebrarc
-noblacklist ${HOME}/.local/share/kalgebra
+nodeny  ${HOME}/.config/kalgebrarc
+nodeny  ${HOME}/.local/share/kalgebra
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/kalgebramobile
+allow  /usr/share/kalgebramobile
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/karbon.profile b/etc/profile-a-l/karbon.profile
index 231299a2f..db5394550 100644
--- a/etc/profile-a-l/karbon.profile
+++ b/etc/profile-a-l/karbon.profile
@@ -6,7 +6,7 @@ include karbon.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/karbon
+nodeny  ${HOME}/.local/share/kxmlgui5/karbon
 
 # Redirect
 include krita.profile
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index 27b87e7c3..d2b180492 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -8,20 +8,20 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/katemetainfos
-noblacklist ${HOME}/.config/katepartrc
-noblacklist ${HOME}/.config/katerc
-noblacklist ${HOME}/.config/kateschemarc
-noblacklist ${HOME}/.config/katesyntaxhighlightingrc
-noblacklist ${HOME}/.config/katevirc
-noblacklist ${HOME}/.local/share/kate
-noblacklist ${HOME}/.local/share/kxmlgui5/kate
-noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree
-noblacklist ${HOME}/.local/share/kxmlgui5/katekonsole
-noblacklist ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
-noblacklist ${HOME}/.local/share/kxmlgui5/katepart
-noblacklist ${HOME}/.local/share/kxmlgui5/kateproject
-noblacklist ${HOME}/.local/share/kxmlgui5/katesearch
+nodeny  ${HOME}/.config/katemetainfos
+nodeny  ${HOME}/.config/katepartrc
+nodeny  ${HOME}/.config/katerc
+nodeny  ${HOME}/.config/kateschemarc
+nodeny  ${HOME}/.config/katesyntaxhighlightingrc
+nodeny  ${HOME}/.config/katevirc
+nodeny  ${HOME}/.local/share/kate
+nodeny  ${HOME}/.local/share/kxmlgui5/kate
+nodeny  ${HOME}/.local/share/kxmlgui5/katefiletree
+nodeny  ${HOME}/.local/share/kxmlgui5/katekonsole
+nodeny  ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
+nodeny  ${HOME}/.local/share/kxmlgui5/katepart
+nodeny  ${HOME}/.local/share/kxmlgui5/kateproject
+nodeny  ${HOME}/.local/share/kxmlgui5/katesearch
 
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 9795cf168..a4e2e64f4 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -8,9 +8,9 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
-noblacklist ${HOME}/.config/kazam
+nodeny  ${PICTURES}
+nodeny  ${VIDEOS}
+nodeny  ${HOME}/.config/kazam
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -25,7 +25,7 @@ include disable-passwdmgr.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/kazam
+allow  /usr/share/kazam
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index e36ee5ed2..fcb168d4d 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -6,7 +6,7 @@ include kcalc.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/kxmlgui5/kcalc
+nodeny  ${HOME}/.local/share/kxmlgui5/kcalc
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,13 +21,13 @@ mkdir ${HOME}/.local/share/kxmlgui5/kcalc
 mkfile ${HOME}/.config/kcalcrc
 mkfile ${HOME}/.kde/share/config/kcalcrc
 mkfile ${HOME}/.kde4/share/config/kcalcrc
-whitelist ${HOME}/.config/kcalcrc
-whitelist ${HOME}/.kde/share/config/kcalcrc
-whitelist ${HOME}/.kde4/share/config/kcalcrc
-whitelist ${HOME}/.local/share/kxmlgui5/kcalc
-whitelist /usr/share/config.kcfg/kcalc.kcfg
-whitelist /usr/share/kcalc
-whitelist /usr/share/kconf_update/kcalcrc.upd
+allow  ${HOME}/.config/kcalcrc
+allow  ${HOME}/.kde/share/config/kcalcrc
+allow  ${HOME}/.kde4/share/config/kcalcrc
+allow  ${HOME}/.local/share/kxmlgui5/kcalc
+allow  /usr/share/config.kcfg/kcalc.kcfg
+allow  /usr/share/kcalc
+allow  /usr/share/kconf_update/kcalcrc.upd
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index d2a08a269..4acafbf2a 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -8,10 +8,10 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/kdenlive
-noblacklist ${HOME}/.config/kdenliverc
-noblacklist ${HOME}/.local/share/kdenlive
-noblacklist ${HOME}/.local/share/kxmlgui5/kdenlive
+nodeny  ${HOME}/.cache/kdenlive
+nodeny  ${HOME}/.config/kdenliverc
+nodeny  ${HOME}/.local/share/kdenlive
+nodeny  ${HOME}/.local/share/kxmlgui5/kdenlive
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 7c1cb2294..0c37f7968 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -6,14 +6,14 @@ include kdiff3.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/kdiff3fileitemactionrc
-noblacklist ${HOME}/.config/kdiff3rc
+nodeny  ${HOME}/.config/kdiff3fileitemactionrc
+nodeny  ${HOME}/.config/kdiff3rc
 
 # Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc.
 # By default we deny access only to .ssh and .gnupg.
 #include disable-common.inc
-blacklist ${HOME}/.ssh
-blacklist ${HOME}/.gnupg
+deny  ${HOME}/.ssh
+deny  ${HOME}/.gnupg
 
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile
index ae8971ab4..9c06962bc 100644
--- a/etc/profile-a-l/keepass.profile
+++ b/etc/profile-a-l/keepass.profile
@@ -6,14 +6,14 @@ include keepass.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.config/KeePass
-noblacklist ${HOME}/.config/keepass
-noblacklist ${HOME}/.keepass
-noblacklist ${HOME}/.local/share/KeePass
-noblacklist ${HOME}/.local/share/keepass
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/*.kdb
+nodeny  ${HOME}/*.kdbx
+nodeny  ${HOME}/.config/KeePass
+nodeny  ${HOME}/.config/keepass
+nodeny  ${HOME}/.keepass
+nodeny  ${HOME}/.local/share/KeePass
+nodeny  ${HOME}/.local/share/keepass
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index ac364986d..2772fa8bf 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -6,11 +6,11 @@ include keepassx.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.config/keepassx
-noblacklist ${HOME}/.keepassx
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/*.kdb
+nodeny  ${HOME}/*.kdbx
+nodeny  ${HOME}/.config/keepassx
+nodeny  ${HOME}/.keepassx
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index c352a5d89..9c530b20d 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -6,21 +6,23 @@ include keepassxc.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/*.kdb
-noblacklist ${HOME}/*.kdbx
-noblacklist ${HOME}/.cache/keepassxc
-noblacklist ${HOME}/.config/keepassxc
-noblacklist ${HOME}/.config/KeePassXCrc
-noblacklist ${HOME}/.keepassxc
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/*.kdb
+nodeny  ${HOME}/*.kdbx
+nodeny  ${HOME}/.cache/keepassxc
+nodeny  ${HOME}/.config/keepassxc
+nodeny  ${HOME}/.config/KeePassXCrc
+nodeny  ${HOME}/.keepassxc
+nodeny  ${DOCUMENTS}
 
 # Allow browser profiles, required for browser integration.
-noblacklist ${HOME}/.config/BraveSoftware
-noblacklist ${HOME}/.config/chromium
-noblacklist ${HOME}/.config/google-chrome
-noblacklist ${HOME}/.config/vivaldi
-noblacklist ${HOME}/.local/share/torbrowser
-noblacklist ${HOME}/.mozilla
+nodeny  ${HOME}/.config/BraveSoftware
+nodeny  ${HOME}/.config/chromium
+nodeny  ${HOME}/.config/google-chrome
+nodeny  ${HOME}/.config/vivaldi
+nodeny  ${HOME}/.local/share/torbrowser
+nodeny  ${HOME}/.mozilla
+
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -55,7 +57,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.config/KeePassXCrc
 #include whitelist-common.inc
 
-whitelist /usr/share/keepassxc
+allow  /usr/share/keepassxc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index 2c684504b..30c041cbc 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -6,13 +6,13 @@ include kget.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/kgetrc
-noblacklist ${HOME}/.kde/share/apps/kget
-noblacklist ${HOME}/.kde/share/config/kgetrc
-noblacklist ${HOME}/.kde4/share/apps/kget
-noblacklist ${HOME}/.kde4/share/config/kgetrc
-noblacklist ${HOME}/.local/share/kget
-noblacklist ${HOME}/.local/share/kxmlgui5/kget
+nodeny  ${HOME}/.config/kgetrc
+nodeny  ${HOME}/.kde/share/apps/kget
+nodeny  ${HOME}/.kde/share/config/kgetrc
+nodeny  ${HOME}/.kde4/share/apps/kget
+nodeny  ${HOME}/.kde4/share/config/kgetrc
+nodeny  ${HOME}/.local/share/kget
+nodeny  ${HOME}/.local/share/kxmlgui5/kget
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kid3-qt.profile b/etc/profile-a-l/kid3-qt.profile
index 9bcede077..84d135fc3 100644
--- a/etc/profile-a-l/kid3-qt.profile
+++ b/etc/profile-a-l/kid3-qt.profile
@@ -2,7 +2,7 @@
 # This file is overwritten after every install/update
 include kid3-qt.local
 
-noblacklist ${HOME}/.config/Kid3
+nodeny  ${HOME}/.config/Kid3
 
 # Redirect
 include kid3.profile
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index e18292e99..0ef2a7845 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -6,9 +6,9 @@ include kid3.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
-noblacklist ${HOME}/.config/kid3rc
-noblacklist ${HOME}/.local/share/kxmlgui5/kid3
+nodeny  ${MUSIC}
+nodeny  ${HOME}/.config/kid3rc
+nodeny  ${HOME}/.local/share/kxmlgui5/kid3
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile
index 74014ffe6..833c1d22a 100644
--- a/etc/profile-a-l/kino.profile
+++ b/etc/profile-a-l/kino.profile
@@ -6,8 +6,8 @@ include kino.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.kino-history
-noblacklist ${HOME}/.kinorc
+nodeny  ${HOME}/.kino-history
+nodeny  ${HOME}/.kinorc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 40ee0bbc7..b188ba0e3 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -6,8 +6,8 @@ include kiwix-desktop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/kiwix
-noblacklist ${HOME}/.local/share/kiwix-desktop
+nodeny  ${HOME}/.local/share/kiwix
+nodeny  ${HOME}/.local/share/kiwix-desktop
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/kiwix
 mkdir ${HOME}/.local/share/kiwix-desktop
-whitelist ${HOME}/.local/share/kiwix
-whitelist ${HOME}/.local/share/kiwix-desktop
+allow  ${HOME}/.local/share/kiwix
+allow  ${HOME}/.local/share/kiwix-desktop
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
index c6a9023f1..e087e4973 100644
--- a/etc/profile-a-l/klatexformula.profile
+++ b/etc/profile-a-l/klatexformula.profile
@@ -6,8 +6,8 @@ include klatexformula.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.kde/share/apps/klatexformula
-noblacklist ${HOME}/.klatexformula
+nodeny  ${HOME}/.kde/share/apps/klatexformula
+nodeny  ${HOME}/.klatexformula
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index f5cd3a48c..ec3912419 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -6,8 +6,8 @@ include klavaro.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/klavaro
-noblacklist ${HOME}/.local/share/klavaro
+nodeny  ${HOME}/.config/klavaro
+nodeny  ${HOME}/.local/share/klavaro
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/klavaro
 mkdir ${HOME}/.config/klavaro
-whitelist ${HOME}/.local/share/klavaro
-whitelist ${HOME}/.config/klavaro
+allow  ${HOME}/.local/share/klavaro
+allow  ${HOME}/.config/klavaro
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 95ae98e53..3c582c08c 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,27 +9,27 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
 
-noblacklist ${HOME}/.cache/akonadi*
-noblacklist ${HOME}/.cache/kmail2
-noblacklist ${HOME}/.config/akonadi*
-noblacklist ${HOME}/.config/baloorc
-noblacklist ${HOME}/.config/emaildefaults
-noblacklist ${HOME}/.config/emailidentities
-noblacklist ${HOME}/.config/kmail2rc
-noblacklist ${HOME}/.config/kmailsearchindexingrc
-noblacklist ${HOME}/.config/mailtransports
-noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.local/share/akonadi*
-noblacklist ${HOME}/.local/share/apps/korganizer
-noblacklist ${HOME}/.local/share/contacts
-noblacklist ${HOME}/.local/share/emailidentities
-noblacklist ${HOME}/.local/share/kmail2
-noblacklist ${HOME}/.local/share/kxmlgui5/kmail
-noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
-noblacklist ${HOME}/.local/share/local-mail
-noblacklist ${HOME}/.local/share/notes
-noblacklist /tmp/akonadi-*
+nodeny  ${HOME}/.cache/akonadi*
+nodeny  ${HOME}/.cache/kmail2
+nodeny  ${HOME}/.config/akonadi*
+nodeny  ${HOME}/.config/baloorc
+nodeny  ${HOME}/.config/emaildefaults
+nodeny  ${HOME}/.config/emailidentities
+nodeny  ${HOME}/.config/kmail2rc
+nodeny  ${HOME}/.config/kmailsearchindexingrc
+nodeny  ${HOME}/.config/mailtransports
+nodeny  ${HOME}/.config/specialmailcollectionsrc
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.local/share/akonadi*
+nodeny  ${HOME}/.local/share/apps/korganizer
+nodeny  ${HOME}/.local/share/contacts
+nodeny  ${HOME}/.local/share/emailidentities
+nodeny  ${HOME}/.local/share/kmail2
+nodeny  ${HOME}/.local/share/kxmlgui5/kmail
+nodeny  ${HOME}/.local/share/kxmlgui5/kmail2
+nodeny  ${HOME}/.local/share/local-mail
+nodeny  ${HOME}/.local/share/notes
+nodeny  /tmp/akonadi-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index e88b53499..d2ce14ab6 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -6,11 +6,11 @@ include kmplayer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/kmplayerrc
-noblacklist ${HOME}/.kde/share/config/kmplayerrc
-noblacklist ${HOME}/.local/share/kmplayer
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/kmplayerrc
+nodeny  ${HOME}/.kde/share/config/kmplayerrc
+nodeny  ${HOME}/.local/share/kmplayer
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/knotes.profile b/etc/profile-a-l/knotes.profile
index f155d0ad6..5a9ac34da 100644
--- a/etc/profile-a-l/knotes.profile
+++ b/etc/profile-a-l/knotes.profile
@@ -10,9 +10,9 @@ include knotes.local
 # knotes has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when knotes is started
 
-noblacklist ${HOME}/.config/knotesrc
-noblacklist ${HOME}/.local/share/knotes
-noblacklist ${HOME}/.local/share/kxmlgui5/knotes
+nodeny  ${HOME}/.config/knotesrc
+nodeny  ${HOME}/.local/share/knotes
+nodeny  ${HOME}/.local/share/kxmlgui5/knotes
 
 # Redirect
 include kmail.profile
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b72632bf4..2725c87be 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -8,11 +8,15 @@ include globals.local
 
 # noexec ${HOME} breaks plugins
 ignore noexec ${HOME}
+# Add the following to your kodi.local if you use a CEC Adapter.
+#ignore nogroups
+#ignore noroot
+#ignore private-dev
 
-noblacklist ${HOME}/.kodi
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.kodi
+nodeny  ${MUSIC}
+nodeny  ${PICTURES}
+nodeny  ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index 5b5ed6e24..d8ce33838 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -6,11 +6,11 @@ include konversation.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/konversationrc
-noblacklist ${HOME}/.config/konversation.notifyrc
-noblacklist ${HOME}/.kde/share/config/konversationrc
-noblacklist ${HOME}/.kde4/share/config/konversationrc
-noblacklist ${HOME}/.local/share/kxmlgui5/konversation
+nodeny  ${HOME}/.config/konversationrc
+nodeny  ${HOME}/.config/konversation.notifyrc
+nodeny  ${HOME}/.kde/share/config/konversationrc
+nodeny  ${HOME}/.kde4/share/config/konversationrc
+nodeny  ${HOME}/.local/share/kxmlgui5/konversation
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile
index 88f47d1bf..749591f32 100644
--- a/etc/profile-a-l/kopete.profile
+++ b/etc/profile-a-l/kopete.profile
@@ -6,11 +6,11 @@ include kopete.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.kde/share/apps/kopete
-noblacklist ${HOME}/.kde/share/config/kopeterc
-noblacklist ${HOME}/.kde4/share/apps/kopete
-noblacklist ${HOME}/.kde4/share/config/kopeterc
-noblacklist ${HOME}/.local/share/kxmlgui5/kopete
+nodeny  ${HOME}/.kde/share/apps/kopete
+nodeny  ${HOME}/.kde/share/config/kopeterc
+nodeny  ${HOME}/.kde4/share/apps/kopete
+nodeny  ${HOME}/.kde4/share/config/kopeterc
+nodeny  ${HOME}/.local/share/kxmlgui5/kopete
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /var/lib/winpopup
+allow  /var/lib/winpopup
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index 8604e63d0..950341def 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -9,10 +9,10 @@ include globals.local
 # noexec ${HOME} may break krita, see issue #1953
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/kritarc
-noblacklist ${HOME}/.local/share/krita
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/kritarc
+nodeny  ${HOME}/.local/share/krita
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index 9cb5eff87..7b325d273 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -13,9 +13,9 @@ include globals.local
 # noblacklist ${HOME}/.cache/krunner
 # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
 # noblacklist ${HOME}/.config/chromium
-noblacklist ${HOME}/.config/krunnerrc
-noblacklist ${HOME}/.kde/share/config/krunnerrc
-noblacklist ${HOME}/.kde4/share/config/krunnerrc
+nodeny  ${HOME}/.config/krunnerrc
+nodeny  ${HOME}/.kde/share/config/krunnerrc
+nodeny  ${HOME}/.kde4/share/config/krunnerrc
 # noblacklist ${HOME}/.local/share/baloo
 # noblacklist ${HOME}/.mozilla
 
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index 5a85194e0..ac9fee585 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -6,13 +6,13 @@ include ktorrent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ktorrentrc
-noblacklist ${HOME}/.kde/share/apps/ktorrent
-noblacklist ${HOME}/.kde/share/config/ktorrentrc
-noblacklist ${HOME}/.kde4/share/apps/ktorrent
-noblacklist ${HOME}/.kde4/share/config/ktorrentrc
-noblacklist ${HOME}/.local/share/ktorrent
-noblacklist ${HOME}/.local/share/kxmlgui5/ktorrent
+nodeny  ${HOME}/.config/ktorrentrc
+nodeny  ${HOME}/.kde/share/apps/ktorrent
+nodeny  ${HOME}/.kde/share/config/ktorrentrc
+nodeny  ${HOME}/.kde4/share/apps/ktorrent
+nodeny  ${HOME}/.kde4/share/config/ktorrentrc
+nodeny  ${HOME}/.local/share/ktorrent
+nodeny  ${HOME}/.local/share/kxmlgui5/ktorrent
 
 include disable-common.inc
 include disable-devel.inc
@@ -29,14 +29,14 @@ mkdir ${HOME}/.local/share/kxmlgui5/ktorrent
 mkfile ${HOME}/.config/ktorrentrc
 mkfile ${HOME}/.kde/share/config/ktorrentrc
 mkfile ${HOME}/.kde4/share/config/ktorrentrc
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/ktorrentrc
-whitelist ${HOME}/.kde/share/apps/ktorrent
-whitelist ${HOME}/.kde/share/config/ktorrentrc
-whitelist ${HOME}/.kde4/share/apps/ktorrent
-whitelist ${HOME}/.kde4/share/config/ktorrentrc
-whitelist ${HOME}/.local/share/ktorrent
-whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/ktorrentrc
+allow  ${HOME}/.kde/share/apps/ktorrent
+allow  ${HOME}/.kde/share/config/ktorrentrc
+allow  ${HOME}/.kde4/share/apps/ktorrent
+allow  ${HOME}/.kde4/share/config/ktorrentrc
+allow  ${HOME}/.local/share/ktorrent
+allow  ${HOME}/.local/share/kxmlgui5/ktorrent
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 4cf72b74c..71f8e4977 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -6,8 +6,8 @@ include ktouch.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ktouch2rc
-noblacklist ${HOME}/.local/share/ktouch
+nodeny  ${HOME}/.config/ktouch2rc
+nodeny  ${HOME}/.local/share/ktouch
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-xdg.inc
 
 mkfile ${HOME}/.config/ktouch2rc
 mkdir ${HOME}/.local/share/ktouch
-whitelist ${HOME}/.config/ktouch2rc
-whitelist ${HOME}/.local/share/ktouch
+allow  ${HOME}/.config/ktouch2rc
+allow  ${HOME}/.local/share/ktouch
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 4e9a12e5f..74ffd1162 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -6,13 +6,13 @@ include kube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.cache/kube
-noblacklist ${HOME}/.config/kube
-noblacklist ${HOME}/.config/sink
-noblacklist ${HOME}/.local/share/kube
-noblacklist ${HOME}/.local/share/sink
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/kube
+nodeny  ${HOME}/.config/kube
+nodeny  ${HOME}/.config/sink
+nodeny  ${HOME}/.local/share/kube
+nodeny  ${HOME}/.local/share/sink
 
 include disable-common.inc
 include disable-devel.inc
@@ -29,17 +29,17 @@ mkdir ${HOME}/.config/kube
 mkdir ${HOME}/.config/sink
 mkdir ${HOME}/.local/share/kube
 mkdir ${HOME}/.local/share/sink
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.cache/kube
-whitelist ${HOME}/.config/kube
-whitelist ${HOME}/.config/sink
-whitelist ${HOME}/.local/share/kube
-whitelist ${HOME}/.local/share/sink
-whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/kube
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.mozilla/firefox/profiles.ini
+allow  ${HOME}/.cache/kube
+allow  ${HOME}/.config/kube
+allow  ${HOME}/.config/sink
+allow  ${HOME}/.local/share/kube
+allow  ${HOME}/.local/share/sink
+allow  ${RUNUSER}/gnupg
+allow  /usr/share/kube
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 15e7ceb17..580f93736 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -8,10 +8,10 @@ include globals.local
 # fix automatical kwin_x11 sandboxing:
 # echo KDEWM=kwin_x11 >> ~/.pam_environment
 
-noblacklist ${HOME}/.cache/kwin
-noblacklist ${HOME}/.config/kwinrc
-noblacklist ${HOME}/.config/kwinrulesrc
-noblacklist ${HOME}/.local/share/kwin
+nodeny  ${HOME}/.cache/kwin
+nodeny  ${HOME}/.config/kwinrc
+nodeny  ${HOME}/.config/kwinrulesrc
+nodeny  ${HOME}/.local/share/kwin
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 804ffafeb..08b0e0224 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -6,15 +6,15 @@ include kwrite.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/katepartrc
-noblacklist ${HOME}/.config/katerc
-noblacklist ${HOME}/.config/kateschemarc
-noblacklist ${HOME}/.config/katesyntaxhighlightingrc
-noblacklist ${HOME}/.config/katevirc
-noblacklist ${HOME}/.config/kwriterc
-noblacklist ${HOME}/.local/share/kwrite
-noblacklist ${HOME}/.local/share/kxmlgui5/kwrite
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/katepartrc
+nodeny  ${HOME}/.config/katerc
+nodeny  ${HOME}/.config/kateschemarc
+nodeny  ${HOME}/.config/katesyntaxhighlightingrc
+nodeny  ${HOME}/.config/katevirc
+nodeny  ${HOME}/.config/kwriterc
+nodeny  ${HOME}/.local/share/kwrite
+nodeny  ${HOME}/.local/share/kxmlgui5/kwrite
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile
index ac1b8785d..91693bfc1 100644
--- a/etc/profile-a-l/latex-common.profile
+++ b/etc/profile-a-l/latex-common.profile
@@ -13,7 +13,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /var/lib
+allow  /var/lib
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
index 4bbb0a86d..e154708eb 100644
--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -6,7 +6,7 @@ include leafpad.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/leafpad
+nodeny  ${HOME}/.config/leafpad
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index 8eb5ad0c2..abee392de 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -7,9 +7,9 @@ include less.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${HOME}/.lesshst
+nodeny  ${HOME}/.lesshst
 
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile
new file mode 100644
index 000000000..8ec41eee3
--- /dev/null
+++ b/etc/profile-a-l/librecad.profile
@@ -0,0 +1,51 @@
+# Firejail profile for librecad
+# Persistent local customizations
+include librecad.local
+# Persistent global definitions
+include globals.local
+
+nodeny  ${HOME}/.config/LibreCAD
+nodeny  ${HOME}/.local/share/LibreCAD
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+allow  /usr/share/librecad
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+#nogroups
+#noinput
+nonewprivs
+noroot
+notv
+#nou2f
+novideo
+protocol unix,inet,inet6
+netfilter
+seccomp
+shell none
+#tracelog
+
+#disable-mnt
+private-bin librecad
+private-dev
+# private-etc cups,drirc,fonts,passwd,xdg
+#private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index e4440eac0..ae01d39b8 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -6,14 +6,16 @@ include libreoffice.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /usr/local/sbin
-noblacklist ${HOME}/.config/libreoffice
+nodeny  /usr/local/sbin
+nodeny  ${HOME}/.config/libreoffice
 
 # libreoffice uses java for some functionality.
 # Add 'ignore include allow-java.inc' to your libreoffice.local if you don't need that functionality.
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
 
+deny  /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 8e3e58f19..5c614ab8e 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -6,13 +6,13 @@ include librewolf.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/librewolf
-noblacklist ${HOME}/.librewolf
+nodeny  ${HOME}/.cache/librewolf
+nodeny  ${HOME}/.librewolf
 
 mkdir ${HOME}/.cache/librewolf
 mkdir ${HOME}/.librewolf
-whitelist ${HOME}/.cache/librewolf
-whitelist ${HOME}/.librewolf
+allow  ${HOME}/.cache/librewolf
+allow  ${HOME}/.librewolf
 
 # Add the next lines to your librewolf.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
@@ -23,10 +23,10 @@ whitelist ${HOME}/.librewolf
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
-whitelist /usr/share/doc
-whitelist /usr/share/gtk-doc/html
-whitelist /usr/share/mozilla
-whitelist /usr/share/webext
+allow  /usr/share/doc
+allow  /usr/share/gtk-doc/html
+allow  /usr/share/mozilla
+allow  /usr/share/webext
 include whitelist-usr-share-common.inc
 
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
@@ -44,8 +44,9 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next lines to your librewolf.local to allow screensharing under Wayland.
+# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index 7afca1d5f..595ecc257 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -6,9 +6,9 @@ include liferea.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/liferea
-noblacklist ${HOME}/.config/liferea
-noblacklist ${HOME}/.local/share/liferea
+nodeny  ${HOME}/.cache/liferea
+nodeny  ${HOME}/.config/liferea
+nodeny  ${HOME}/.local/share/liferea
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -24,10 +24,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/liferea
 mkdir ${HOME}/.config/liferea
 mkdir ${HOME}/.local/share/liferea
-whitelist ${HOME}/.cache/liferea
-whitelist ${HOME}/.config/liferea
-whitelist ${HOME}/.local/share/liferea
-whitelist /usr/share/liferea
+allow  ${HOME}/.cache/liferea
+allow  ${HOME}/.config/liferea
+allow  ${HOME}/.local/share/liferea
+allow  /usr/share/liferea
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/lightsoff.profile b/etc/profile-a-l/lightsoff.profile
index c065c44a9..58d5bcd6d 100644
--- a/etc/profile-a-l/lightsoff.profile
+++ b/etc/profile-a-l/lightsoff.profile
@@ -6,7 +6,7 @@ include lightsoff.local
 # Persistent global definitions
 include globals.local
 
-whitelist /usr/share/lightsoff
+allow  /usr/share/lightsoff
 
 private-bin lightsoff
 
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
index 4254b7f33..e14c50d77 100644
--- a/etc/profile-a-l/lincity-ng.profile
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -6,7 +6,7 @@ include lincity-ng.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.lincity-ng
+nodeny  ${HOME}/.lincity-ng
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.lincity-ng
-whitelist ${HOME}/.lincity-ng
+allow  ${HOME}/.lincity-ng
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
new file mode 100644
index 000000000..51e3d5b94
--- /dev/null
+++ b/etc/profile-a-l/links-common.profile
@@ -0,0 +1,63 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include links-common.local
+
+# common profile for links browsers
+
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
+# used as associated programs can be added in your links-common.local.
+include disable-programs.inc
+include disable-xdg.inc
+
+allow  ${DOWNLOADS}
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# Add 'ignore machine-id' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+machine-id
+netfilter
+# Add 'ignore no3d' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# Add 'ignore nosound' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# Add  'private-bin PROGRAM1,PROGRAM2' to your links-common.local  if you want to use user-configured programs.
+private-bin sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Add the next line to your links-common.local to allow external media players.
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index a1eeda14a..ae57601ca 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -7,60 +7,12 @@ include links.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.links
-
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
-# used as associated programs can be added in your links.local.
-include disable-programs.inc
-include disable-xdg.inc
+nodeny  ${HOME}/.links
 
 mkdir ${HOME}/.links
-whitelist ${HOME}/.links
-whitelist ${DOWNLOADS}
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-# Add 'ignore machine-id' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-machine-id
-netfilter
-# Add 'ignore no3d' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-# Add 'ignore nosound' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
+allow  ${HOME}/.links
 
-disable-mnt
-# Add  'private-bin PROGRAM1,PROGRAM2' to your links.local  if you want to use user-configured programs.
-private-bin links,sh
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-# Add the next line to your links.local to allow external media players.
-# private-etc alsa,asound.conf,machine-id,openal,pulse
-private-tmp
+private-bin links
 
-memory-deny-write-execute
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/links2.profile b/etc/profile-a-l/links2.profile
new file mode 100644
index 000000000..eb349c73a
--- /dev/null
+++ b/etc/profile-a-l/links2.profile
@@ -0,0 +1,18 @@
+# Firejail profile for links2
+# Description: Text WWW browser with a graphic version
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include links2.local
+# Persistent global definitions
+include globals.local
+
+nodeny  ${HOME}/.links2
+
+mkdir ${HOME}/.links2
+allow  ${HOME}/.links2
+
+private-bin links2
+
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
index 7ebdbef4c..dd1dac05b 100644
--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -6,10 +6,10 @@ include linphone.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/linphone
-noblacklist ${HOME}/.linphone-history.db
-noblacklist ${HOME}/.linphonerc
-noblacklist ${HOME}/.local/share/linphone
+nodeny  ${HOME}/.config/linphone
+nodeny  ${HOME}/.linphone-history.db
+nodeny  ${HOME}/.linphonerc
+nodeny  ${HOME}/.local/share/linphone
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,11 +23,11 @@ include disable-programs.inc
 # ${HOME}/.linphone-history.db and ${HOME}/.linphonerc but no longer mkfile.
 mkdir ${HOME}/.config/linphone
 mkdir ${HOME}/.local/share/linphone
-whitelist ${HOME}/.config/linphone
-whitelist ${HOME}/.linphone-history.db
-whitelist ${HOME}/.linphonerc
-whitelist ${HOME}/.local/share/linphone
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/linphone
+allow  ${HOME}/.linphone-history.db
+allow  ${HOME}/.linphonerc
+allow  ${HOME}/.local/share/linphone
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile
index 48b0e14dc..b22110fdc 100644
--- a/etc/profile-a-l/lmms.profile
+++ b/etc/profile-a-l/lmms.profile
@@ -6,9 +6,9 @@ include lmms.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.lmmsrc.xml
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.lmmsrc.xml
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index f2676fec5..0a7ce86e8 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -6,8 +6,8 @@ include lollypop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/lollypop
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.local/share/lollypop
+nodeny  ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile
index 174c65a65..30802b3b7 100644
--- a/etc/profile-a-l/lugaru.profile
+++ b/etc/profile-a-l/lugaru.profile
@@ -8,8 +8,8 @@ include globals.local
 
 # note: crashes after entering
 
-noblacklist ${HOME}/.config/lugaru
-noblacklist ${HOME}/.local/share/lugaru
+nodeny  ${HOME}/.config/lugaru
+nodeny  ${HOME}/.local/share/lugaru
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/lugaru
 mkdir ${HOME}/.local/share/lugaru
-whitelist ${HOME}/.config/lugaru
-whitelist ${HOME}/.local/share/lugaru
+allow  ${HOME}/.config/lugaru
+allow  ${HOME}/.local/share/lugaru
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
index 31067034e..73400dbd6 100644
--- a/etc/profile-a-l/luminance-hdr.profile
+++ b/etc/profile-a-l/luminance-hdr.profile
@@ -6,8 +6,8 @@ include luminance-hdr.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Luminance
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/Luminance
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 80a3aba86..9d5169b80 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -6,18 +6,18 @@ include lutris.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PATH}/llvm*
-noblacklist ${HOME}/Games
-noblacklist ${HOME}/.cache/lutris
-noblacklist ${HOME}/.cache/winetricks
-noblacklist ${HOME}/.config/lutris
-noblacklist ${HOME}/.local/share/lutris
+nodeny  ${PATH}/llvm*
+nodeny  ${HOME}/Games
+nodeny  ${HOME}/.cache/lutris
+nodeny  ${HOME}/.cache/winetricks
+nodeny  ${HOME}/.config/lutris
+nodeny  ${HOME}/.local/share/lutris
 # noblacklist ${HOME}/.wine
-noblacklist /tmp/.wine-*
+nodeny  /tmp/.wine-*
 # Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
 # Lutris won't even start.
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
 ignore noexec ${HOME}
 
@@ -39,15 +39,15 @@ mkdir ${HOME}/.cache/winetricks
 mkdir ${HOME}/.config/lutris
 mkdir ${HOME}/.local/share/lutris
 # mkdir ${HOME}/.wine
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/Games
-whitelist ${HOME}/.cache/lutris
-whitelist ${HOME}/.cache/winetricks
-whitelist ${HOME}/.config/lutris
-whitelist ${HOME}/.local/share/lutris
+allow  ${DOWNLOADS}
+allow  ${HOME}/Games
+allow  ${HOME}/.cache/lutris
+allow  ${HOME}/.cache/winetricks
+allow  ${HOME}/.config/lutris
+allow  ${HOME}/.local/share/lutris
 # whitelist ${HOME}/.wine
-whitelist /usr/share/lutris
-whitelist /usr/share/wine
+allow  /usr/share/lutris
+allow  /usr/share/wine
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
index b2a56012e..43147211b 100644
--- a/etc/profile-a-l/lximage-qt.profile
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -6,7 +6,7 @@ include lximage-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/lximage-qt
+nodeny  ${HOME}/.config/lximage-qt
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
index cc4b95551..c849f2ad2 100644
--- a/etc/profile-a-l/lxmusic.profile
+++ b/etc/profile-a-l/lxmusic.profile
@@ -6,9 +6,9 @@ include lxmusic.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/xmms2
-noblacklist ${HOME}/.config/xmms2
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/xmms2
+nodeny  ${HOME}/.config/xmms2
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index a919e924b..15c8f1faa 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -7,8 +7,8 @@ include lynx.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index fa69463d1..358dbf2f2 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -8,8 +8,8 @@ include globals.local
 
 ignore private-tmp
 
-noblacklist ${HOME}/.config/LyX
-noblacklist ${HOME}/.lyx
+nodeny  ${HOME}/.config/LyX
+nodeny  ${HOME}/.lyx
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -21,11 +21,11 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
-whitelist /usr/share/lyx
-whitelist /usr/share/texinfo
-whitelist /usr/share/texlive
-whitelist /usr/share/texmf-dist
-whitelist /usr/share/tlpkg
+allow  /usr/share/lyx
+allow  /usr/share/texinfo
+allow  /usr/share/texlive
+allow  /usr/share/texmf-dist
+allow  /usr/share/tlpkg
 include whitelist-usr-share-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/sway.profile b/etc/profile-a-l/sway.profile
index 4637419bf..3a4edcf69 100644
--- a/etc/profile-a-l/sway.profile
+++ b/etc/profile-a-l/sway.profile
@@ -7,9 +7,9 @@ include sway.local
 include globals.local
 
 # all applications started in sway will run in this profile
-noblacklist ${HOME}/.config/sway
+nodeny  ${HOME}/.config/sway
 # sway uses ~/.config/i3 as fallback if there is no ~/.config/sway
-noblacklist ${HOME}/.config/i3
+nodeny  ${HOME}/.config/i3
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
index 62d0a8b3a..e6c43007d 100644
--- a/etc/profile-m-z/Maelstrom.profile
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -6,7 +6,7 @@ include Maelstrom.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/lib/games/Maelstrom-Scores
+nodeny  /var/lib/games/Maelstrom-Scores
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /var/lib/games
+allow  /var/lib/games
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
index c2734b1c1..bd929d21a 100644
--- a/etc/profile-m-z/Mathematica.profile
+++ b/etc/profile-m-z/Mathematica.profile
@@ -5,8 +5,8 @@ include Mathematica.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Mathematica
-noblacklist ${HOME}/.Wolfram Research
+nodeny  ${HOME}/.Mathematica
+nodeny  ${HOME}/.Wolfram Research
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-programs.inc
 mkdir ${HOME}/.Mathematica
 mkdir ${HOME}/.Wolfram Research
 mkdir ${HOME}/Documents/Wolfram Mathematica
-whitelist ${HOME}/.Mathematica
-whitelist ${HOME}/.Wolfram Research
-whitelist ${HOME}/Documents/Wolfram Mathematica
+allow  ${HOME}/.Mathematica
+allow  ${HOME}/.Wolfram Research
+allow  ${HOME}/Documents/Wolfram Mathematica
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index e678b7204..f833b9446 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -8,7 +8,7 @@ include globals.local
 
 # Note: you must whitelist your games folder in your PCSX2.local.
 
-noblacklist ${HOME}/.config/PCSX2
+nodeny  ${HOME}/.config/PCSX2
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,7 +21,7 @@ include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/PCSX2
-whitelist ${HOME}/.config/PCSX2
+allow  ${HOME}/.config/PCSX2
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index 86120587b..d7b01fe06 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -6,18 +6,18 @@ include QMediathekView.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/QMediathekView
-noblacklist ${HOME}/.local/share/QMediathekView
-
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.config/totem
-noblacklist ${HOME}/.config/vlc
-noblacklist ${HOME}/.config/xplayer
-noblacklist ${HOME}/.local/share/totem
-noblacklist ${HOME}/.local/share/xplayer
-noblacklist ${HOME}/.mplayer
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/QMediathekView
+nodeny  ${HOME}/.local/share/QMediathekView
+
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.config/smplayer
+nodeny  ${HOME}/.config/totem
+nodeny  ${HOME}/.config/vlc
+nodeny  ${HOME}/.config/xplayer
+nodeny  ${HOME}/.local/share/totem
+nodeny  ${HOME}/.local/share/xplayer
+nodeny  ${HOME}/.mplayer
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -28,7 +28,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/qtchooser
+allow  /usr/share/qtchooser
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 660378089..4ca42730a 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -6,10 +6,10 @@ include QOwnNotes.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/Nextcloud/Notes
-noblacklist ${HOME}/.config/PBE
-noblacklist ${HOME}/.local/share/PBE
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/Nextcloud/Notes
+nodeny  ${HOME}/.config/PBE
+nodeny  ${HOME}/.local/share/PBE
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-xdg.inc
 mkdir ${HOME}/Nextcloud/Notes
 mkdir ${HOME}/.config/PBE
 mkdir ${HOME}/.local/share/PBE
-whitelist ${DOCUMENTS}
-whitelist ${HOME}/Nextcloud/Notes
-whitelist ${HOME}/.config/PBE
-whitelist ${HOME}/.local/share/PBE
+allow  ${DOCUMENTS}
+allow  ${HOME}/Nextcloud/Notes
+allow  ${HOME}/.config/PBE
+allow  ${HOME}/.local/share/PBE
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 3195e39fa..b98847d3a 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -5,8 +5,8 @@ include Viber.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ViberPC
-noblacklist ${PATH}/dig
+nodeny  ${HOME}/.ViberPC
+nodeny  ${PATH}/dig
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.ViberPC
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.ViberPC
+allow  ${DOWNLOADS}
+allow  ${HOME}/.ViberPC
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
index d78e04595..c9cf7adf7 100644
--- a/etc/profile-m-z/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
@@ -5,7 +5,7 @@ include XMind.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.xmind
+nodeny  ${HOME}/.xmind
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,8 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.xmind
-whitelist ${HOME}/.xmind
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.xmind
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index 5cf5161ce..7ba1cdac9 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -15,7 +15,7 @@ include globals.local
 # or run "sudo firecfg"
 #
 
-whitelist /var/lib/xkb
+allow  /var/lib/xkb
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 1acd43023..a246ccb23 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -18,7 +18,7 @@ include globals.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
 
-whitelist /var/lib/xkb
+allow  /var/lib/xkb
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile
index 7686c3442..4f65ad7d1 100644
--- a/etc/profile-m-z/ZeGrapher.profile
+++ b/etc/profile-m-z/ZeGrapher.profile
@@ -6,7 +6,7 @@ include ZeGrapher.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ZeGrapher Project
+nodeny  ${HOME}/.config/ZeGrapher Project
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
-whitelist /usr/share/ZeGrapher
+allow  /usr/share/ZeGrapher
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
index d1dcb6fe0..763d475bb 100644
--- a/etc/profile-m-z/macrofusion.profile
+++ b/etc/profile-m-z/macrofusion.profile
@@ -5,8 +5,8 @@ include macrofusion.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mfusion
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/mfusion
+nodeny  ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index 8a27b2626..d561a5095 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -6,7 +6,7 @@ include magicor.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.magicor
+nodeny  ${HOME}/.magicor
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -21,8 +21,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.magicor
-whitelist ${HOME}/.magicor
-whitelist /usr/share/magicor
+allow  ${HOME}/.magicor
+allow  /usr/share/magicor
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 513fcae55..a7c486c9f 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -6,8 +6,8 @@ include makepkg.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 # Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
 # for potential issues and their solutions when Firejailing makepkg
@@ -17,18 +17,18 @@ blacklist ${RUNUSER}/wayland-*
 # whitelist ${HOME}/.gnupg
 
 # Enable severely restricted access to ${HOME}/.gnupg
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
-blacklist ${HOME}/.gnupg/random_seed
-blacklist ${HOME}/.gnupg/pubring.kbx~
-blacklist ${HOME}/.gnupg/private-keys-v1.d
-blacklist ${HOME}/.gnupg/crls.d
-blacklist ${HOME}/.gnupg/openpgp-revocs.d
+deny  ${HOME}/.gnupg/random_seed
+deny  ${HOME}/.gnupg/pubring.kbx~
+deny  ${HOME}/.gnupg/private-keys-v1.d
+deny  ${HOME}/.gnupg/crls.d
+deny  ${HOME}/.gnupg/openpgp-revocs.d
 
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index bd510fcac..383eeeeb7 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -7,10 +7,10 @@ include man.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${HOME}/.local/share/man
-noblacklist ${HOME}/.rustup
+nodeny  ${HOME}/.local/share/man
+nodeny  ${HOME}/.rustup
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,12 +23,12 @@ include disable-xdg.inc
 #mkdir ${HOME}/.local/share/man
 #whitelist ${HOME}/.local/share/man
 #whitelist ${HOME}/.manpath
-whitelist /usr/share/groff
-whitelist /usr/share/info
-whitelist /usr/share/lintian
-whitelist /usr/share/locale
-whitelist /usr/share/man
-whitelist /var/cache/man
+allow  /usr/share/groff
+allow  /usr/share/info
+allow  /usr/share/lintian
+allow  /usr/share/locale
+allow  /usr/share/man
+allow  /var/cache/man
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile
index f59a56ac6..67ee783a6 100644
--- a/etc/profile-m-z/manaplus.profile
+++ b/etc/profile-m-z/manaplus.profile
@@ -6,8 +6,8 @@ include manaplus.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mana
-noblacklist ${HOME}/.local/share/mana
+nodeny  ${HOME}/.config/mana
+nodeny  ${HOME}/.local/share/mana
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,8 +21,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/mana
 mkdir ${HOME}/.config/mana/mana
 mkdir ${HOME}/.local/share/mana
-whitelist ${HOME}/.config/mana
-whitelist ${HOME}/.local/share/mana
+allow  ${HOME}/.config/mana
+allow  ${HOME}/.local/share/mana
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 087c02964..7645ad335 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -11,8 +11,8 @@ include globals.local
 #protocol unix,inet,inet6
 #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
 
-noblacklist ${HOME}/.cache/marker
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/marker
+nodeny  ${DOCUMENTS}
 
 include allow-python3.inc
 
@@ -25,7 +25,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/com.github.fabiocolacio.marker
+allow  /usr/libexec/webkit2gtk-4.0
+allow  /usr/share/com.github.fabiocolacio.marker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index de1135071..d8b215b7f 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -6,8 +6,8 @@ include masterpdfeditor.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Code Industry
-noblacklist ${HOME}/.masterpdfeditor
+nodeny  ${HOME}/.config/Code Industry
+nodeny  ${HOME}/.masterpdfeditor
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 39ee7439d..92832783e 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -6,7 +6,7 @@ include mate-calc.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mate-calc
+nodeny  ${HOME}/.config/mate-calc
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/mate-calc
 mkdir ${HOME}/.config/caja
 mkdir ${HOME}/.config/mate-menu
-whitelist ${HOME}/.cache/mate-calc
-whitelist ${HOME}/.config/caja
-whitelist ${HOME}/.config/mate-menu
+allow  ${HOME}/.cache/mate-calc
+allow  ${HOME}/.config/caja
+allow  ${HOME}/.config/mate-menu
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index ae1fcbf62..90c9d0993 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -5,7 +5,7 @@ include mate-dictionary.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mate/mate-dictionary
+nodeny  ${HOME}/.config/mate/mate-dictionary
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/mate/mate-dictionary
-whitelist ${HOME}/.config/mate/mate-dictionary
+allow  ${HOME}/.config/mate/mate-dictionary
 include whitelist-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/matrix-mirage.profile b/etc/profile-m-z/matrix-mirage.profile
index b3080df88..8ee470a50 100644
--- a/etc/profile-m-z/matrix-mirage.profile
+++ b/etc/profile-m-z/matrix-mirage.profile
@@ -7,16 +7,16 @@ include matrix-mirage.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/matrix-mirage
-noblacklist ${HOME}/.config/matrix-mirage
-noblacklist ${HOME}/.local/share/matrix-mirage
+nodeny  ${HOME}/.cache/matrix-mirage
+nodeny  ${HOME}/.config/matrix-mirage
+nodeny  ${HOME}/.local/share/matrix-mirage
 
 mkdir ${HOME}/.cache/matrix-mirage
 mkdir ${HOME}/.config/matrix-mirage
 mkdir ${HOME}/.local/share/matrix-mirage
-whitelist ${HOME}/.cache/matrix-mirage
-whitelist ${HOME}/.config/matrix-mirage
-whitelist ${HOME}/.local/share/matrix-mirage
+allow  ${HOME}/.cache/matrix-mirage
+allow  ${HOME}/.config/matrix-mirage
+allow  ${HOME}/.local/share/matrix-mirage
 
 private-bin matrix-mirage
 
diff --git a/etc/profile-m-z/mattermost-desktop.profile b/etc/profile-m-z/mattermost-desktop.profile
index 3c2bf4fa3..01076a90a 100644
--- a/etc/profile-m-z/mattermost-desktop.profile
+++ b/etc/profile-m-z/mattermost-desktop.profile
@@ -10,12 +10,12 @@ ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/Mattermost
+nodeny  ${HOME}/.config/Mattermost
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Mattermost
-whitelist ${HOME}/.config/Mattermost
+allow  ${HOME}/.config/Mattermost
 
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 38d2d8d63..ae749114a 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -6,8 +6,8 @@ include mcabber.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.mcabber
-noblacklist ${HOME}/.mcabberrc
+nodeny  ${HOME}/.mcabber
+nodeny  ${HOME}/.mcabberrc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile
new file mode 100644
index 000000000..d9e12fb5d
--- /dev/null
+++ b/etc/profile-m-z/mcomix.profile
@@ -0,0 +1,74 @@
+# Firejail profile for mcomix
+# Description: A comic book and manga viewer in python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcomix.local
+# Persistent global definitions
+include globals.local
+
+nodeny  ${HOME}/.config/mcomix
+nodeny  ${HOME}/.local/share/mcomix
+nodeny  ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+# mcomix <= 1.2 uses python2
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mcomix
+mkdir ${HOME}/.local/share/mcomix
+allow  /usr/share/mcomix
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# mcomix <= 1.2 uses python2
+private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip
+private-cache
+private-dev
+# mcomix <= 1.2 uses gtk-2.0
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/mcomix
+read-write ${HOME}/.local/share/mcomix
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
+# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
+read-write ${HOME}/.thumbnails
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index 5d3f8dc41..9e8656290 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -5,7 +5,7 @@ include mdr.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 17363624f..ae34ea321 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -6,7 +6,7 @@ include mediainfo.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index 0063badd8..3459ad4cf 100644
--- a/etc/profile-m-z/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
@@ -6,16 +6,16 @@ include mediathekview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.config/totem
-noblacklist ${HOME}/.config/vlc
-noblacklist ${HOME}/.config/xplayer
-noblacklist ${HOME}/.local/share/totem
-noblacklist ${HOME}/.local/share/xplayer
-noblacklist ${HOME}/.mediathek3
-noblacklist ${HOME}/.mplayer
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.config/smplayer
+nodeny  ${HOME}/.config/totem
+nodeny  ${HOME}/.config/vlc
+nodeny  ${HOME}/.config/xplayer
+nodeny  ${HOME}/.local/share/totem
+nodeny  ${HOME}/.local/share/xplayer
+nodeny  ${HOME}/.mediathek3
+nodeny  ${HOME}/.mplayer
+nodeny  ${VIDEOS}
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 972838729..ad9094ddf 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -6,7 +6,7 @@ include megaglest.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.megaglest
+nodeny  ${HOME}/.megaglest
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.megaglest
-whitelist ${HOME}/.megaglest
-whitelist /usr/share/megaglest
+allow  ${HOME}/.megaglest
+allow  /usr/share/megaglest
+allow  /usr/share/games/megaglest       # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 1225cc107..06ee572c9 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -13,12 +13,12 @@ include globals.local
 # Calling it by its absolute path (example for git mergetool):
 # $ git config --global mergetool.meld.cmd /usr/bin/meld
 
-noblacklist ${HOME}/.config/meld
-noblacklist ${HOME}/.config/git
-noblacklist ${HOME}/.gitconfig
-noblacklist ${HOME}/.git-credentials
-noblacklist ${HOME}/.local/share/meld
-noblacklist ${HOME}/.subversion
+nodeny  ${HOME}/.config/meld
+nodeny  ${HOME}/.config/git
+nodeny  ${HOME}/.gitconfig
+nodeny  ${HOME}/.git-credentials
+nodeny  ${HOME}/.local/share/meld
+nodeny  ${HOME}/.subversion
 
 # Allow python (blacklisted by disable-interpreters.inc)
 # Python 2 is EOL (see #3164). Add the next line to your meld.local if you understand the risks
@@ -29,6 +29,8 @@ include allow-python3.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
+deny  /usr/libexec
+
 # Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile
index c0bdbb230..e33d6c157 100644
--- a/etc/profile-m-z/mendeleydesktop.profile
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -6,13 +6,13 @@ include mendeleydesktop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.cache/Mendeley Ltd.
-noblacklist ${HOME}/.config/Mendeley Ltd.
-noblacklist ${HOME}/.local/share/Mendeley Ltd.
-noblacklist ${HOME}/.local/share/data/Mendeley Ltd.
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.cache/Mendeley Ltd.
+nodeny  ${HOME}/.config/Mendeley Ltd.
+nodeny  ${HOME}/.local/share/Mendeley Ltd.
+nodeny  ${HOME}/.local/share/data/Mendeley Ltd.
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 2081b8c96..52808a5b5 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -19,13 +19,13 @@ include disable-passwdmgr.inc
 include disable-xdg.inc
 
 # Whitelist your system icon directory,varies by distro
-whitelist /usr/share/app-info
-whitelist /usr/share/desktop-directories
-whitelist /usr/share/icons
-whitelist /usr/share/menulibre
-whitelist /var/lib/app-info/icons
-whitelist /var/lib/flatpak/exports/share/applications
-whitelist /var/lib/flatpak/exports/share/icons
+allow  /usr/share/app-info
+allow  /usr/share/desktop-directories
+allow  /usr/share/icons
+allow  /usr/share/menulibre
+allow  /var/lib/app-info/icons
+allow  /var/lib/flatpak/exports/share/applications
+allow  /var/lib/flatpak/exports/share/icons
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
index 85ed7bc74..48f936632 100644
--- a/etc/profile-m-z/meteo-qt.profile
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -6,8 +6,8 @@ include meteo-qt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/autostart
-noblacklist ${HOME}/.config/meteo-qt
+nodeny  ${HOME}/.config/autostart
+nodeny  ${HOME}/.config/meteo-qt
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/meteo-qt
-whitelist ${HOME}/.config/autostart
-whitelist ${HOME}/.config/meteo-qt
+allow  ${HOME}/.config/autostart
+allow  ${HOME}/.config/meteo-qt
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/microsoft-edge-dev.profile b/etc/profile-m-z/microsoft-edge-dev.profile
index 039cd36a8..96465866c 100644
--- a/etc/profile-m-z/microsoft-edge-dev.profile
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -6,13 +6,13 @@ include microsoft-edge-dev.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/microsoft-edge-dev
-noblacklist ${HOME}/.config/microsoft-edge-dev
+nodeny  ${HOME}/.cache/microsoft-edge-dev
+nodeny  ${HOME}/.config/microsoft-edge-dev
 
 mkdir ${HOME}/.cache/microsoft-edge-dev
 mkdir ${HOME}/.config/microsoft-edge-dev
-whitelist ${HOME}/.cache/microsoft-edge-dev
-whitelist ${HOME}/.config/microsoft-edge-dev
+allow  ${HOME}/.cache/microsoft-edge-dev
+allow  ${HOME}/.config/microsoft-edge-dev
 
 private-opt microsoft
 
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index e15259608..c4a444e0d 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -9,17 +9,17 @@ include globals.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/midori
-noblacklist ${HOME}/.config/midori
-noblacklist ${HOME}/.local/share/midori
+nodeny  ${HOME}/.cache/midori
+nodeny  ${HOME}/.config/midori
+nodeny  ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
 # noblacklist ${HOME}/.local/share/webkitgtk
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
-noblacklist ${HOME}/.cache/gnome-mplayer
-noblacklist ${HOME}/.config/gnome-mplayer
-noblacklist ${HOME}/.lastpass
+nodeny  ${HOME}/.cache/gnome-mplayer
+nodeny  ${HOME}/.config/gnome-mplayer
+nodeny  ${HOME}/.lastpass
 
 include disable-common.inc
 include disable-devel.inc
@@ -36,17 +36,17 @@ mkdir ${HOME}/.local/share/webkit
 mkdir ${HOME}/.local/share/webkitgtk
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.cache/midori
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/midori
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/midori
-whitelist ${HOME}/.local/share/webkit
-whitelist ${HOME}/.local/share/webkitgtk
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/gnome-mplayer/plugin
+allow  ${HOME}/.cache/midori
+allow  ${HOME}/.config/gnome-mplayer
+allow  ${HOME}/.config/midori
+allow  ${HOME}/.lastpass
+allow  ${HOME}/.local/share/midori
+allow  ${HOME}/.local/share/webkit
+allow  ${HOME}/.local/share/webkitgtk
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
index 7f3aeab44..214332184 100644
--- a/etc/profile-m-z/min.profile
+++ b/etc/profile-m-z/min.profile
@@ -6,10 +6,10 @@ include min.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Min
+nodeny  ${HOME}/.config/Min
 
 mkdir ${HOME}/.config/Min
-whitelist ${HOME}/.config/Min
+allow  ${HOME}/.config/Min
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index fbf6b58e8..ee8402b87 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/mindless
+allow  /usr/share/mindless
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index 2536d0b38..595313851 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -11,7 +11,7 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.minecraft
+nodeny  ${HOME}/.minecraft
 
 include allow-java.inc
 
@@ -25,13 +25,12 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.minecraft
-whitelist ${HOME}/.minecraft
+allow  ${HOME}/.minecraft
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-apparmor
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index cad1adbda..11d0859b7 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -9,8 +9,8 @@ include globals.local
 # In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
 #   screenshot_path = /home/<USER>/.minetest/screenshots
 
-noblacklist ${HOME}/.cache/minetest
-noblacklist ${HOME}/.minetest
+nodeny  ${HOME}/.cache/minetest
+nodeny  ${HOME}/.minetest
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -26,10 +26,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
-whitelist ${HOME}/.cache/minetest
-whitelist ${HOME}/.minetest
-whitelist /usr/share/games/minetest
-whitelist /usr/share/minetest
+allow  ${HOME}/.cache/minetest
+allow  ${HOME}/.minetest
+allow  /usr/share/games/minetest
+allow  /usr/share/minetest
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 3fe3428d0..192913dbf 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -6,10 +6,10 @@ include minitube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
-noblacklist ${HOME}/.cache/Flavio Tordini
-noblacklist ${HOME}/.config/Flavio Tordini
-noblacklist ${HOME}/.local/share/Flavio Tordini
+nodeny  ${PICTURES}
+nodeny  ${HOME}/.cache/Flavio Tordini
+nodeny  ${HOME}/.config/Flavio Tordini
+nodeny  ${HOME}/.local/share/Flavio Tordini
 
 include allow-lua.inc
 
@@ -25,11 +25,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/Flavio Tordini
 mkdir ${HOME}/.config/Flavio Tordini
 mkdir ${HOME}/.local/share/Flavio Tordini
-whitelist ${PICTURES}
-whitelist ${HOME}/.cache/Flavio Tordini
-whitelist ${HOME}/.config/Flavio Tordini
-whitelist ${HOME}/.local/share/Flavio Tordini
-whitelist /usr/share/minitube
+allow  ${PICTURES}
+allow  ${HOME}/.cache/Flavio Tordini
+allow  ${HOME}/.config/Flavio Tordini
+allow  ${HOME}/.local/share/Flavio Tordini
+allow  /usr/share/minitube
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index 505009283..b2f2cc5b1 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -6,10 +6,10 @@ include mirage.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/mirage
-noblacklist ${HOME}/.config/mirage
-noblacklist ${HOME}/.local/share/mirage
-noblacklist /sbin
+nodeny  ${HOME}/.cache/mirage
+nodeny  ${HOME}/.config/mirage
+nodeny  ${HOME}/.local/share/mirage
+nodeny  /sbin
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -27,10 +27,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/mirage
 mkdir ${HOME}/.config/mirage
 mkdir ${HOME}/.local/share/mirage
-whitelist ${HOME}/.cache/mirage
-whitelist ${HOME}/.config/mirage
-whitelist ${HOME}/.local/share/mirage
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/mirage
+allow  ${HOME}/.config/mirage
+allow  ${HOME}/.local/share/mirage
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index 58dfd56f5..d5ebfd4b0 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -6,7 +6,7 @@ include mirrormagic.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.mirrormagic
+nodeny  ${HOME}/.mirrormagic
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.mirrormagic
-whitelist ${HOME}/.mirrormagic
-whitelist /usr/share/mirrormagic
+allow  ${HOME}/.mirrormagic
+allow  /usr/share/mirrormagic
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index e71ba4569..b734bd7c0 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -7,8 +7,8 @@ include mocp.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.moc
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.moc
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile
index 98063fa7c..a02b29b61 100644
--- a/etc/profile-m-z/mousepad.profile
+++ b/etc/profile-m-z/mousepad.profile
@@ -6,7 +6,7 @@ include mousepad.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Mousepad
+nodeny  ${HOME}/.config/Mousepad
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index 37ce60e04..f47384753 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -6,7 +6,7 @@ include mp3splt-gtk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.mp3splt-gtk
+nodeny  ${HOME}/.mp3splt-gtk
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 070de8451..8a2ab15bd 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -6,9 +6,9 @@ include mp3splt.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 55a0b5897..6994b0429 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -6,13 +6,13 @@ include mpDris2.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mpDris2
+nodeny  ${HOME}/.config/mpDris2
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${MUSIC}
+allow  ${MUSIC}
 
 mkdir ${HOME}/.config/mpDris2
-whitelist ${HOME}/.config/mpDris2
+allow  ${HOME}/.config/mpDris2
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
index b517d4ab2..8b3350ac8 100644
--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -6,10 +6,10 @@ include mpd.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mpd
-noblacklist ${HOME}/.mpd
-noblacklist ${HOME}/.mpdconf
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/mpd
+nodeny  ${HOME}/.mpd
+nodeny  ${HOME}/.mpdconf
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
index 25187e894..03bd44daa 100644
--- a/etc/profile-m-z/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -7,7 +7,7 @@ include mpg123.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index 5d023b7f1..84754aeb2 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -6,7 +6,7 @@ include mplayer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.mplayer
+nodeny  ${HOME}/.mplayer
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 
 read-only ${DESKTOP}
 mkdir ${HOME}/.mplayer
-whitelist ${HOME}/.mplayer
+allow  ${HOME}/.mplayer
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index bfe57a132..d35519103 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -6,12 +6,12 @@ include mpsyt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mps-youtube
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.mplayer
-noblacklist ${HOME}/.netrc
-noblacklist ${HOME}/mps
+nodeny  ${HOME}/.config/mps-youtube
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.mplayer
+nodeny  ${HOME}/.netrc
+nodeny  ${HOME}/mps
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -20,8 +20,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -37,12 +37,12 @@ mkdir ${HOME}/.config/mpv
 mkdir ${HOME}/.config/youtube-dl
 mkdir ${HOME}/.mplayer
 mkdir ${HOME}/mps
-whitelist ${HOME}/.config/mps-youtube
-whitelist ${HOME}/.config/mpv
-whitelist ${HOME}/.config/youtube-dl
-whitelist ${HOME}/.mplayer
-whitelist ${HOME}/.netrc
-whitelist ${HOME}/mps
+allow  ${HOME}/.config/mps-youtube
+allow  ${HOME}/.config/mpv
+allow  ${HOME}/.config/youtube-dl
+allow  ${HOME}/.mplayer
+allow  ${HOME}/.netrc
+allow  ${HOME}/mps
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 310f36ea1..4ea2dd348 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -24,9 +24,9 @@ include globals.local
 #include allow-bin-sh.inc
 #private-bin sh
 
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.netrc
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.netrc
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -35,6 +35,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
+deny  /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -47,14 +49,14 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.config/mpv
 mkdir ${HOME}/.config/youtube-dl
 mkfile ${HOME}/.netrc
-whitelist ${HOME}/.config/mpv
-whitelist ${HOME}/.config/youtube-dl
-whitelist ${HOME}/.netrc
+allow  ${HOME}/.config/mpv
+allow  ${HOME}/.config/youtube-dl
+allow  ${HOME}/.netrc
 include whitelist-common.inc
 include whitelist-player-common.inc
-whitelist /usr/share/lua
-whitelist /usr/share/lua*
-whitelist /usr/share/vulkan
+allow  /usr/share/lua
+allow  /usr/share/lua*
+allow  /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 035a7e625..a8c49a690 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -6,7 +6,7 @@ include mrrescue.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/love
+nodeny  ${HOME}/.local/share/love
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
@@ -14,6 +14,8 @@ include allow-bin-sh.inc
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
+deny  /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -24,8 +26,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/love
-whitelist ${HOME}/.local/share/love
-whitelist /usr/share/mrrescue
+allow  ${HOME}/.local/share/love
+allow  /usr/share/mrrescue
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/ms-excel.profile b/etc/profile-m-z/ms-excel.profile
index db24e8f9b..5fea86ae7 100644
--- a/etc/profile-m-z/ms-excel.profile
+++ b/etc/profile-m-z/ms-excel.profile
@@ -6,7 +6,7 @@ include ms-excel.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/ms-excel-online
+nodeny  ${HOME}/.cache/ms-excel-online
 private-bin ms-excel
 
 # Redirect
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index 38fc84ecc..4033627f7 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -5,8 +5,8 @@ include ms-office.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/ms-office-online
-noblacklist ${HOME}/.jak
+nodeny  ${HOME}/.cache/ms-office-online
+nodeny  ${HOME}/.jak
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/ms-onenote.profile b/etc/profile-m-z/ms-onenote.profile
index 9ea0637bd..805de5102 100644
--- a/etc/profile-m-z/ms-onenote.profile
+++ b/etc/profile-m-z/ms-onenote.profile
@@ -6,7 +6,7 @@ include ms-onenote.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/ms-onenote-online
+nodeny  ${HOME}/.cache/ms-onenote-online
 private-bin ms-onenote
 
 # Redirect
diff --git a/etc/profile-m-z/ms-outlook.profile b/etc/profile-m-z/ms-outlook.profile
index fc3e7c009..bd14fb7d3 100644
--- a/etc/profile-m-z/ms-outlook.profile
+++ b/etc/profile-m-z/ms-outlook.profile
@@ -6,7 +6,7 @@ include ms-outlook.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/ms-outlook-online
+nodeny  ${HOME}/.cache/ms-outlook-online
 private-bin ms-outlook
 
 # Redirect
diff --git a/etc/profile-m-z/ms-powerpoint.profile b/etc/profile-m-z/ms-powerpoint.profile
index dadcd5b1e..02a7424e2 100644
--- a/etc/profile-m-z/ms-powerpoint.profile
+++ b/etc/profile-m-z/ms-powerpoint.profile
@@ -6,7 +6,7 @@ include ms-powerpoint.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/ms-powerpoint-online
+nodeny  ${HOME}/.cache/ms-powerpoint-online
 private-bin ms-powerpoint
 
 # Redirect
diff --git a/etc/profile-m-z/ms-skype.profile b/etc/profile-m-z/ms-skype.profile
index df1618361..01729f9a2 100644
--- a/etc/profile-m-z/ms-skype.profile
+++ b/etc/profile-m-z/ms-skype.profile
@@ -8,7 +8,7 @@ include ms-skype.local
 
 ignore novideo
 
-noblacklist ${HOME}/.cache/ms-skype-online
+nodeny  ${HOME}/.cache/ms-skype-online
 
 private-bin ms-skype
 
diff --git a/etc/profile-m-z/ms-word.profile b/etc/profile-m-z/ms-word.profile
index 5a617a893..34cf02128 100644
--- a/etc/profile-m-z/ms-word.profile
+++ b/etc/profile-m-z/ms-word.profile
@@ -6,7 +6,7 @@ include ms-word.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/ms-word-online
+nodeny  ${HOME}/.cache/ms-word-online
 private-bin ms-word
 
 # Redirect
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
index 85c3ee9f2..ec7cd5d04 100644
--- a/etc/profile-m-z/mtpaint.profile
+++ b/etc/profile-m-z/mtpaint.profile
@@ -6,7 +6,7 @@ include mtpaint.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 6df681df1..447e7753f 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -5,9 +5,9 @@ include multimc5.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/multimc
-noblacklist ${HOME}/.local/share/multimc5
-noblacklist ${HOME}/.multimc5
+nodeny  ${HOME}/.local/share/multimc
+nodeny  ${HOME}/.local/share/multimc5
+nodeny  ${HOME}/.multimc5
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -22,9 +22,9 @@ include disable-programs.inc
 mkdir ${HOME}/.local/share/multimc
 mkdir ${HOME}/.local/share/multimc5
 mkdir ${HOME}/.multimc5
-whitelist ${HOME}/.local/share/multimc
-whitelist ${HOME}/.local/share/multimc5
-whitelist ${HOME}/.multimc5
+allow  ${HOME}/.local/share/multimc
+allow  ${HOME}/.local/share/multimc5
+allow  ${HOME}/.multimc5
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
index c7f59c5ee..1d72e07b8 100644
--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -6,9 +6,9 @@ include mumble.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Mumble
-noblacklist ${HOME}/.local/share/data/Mumble
-noblacklist ${HOME}/.local/share/Mumble
+nodeny  ${HOME}/.config/Mumble
+nodeny  ${HOME}/.local/share/data/Mumble
+nodeny  ${HOME}/.local/share/Mumble
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,9 +21,9 @@ include disable-shell.inc
 mkdir ${HOME}/.config/Mumble
 mkdir ${HOME}/.local/share/data/Mumble
 mkdir ${HOME}/.local/share/Mumble
-whitelist ${HOME}/.config/Mumble
-whitelist ${HOME}/.local/share/data/Mumble
-whitelist ${HOME}/.local/share/Mumble
+allow  ${HOME}/.config/Mumble
+allow  ${HOME}/.local/share/data/Mumble
+allow  ${HOME}/.local/share/Mumble
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mupdf-gl.profile b/etc/profile-m-z/mupdf-gl.profile
index be94a9083..c208a5e54 100644
--- a/etc/profile-m-z/mupdf-gl.profile
+++ b/etc/profile-m-z/mupdf-gl.profile
@@ -7,7 +7,7 @@ include mupdf-gl.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.mupdf.history
+nodeny  ${HOME}/.mupdf.history
 
 # Redirect
 include mupdf.profile
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile
index 9e4609c48..e602b1429 100644
--- a/etc/profile-m-z/mupdf.profile
+++ b/etc/profile-m-z/mupdf.profile
@@ -6,7 +6,7 @@ include mupdf.local
 # Persistent global definitions
 #include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile
index 00983a8f3..ecc7e2957 100644
--- a/etc/profile-m-z/mupen64plus.profile
+++ b/etc/profile-m-z/mupen64plus.profile
@@ -6,8 +6,8 @@ include mupen64plus.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mupen64plus
-noblacklist ${HOME}/.local/share/mupen64plus
+nodeny  ${HOME}/.config/mupen64plus
+nodeny  ${HOME}/.local/share/mupen64plus
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 # you'll need to manually whitelist ROM files
 mkdir ${HOME}/.config/mupen64plus
 mkdir ${HOME}/.local/share/mupen64plus
-whitelist ${HOME}/.config/mupen64plus
-whitelist ${HOME}/.local/share/mupen64plus
+allow  ${HOME}/.config/mupen64plus
+allow  ${HOME}/.local/share/mupen64plus
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
index 679e82ae8..aa141f9c0 100644
--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -6,12 +6,12 @@ include musescore.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/MusE
-noblacklist ${HOME}/.config/MuseScore
-noblacklist ${HOME}/.local/share/data/MusE
-noblacklist ${HOME}/.local/share/data/MuseScore
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/MusE
+nodeny  ${HOME}/.config/MuseScore
+nodeny  ${HOME}/.local/share/data/MusE
+nodeny  ${HOME}/.local/share/data/MuseScore
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
index 04500ac6a..5ab1303a2 100644
--- a/etc/profile-m-z/musictube.profile
+++ b/etc/profile-m-z/musictube.profile
@@ -6,9 +6,9 @@ include musictube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Flavio Tordini
-noblacklist ${HOME}/.config/Flavio Tordini
-noblacklist ${HOME}/.local/share/Flavio Tordini
+nodeny  ${HOME}/.cache/Flavio Tordini
+nodeny  ${HOME}/.config/Flavio Tordini
+nodeny  ${HOME}/.local/share/Flavio Tordini
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/Flavio Tordini
 mkdir ${HOME}/.config/Flavio Tordini
 mkdir ${HOME}/.local/share/Flavio Tordini
-whitelist ${HOME}/.cache/Flavio Tordini
-whitelist ${HOME}/.config/Flavio Tordini
-whitelist ${HOME}/.local/share/Flavio Tordini
-whitelist /usr/share/musictube
+allow  ${HOME}/.cache/Flavio Tordini
+allow  ${HOME}/.config/Flavio Tordini
+allow  ${HOME}/.local/share/Flavio Tordini
+allow  /usr/share/musictube
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 74b3e9a5f..9390f9dcf 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -5,7 +5,7 @@ include musixmatch.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index debf81659..91606bdfa 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -7,36 +7,36 @@ include mutt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/mail
-noblacklist /var/spool/mail
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.Mail
-noblacklist ${HOME}/.bogofilter
-noblacklist ${HOME}/.cache/mutt
-noblacklist ${HOME}/.config/mutt
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.elinks
-noblacklist ${HOME}/.emacs
-noblacklist ${HOME}/.emacs.d
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mail
-noblacklist ${HOME}/.mailcap
-noblacklist ${HOME}/.msmtprc
-noblacklist ${HOME}/.mutt
-noblacklist ${HOME}/.muttrc
-noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.signature
-noblacklist ${HOME}/.vim
-noblacklist ${HOME}/.viminfo
-noblacklist ${HOME}/.vimrc
-noblacklist ${HOME}/.w3m
-noblacklist ${HOME}/Mail
-noblacklist ${HOME}/mail
-noblacklist ${HOME}/postponed
-noblacklist ${HOME}/sent
+nodeny  /var/mail
+nodeny  /var/spool/mail
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.Mail
+nodeny  ${HOME}/.bogofilter
+nodeny  ${HOME}/.cache/mutt
+nodeny  ${HOME}/.config/mutt
+nodeny  ${HOME}/.config/nano
+nodeny  ${HOME}/.elinks
+nodeny  ${HOME}/.emacs
+nodeny  ${HOME}/.emacs.d
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.mail
+nodeny  ${HOME}/.mailcap
+nodeny  ${HOME}/.msmtprc
+nodeny  ${HOME}/.mutt
+nodeny  ${HOME}/.muttrc
+nodeny  ${HOME}/.nanorc
+nodeny  ${HOME}/.signature
+nodeny  ${HOME}/.vim
+nodeny  ${HOME}/.viminfo
+nodeny  ${HOME}/.vimrc
+nodeny  ${HOME}/.w3m
+nodeny  ${HOME}/Mail
+nodeny  ${HOME}/mail
+nodeny  ${HOME}/postponed
+nodeny  ${HOME}/sent
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 # Add the next lines to your mutt.local for oauth.py,S/MIME support.
 #include allow-perl.inc
@@ -75,37 +75,37 @@ mkfile ${HOME}/.nanorc
 mkfile ${HOME}/.signature
 mkfile ${HOME}/.viminfo
 mkfile ${HOME}/.vimrc
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.Mail
-whitelist ${HOME}/.bogofilter
-whitelist ${HOME}/.cache/mutt
-whitelist ${HOME}/.config/mutt
-whitelist ${HOME}/.config/nano
-whitelist ${HOME}/.elinks
-whitelist ${HOME}/.emacs
-whitelist ${HOME}/.emacs.d
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mail
-whitelist ${HOME}/.mailcap
-whitelist ${HOME}/.msmtprc
-whitelist ${HOME}/.mutt
-whitelist ${HOME}/.muttrc
-whitelist ${HOME}/.nanorc
-whitelist ${HOME}/.signature
-whitelist ${HOME}/.vim
-whitelist ${HOME}/.viminfo
-whitelist ${HOME}/.vimrc
-whitelist ${HOME}/.w3m
-whitelist ${HOME}/Mail
-whitelist ${HOME}/mail
-whitelist ${HOME}/postponed
-whitelist ${HOME}/sent
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /usr/share/mutt
-whitelist /var/mail
-whitelist /var/spool/mail
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
+allow  ${HOME}/.Mail
+allow  ${HOME}/.bogofilter
+allow  ${HOME}/.cache/mutt
+allow  ${HOME}/.config/mutt
+allow  ${HOME}/.config/nano
+allow  ${HOME}/.elinks
+allow  ${HOME}/.emacs
+allow  ${HOME}/.emacs.d
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.mail
+allow  ${HOME}/.mailcap
+allow  ${HOME}/.msmtprc
+allow  ${HOME}/.mutt
+allow  ${HOME}/.muttrc
+allow  ${HOME}/.nanorc
+allow  ${HOME}/.signature
+allow  ${HOME}/.vim
+allow  ${HOME}/.viminfo
+allow  ${HOME}/.vimrc
+allow  ${HOME}/.w3m
+allow  ${HOME}/Mail
+allow  ${HOME}/mail
+allow  ${HOME}/postponed
+allow  ${HOME}/sent
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
+allow  /usr/share/mutt
+allow  /var/mail
+allow  /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index d8d487fe7..19af47498 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -6,10 +6,10 @@ include mypaint.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/mypaint
-noblacklist ${HOME}/.config/mypaint
-noblacklist ${HOME}/.local/share/mypaint
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.cache/mypaint
+nodeny  ${HOME}/.config/mypaint
+nodeny  ${HOME}/.local/share/mypaint
+nodeny  ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 4698c2287..f0553bed5 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -7,10 +7,10 @@ include nano.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.nanorc
+nodeny  ${HOME}/.config/nano
+nodeny  ${HOME}/.nanorc
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/nano
+allow  /usr/share/nano
 include whitelist-usr-share-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile
index 5bf152f84..35d152748 100644
--- a/etc/profile-m-z/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -5,9 +5,9 @@ include natron.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Natron
-noblacklist ${HOME}/.cache/INRIA/Natron
-noblacklist ${HOME}/.config/INRIA
+nodeny  ${HOME}/.Natron
+nodeny  ${HOME}/.cache/INRIA/Natron
+nodeny  ${HOME}/.config/INRIA
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 063e30366..38646dc90 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -6,7 +6,7 @@ include ncdu.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-exec.inc
 
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 9f00448c8..ceb885908 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -6,12 +6,12 @@ include neochat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/KDE/neochat
-noblacklist ${HOME}/.config/KDE
-noblacklist ${HOME}/.config/KDE/neochat
-noblacklist ${HOME}/.config/neochatrc
-noblacklist ${HOME}/.config/neochat.notifyrc
-noblacklist ${HOME}/.local/share/KDE/neochat
+nodeny  ${HOME}/.cache/KDE/neochat
+nodeny  ${HOME}/.config/KDE
+nodeny  ${HOME}/.config/KDE/neochat
+nodeny  ${HOME}/.config/neochatrc
+nodeny  ${HOME}/.config/neochat.notifyrc
+nodeny  ${HOME}/.local/share/KDE/neochat
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,9 +24,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/KDE/neochat
 mkdir ${HOME}/.local/share/KDE/neochat
-whitelist ${HOME}/.cache/KDE/neochat
-whitelist ${HOME}/.local/share/KDE/neochat
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/KDE/neochat
+allow  ${HOME}/.local/share/KDE/neochat
+allow  ${DOWNLOADS}
 include whitelist-1793-workaround.inc
 include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index fafa129e4..939d6f111 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -7,38 +7,38 @@ include neomutt.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${HOME}/.Mail
-noblacklist ${HOME}/.bogofilter
-noblacklist ${HOME}/.config/mutt
-noblacklist ${HOME}/.config/nano
-noblacklist ${HOME}/.config/neomutt
-noblacklist ${HOME}/.elinks
-noblacklist ${HOME}/.emacs
-noblacklist ${HOME}/.emacs.d
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mail
-noblacklist ${HOME}/.mailcap
-noblacklist ${HOME}/.msmtprc
-noblacklist ${HOME}/.mutt
-noblacklist ${HOME}/.muttrc
-noblacklist ${HOME}/.nanorc
-noblacklist ${HOME}/.neomutt
-noblacklist ${HOME}/.neomuttrc
-noblacklist ${HOME}/.signature
-noblacklist ${HOME}/.vim
-noblacklist ${HOME}/.viminfo
-noblacklist ${HOME}/.vimrc
-noblacklist ${HOME}/.w3m
-noblacklist ${HOME}/Mail
-noblacklist ${HOME}/mail
-noblacklist ${HOME}/postponed
-noblacklist ${HOME}/sent
-noblacklist /var/mail
-noblacklist /var/spool/mail
+nodeny  ${DOCUMENTS}
+nodeny  ${HOME}/.Mail
+nodeny  ${HOME}/.bogofilter
+nodeny  ${HOME}/.config/mutt
+nodeny  ${HOME}/.config/nano
+nodeny  ${HOME}/.config/neomutt
+nodeny  ${HOME}/.elinks
+nodeny  ${HOME}/.emacs
+nodeny  ${HOME}/.emacs.d
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.mail
+nodeny  ${HOME}/.mailcap
+nodeny  ${HOME}/.msmtprc
+nodeny  ${HOME}/.mutt
+nodeny  ${HOME}/.muttrc
+nodeny  ${HOME}/.nanorc
+nodeny  ${HOME}/.neomutt
+nodeny  ${HOME}/.neomuttrc
+nodeny  ${HOME}/.signature
+nodeny  ${HOME}/.vim
+nodeny  ${HOME}/.viminfo
+nodeny  ${HOME}/.vimrc
+nodeny  ${HOME}/.w3m
+nodeny  ${HOME}/Mail
+nodeny  ${HOME}/mail
+nodeny  ${HOME}/postponed
+nodeny  ${HOME}/sent
+nodeny  /var/mail
+nodeny  /var/spool/mail
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include allow-lua.inc
 
@@ -76,39 +76,39 @@ mkfile ${HOME}/.neomuttrc
 mkfile ${HOME}/.signature
 mkfile ${HOME}/.viminfo
 mkfile ${HOME}/.vimrc
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.Mail
-whitelist ${HOME}/.bogofilter
-whitelist ${HOME}/.config/mutt
-whitelist ${HOME}/.config/nano
-whitelist ${HOME}/.config/neomutt
-whitelist ${HOME}/.elinks
-whitelist ${HOME}/.emacs
-whitelist ${HOME}/.emacs.d
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mail
-whitelist ${HOME}/.mailcap
-whitelist ${HOME}/.msmtprc
-whitelist ${HOME}/.mutt
-whitelist ${HOME}/.muttrc
-whitelist ${HOME}/.nanorc
-whitelist ${HOME}/.neomutt
-whitelist ${HOME}/.neomuttrc
-whitelist ${HOME}/.signature
-whitelist ${HOME}/.vim
-whitelist ${HOME}/.viminfo
-whitelist ${HOME}/.vimrc
-whitelist ${HOME}/.w3m
-whitelist ${HOME}/Mail
-whitelist ${HOME}/mail
-whitelist ${HOME}/postponed
-whitelist ${HOME}/sent
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /usr/share/neomutt
-whitelist /var/mail
-whitelist /var/spool/mail
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
+allow  ${HOME}/.Mail
+allow  ${HOME}/.bogofilter
+allow  ${HOME}/.config/mutt
+allow  ${HOME}/.config/nano
+allow  ${HOME}/.config/neomutt
+allow  ${HOME}/.elinks
+allow  ${HOME}/.emacs
+allow  ${HOME}/.emacs.d
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.mail
+allow  ${HOME}/.mailcap
+allow  ${HOME}/.msmtprc
+allow  ${HOME}/.mutt
+allow  ${HOME}/.muttrc
+allow  ${HOME}/.nanorc
+allow  ${HOME}/.neomutt
+allow  ${HOME}/.neomuttrc
+allow  ${HOME}/.signature
+allow  ${HOME}/.vim
+allow  ${HOME}/.viminfo
+allow  ${HOME}/.vimrc
+allow  ${HOME}/.w3m
+allow  ${HOME}/Mail
+allow  ${HOME}/mail
+allow  ${HOME}/postponed
+allow  ${HOME}/sent
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
+allow  /usr/share/neomutt
+allow  /var/mail
+allow  /var/spool/mail
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 5d45dd7bc..68297c110 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -6,7 +6,7 @@ include netactview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.netactview
+nodeny  ${HOME}/.netactview
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.netactview
-whitelist ${HOME}/.netactview
-whitelist /usr/share/netactview
+allow  ${HOME}/.netactview
+allow  /usr/share/netactview
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile
index c9a537370..d5bf8a52a 100644
--- a/etc/profile-m-z/nethack-vultures.profile
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -6,7 +6,7 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.vultures
+nodeny  ${HOME}/.vultures
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.vultures
-whitelist ${HOME}/.vultures
-whitelist /var/log/vultures
+allow  ${HOME}/.vultures
+allow  /var/log/vultures
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile
index b57abe260..23b57bb52 100644
--- a/etc/profile-m-z/nethack.profile
+++ b/etc/profile-m-z/nethack.profile
@@ -6,7 +6,7 @@ include nethack.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/games/nethack
+nodeny  /var/games/nethack
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,7 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /var/games/nethack
+allow  /var/games/nethack
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/netsurf.profile b/etc/profile-m-z/netsurf.profile
index 0ddb7bbbe..b099d6f0c 100644
--- a/etc/profile-m-z/netsurf.profile
+++ b/etc/profile-m-z/netsurf.profile
@@ -6,8 +6,8 @@ include netsurf.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/netsurf
-noblacklist ${HOME}/.config/netsurf
+nodeny  ${HOME}/.cache/netsurf
+nodeny  ${HOME}/.config/netsurf
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/netsurf
 mkdir ${HOME}/.config/netsurf
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/netsurf
-whitelist ${HOME}/.config/netsurf
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/netsurf
+allow  ${HOME}/.config/netsurf
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index ecfbb14e4..dad90a66c 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -6,7 +6,7 @@ include neverball.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.neverball
+nodeny  ${HOME}/.neverball
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.neverball
-whitelist ${HOME}/.neverball
-whitelist /usr/share/neverball
+allow  ${HOME}/.neverball
+allow  /usr/share/neverball
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/newsbeuter.profile b/etc/profile-m-z/newsbeuter.profile
index 6efb19502..c26ba4be0 100644
--- a/etc/profile-m-z/newsbeuter.profile
+++ b/etc/profile-m-z/newsbeuter.profile
@@ -11,15 +11,15 @@ ignore include newsboat.local
 ignore mkdir ${HOME}/.config/newsboat
 ignore mkdir ${HOME}/.local/share/newsboat
 ignore mkdir ${HOME}/.newsboat
-blacklist ${PATH}/newsboat
+deny  ${PATH}/newsboat
 
-blacklist ${HOME}/.config/newsboat
-blacklist ${HOME}/.local/share/newsboat
-blacklist ${HOME}/.newsboat
+deny  ${HOME}/.config/newsboat
+deny  ${HOME}/.local/share/newsboat
+deny  ${HOME}/.newsboat
 
-nowhitelist ${HOME}/.config/newsboat
-nowhitelist ${HOME}/.local/share/newsboat
-nowhitelist ${HOME}/.newsboat
+noallow  ${HOME}/.config/newsboat
+noallow  ${HOME}/.local/share/newsboat
+noallow  ${HOME}/.newsboat
 
 mkdir ${HOME}/.config/newsbeuter
 mkdir ${HOME}/.local/share/newsbeuter
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index 13bc3a615..e34752b55 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -6,12 +6,12 @@ include newsboat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/newsbeuter
-noblacklist ${HOME}/.config/newsboat
-noblacklist ${HOME}/.local/share/newsbeuter
-noblacklist ${HOME}/.local/share/newsboat
-noblacklist ${HOME}/.newsbeuter
-noblacklist ${HOME}/.newsboat
+nodeny  ${HOME}/.config/newsbeuter
+nodeny  ${HOME}/.config/newsboat
+nodeny  ${HOME}/.local/share/newsbeuter
+nodeny  ${HOME}/.local/share/newsboat
+nodeny  ${HOME}/.newsbeuter
+nodeny  ${HOME}/.newsboat
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,12 +24,12 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/newsboat
 mkdir ${HOME}/.local/share/newsboat
 mkdir ${HOME}/.newsboat
-whitelist ${HOME}/.config/newsbeuter
-whitelist ${HOME}/.config/newsboat
-whitelist ${HOME}/.local/share/newsbeuter
-whitelist ${HOME}/.local/share/newsboat
-whitelist ${HOME}/.newsbeuter
-whitelist ${HOME}/.newsboat
+allow  ${HOME}/.config/newsbeuter
+allow  ${HOME}/.config/newsboat
+allow  ${HOME}/.local/share/newsbeuter
+allow  ${HOME}/.local/share/newsboat
+allow  ${HOME}/.newsbeuter
+allow  ${HOME}/.newsboat
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
index 18d8c6ed4..273628ea2 100644
--- a/etc/profile-m-z/newsflash.profile
+++ b/etc/profile-m-z/newsflash.profile
@@ -6,9 +6,9 @@ include newsflash.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/NewsFlashGTK
-noblacklist ${HOME}/.config/news-flash
-noblacklist ${HOME}/.local/share/news-flash
+nodeny  ${HOME}/.cache/NewsFlashGTK
+nodeny  ${HOME}/.config/news-flash
+nodeny  ${HOME}/.local/share/news-flash
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/NewsFlashGTK
 mkdir ${HOME}/.config/news-flash
 mkdir ${HOME}/.local/share/news-flash
-whitelist ${HOME}/.cache/NewsFlashGTK
-whitelist ${HOME}/.config/news-flash
-whitelist ${HOME}/.local/share/news-flash
+allow  ${HOME}/.cache/NewsFlashGTK
+allow  ${HOME}/.config/news-flash
+allow  ${HOME}/.local/share/news-flash
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 9fd76fbe7..7ba46691d 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -6,9 +6,9 @@ include nextcloud.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/Nextcloud
-noblacklist ${HOME}/.config/Nextcloud
-noblacklist ${HOME}/.local/share/Nextcloud
+nodeny  ${HOME}/Nextcloud
+nodeny  ${HOME}/.config/Nextcloud
+nodeny  ${HOME}/.local/share/Nextcloud
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #noblacklist ${DOCUMENTS}
 #noblacklist ${MUSIC}
@@ -27,9 +27,9 @@ include disable-xdg.inc
 mkdir ${HOME}/Nextcloud
 mkdir ${HOME}/.config/Nextcloud
 mkdir ${HOME}/.local/share/Nextcloud
-whitelist ${HOME}/Nextcloud
-whitelist ${HOME}/.config/Nextcloud
-whitelist ${HOME}/.local/share/Nextcloud
+allow  ${HOME}/Nextcloud
+allow  ${HOME}/.config/Nextcloud
+allow  ${HOME}/.local/share/Nextcloud
 # Add the next lines to your nextcloud.local to allow sync in more directories.
 #whitelist ${DOCUMENTS}
 #whitelist ${MUSIC}
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index f8062891c..0149e0737 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -6,9 +6,9 @@ include nheko.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/nheko
-noblacklist ${HOME}/.config/nheko
-noblacklist ${HOME}/.local/share/nheko
+nodeny  ${HOME}/.cache/nheko
+nodeny  ${HOME}/.config/nheko
+nodeny  ${HOME}/.local/share/nheko
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/nheko
 mkdir ${HOME}/.config/nheko
 mkdir ${HOME}/.local/share/nheko
-whitelist ${HOME}/.cache/nheko
-whitelist ${HOME}/.config/nheko
-whitelist ${HOME}/.local/share/nheko
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/nheko
+allow  ${HOME}/.config/nheko
+allow  ${HOME}/.local/share/nheko
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index 1c7dbc009..b31a7babf 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -6,7 +6,7 @@ include nicotine.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.nicotine
+nodeny  ${HOME}/.nicotine
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -21,9 +21,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.nicotine
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.nicotine
-whitelist /usr/share/GeoIP
+allow  ${DOWNLOADS}
+allow  ${HOME}/.nicotine
+allow  /usr/share/GeoIP
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index 8dba84f02..70fffd5d4 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -6,8 +6,8 @@ include nitroshare.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Nathan Osman
-noblacklist ${HOME}/.config/NitroShare
+nodeny  ${HOME}/.config/Nathan Osman
+nodeny  ${HOME}/.config/NitroShare
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index fa69f9214..7981ba6ae 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,22 +7,22 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 ignore read-only ${HOME}/.npm-packages
 ignore read-only ${HOME}/.npmrc
 ignore read-only ${HOME}/.nvm
 ignore read-only ${HOME}/.yarnrc
 
-noblacklist ${HOME}/.node-gyp
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
-noblacklist ${HOME}/.nvm
-noblacklist ${HOME}/.yarn
-noblacklist ${HOME}/.yarn-config
-noblacklist ${HOME}/.yarncache
-noblacklist ${HOME}/.yarnrc
+nodeny  ${HOME}/.node-gyp
+nodeny  ${HOME}/.npm
+nodeny  ${HOME}/.npmrc
+nodeny  ${HOME}/.nvm
+nodeny  ${HOME}/.yarn
+nodeny  ${HOME}/.yarn-config
+nodeny  ${HOME}/.yarncache
+nodeny  ${HOME}/.yarnrc
 
 ignore noexec ${HOME}
 
@@ -58,9 +58,9 @@ include disable-xdg.inc
 #whitelist ${HOME}/Projects
 #include whitelist-common.inc
 
-whitelist /usr/share/doc/node
-whitelist /usr/share/nvm
-whitelist /usr/share/systemtap/tapset/node.stp
+allow  /usr/share/doc/node
+allow  /usr/share/nvm
+allow  /usr/share/systemtap/tapset/node.stp
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index a36dee874..80fbd0fcb 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -6,10 +6,10 @@ include nomacs.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/nomacs
-noblacklist ${HOME}/.local/share/nomacs
-noblacklist ${HOME}/.local/share/data/nomacs
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/nomacs
+nodeny  ${HOME}/.local/share/nomacs
+nodeny  ${HOME}/.local/share/data/nomacs
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index 650118c98..a3bcc040c 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -7,7 +7,7 @@ include notify-send.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
index c7a131a2c..b3002ad0e 100644
--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -7,10 +7,10 @@ include nslookup.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
-noblacklist ${PATH}/nslookup
+nodeny  ${PATH}/nslookup
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,7 +20,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${HOME}/.nslookuprc
+allow  ${HOME}/.nslookuprc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 886403b9e..67f54f9fc 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -8,12 +8,12 @@ include globals.local
 
 ignore dbus-user
 
-noblacklist ${HOME}/.config/nuclear
+nodeny  ${HOME}/.config/nuclear
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/nuclear
-whitelist ${HOME}/.config/nuclear
+allow  ${HOME}/.config/nuclear
 
 no3d
 
diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile
index fe0c2116b..ee7710b9c 100644
--- a/etc/profile-m-z/nylas.profile
+++ b/etc/profile-m-z/nylas.profile
@@ -5,8 +5,8 @@ include nylas.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Nylas Mail
-noblacklist ${HOME}/.nylas-mail
+nodeny  ${HOME}/.config/Nylas Mail
+nodeny  ${HOME}/.nylas-mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,9 +16,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/Nylas Mail
 mkdir ${HOME}/.nylas-mail
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/Nylas Mail
-whitelist ${HOME}/.nylas-mail
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/Nylas Mail
+allow  ${HOME}/.nylas-mail
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index d040d42af..1d606f70c 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -10,7 +10,7 @@ include globals.local
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${HOME}/.nyx
+nodeny  ${HOME}/.nyx
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,7 +22,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.nyx
-whitelist ${HOME}/.nyx
+allow  ${HOME}/.nyx
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile
index 9345cee4f..f70bdc55a 100644
--- a/etc/profile-m-z/obs.profile
+++ b/etc/profile-m-z/obs.profile
@@ -5,10 +5,10 @@ include obs.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/obs-studio
-noblacklist ${MUSIC}
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/obs-studio
+nodeny  ${MUSIC}
+nodeny  ${PICTURES}
+nodeny  ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 7be68a201..792c2ffc6 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -6,9 +6,9 @@ include ocenaudio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/ocenaudio
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.local/share/ocenaudio
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 6163d2e22..61b71ec10 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -6,9 +6,9 @@ include odt2txt.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index ab8ccf623..feeed86cb 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -6,18 +6,18 @@ include okular.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/okular
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-noblacklist ${HOME}/.local/share/kxmlgui5/okular
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/okular
+nodeny  ${HOME}/.config/okularpartrc
+nodeny  ${HOME}/.config/okularrc
+nodeny  ${HOME}/.kde/share/apps/okular
+nodeny  ${HOME}/.kde/share/config/okularpartrc
+nodeny  ${HOME}/.kde/share/config/okularrc
+nodeny  ${HOME}/.kde4/share/apps/okular
+nodeny  ${HOME}/.kde4/share/config/okularpartrc
+nodeny  ${HOME}/.kde4/share/config/okularrc
+nodeny  ${HOME}/.local/share/kxmlgui5/okular
+nodeny  ${HOME}/.local/share/okular
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -28,15 +28,15 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/config.kcfg/gssettings.kcfg
-whitelist /usr/share/config.kcfg/pdfsettings.kcfg
-whitelist /usr/share/config.kcfg/okular.kcfg
-whitelist /usr/share/config.kcfg/okular_core.kcfg
-whitelist /usr/share/ghostscript
-whitelist /usr/share/kconf_update/okular.upd
-whitelist /usr/share/kxmlgui5/okular
-whitelist /usr/share/okular
-whitelist /usr/share/poppler
+allow  /usr/share/config.kcfg/gssettings.kcfg
+allow  /usr/share/config.kcfg/pdfsettings.kcfg
+allow  /usr/share/config.kcfg/okular.kcfg
+allow  /usr/share/config.kcfg/okular_core.kcfg
+allow  /usr/share/ghostscript
+allow  /usr/share/kconf_update/okular.upd
+allow  /usr/share/kxmlgui5/okular
+allow  /usr/share/okular
+allow  /usr/share/poppler
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index 5b367b639..748d17995 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -6,7 +6,7 @@ include onboard.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/onboard
+nodeny  ${HOME}/.config/onboard
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/onboard
-whitelist ${HOME}/.config/onboard
-whitelist /usr/share/onboard
+allow  ${HOME}/.config/onboard
+allow  /usr/share/onboard
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index 960df9034..188818a7f 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -5,7 +5,7 @@ include onionshare-gui.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/onionshare
+nodeny  ${HOME}/.config/onionshare
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 7a840d4a9..6e2b31def 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -6,7 +6,7 @@ include open-invaders.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.openinvaders
+nodeny  ${HOME}/.openinvaders
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.openinvaders
-whitelist ${HOME}/.openinvaders
+allow  ${HOME}/.openinvaders
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 36ce0316f..dfc78e5a9 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -6,7 +6,7 @@ include openarena.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.openarena
+nodeny  ${HOME}/.openarena
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.openarena
-whitelist ${HOME}/.openarena
-whitelist /usr/share/openarena
+allow  ${HOME}/.openarena
+allow  /usr/share/openarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index b49fd9932..5a6b378f0 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -7,7 +7,7 @@ include openbox.local
 include globals.local
 
 # all applications started in openbox will run in this profile
-noblacklist ${HOME}/.config/openbox
+nodeny  ${HOME}/.config/openbox
 include disable-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile
index a3d371e15..268e7cee3 100644
--- a/etc/profile-m-z/opencity.profile
+++ b/etc/profile-m-z/opencity.profile
@@ -6,7 +6,7 @@ include opencity.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.opencity
+nodeny  ${HOME}/.opencity
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.opencity
-whitelist ${HOME}/.opencity
+allow  ${HOME}/.opencity
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 32b40df42..588191cb3 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -6,7 +6,7 @@ include openclonk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.clonk
+nodeny  ${HOME}/.clonk
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.clonk
-whitelist ${HOME}/.clonk
+allow  ${HOME}/.clonk
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
index d1fe67aed..95d507c98 100644
--- a/etc/profile-m-z/openmw.profile
+++ b/etc/profile-m-z/openmw.profile
@@ -6,8 +6,8 @@ include openmw.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/openmw
-noblacklist ${HOME}/.local/share/openmw
+nodeny  ${HOME}/.config/openmw
+nodeny  ${HOME}/.local/share/openmw
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,11 +21,11 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/openmw
 mkdir ${HOME}/.local/share/openmw
-whitelist ${HOME}/.config/openmw
+allow  ${HOME}/.config/openmw
 # Copy Morrowind data files into ${HOME}/.local/share/openmw or load them from /mnt.
 # Alternatively you can whitelist custom paths in your openmw.local.
-whitelist ${HOME}/.local/share/openmw
-whitelist /usr/share/openmw
+allow  ${HOME}/.local/share/openmw
+allow  /usr/share/openmw
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
index 6118630c4..ebb536b3e 100644
--- a/etc/profile-m-z/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -6,8 +6,8 @@ include openshot.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.openshot
-noblacklist ${HOME}/.openshot_qt
+nodeny  ${HOME}/.openshot
+nodeny  ${HOME}/.openshot_qt
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -19,8 +19,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/blender
-whitelist /usr/share/inkscape
+allow  /usr/share/blender
+allow  /usr/share/inkscape
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile
index 546958bb7..79c1f8ffa 100644
--- a/etc/profile-m-z/openttd.profile
+++ b/etc/profile-m-z/openttd.profile
@@ -6,7 +6,7 @@ include openttd.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.openttd
+nodeny  ${HOME}/.openttd
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.openttd
-whitelist ${HOME}/.openttd
+allow  ${HOME}/.openttd
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 551f1aba4..548afc0b4 100644
--- a/etc/profile-m-z/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
@@ -10,13 +10,13 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/opera
-noblacklist ${HOME}/.config/opera-beta
+nodeny  ${HOME}/.cache/opera
+nodeny  ${HOME}/.config/opera-beta
 
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera-beta
-whitelist ${HOME}/.cache/opera
-whitelist ${HOME}/.config/opera-beta
+allow  ${HOME}/.cache/opera
+allow  ${HOME}/.config/opera-beta
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
index 2c7c5fc35..5a3fe064e 100644
--- a/etc/profile-m-z/opera.profile
+++ b/etc/profile-m-z/opera.profile
@@ -11,16 +11,16 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/opera
-noblacklist ${HOME}/.config/opera
-noblacklist ${HOME}/.opera
+nodeny  ${HOME}/.cache/opera
+nodeny  ${HOME}/.config/opera
+nodeny  ${HOME}/.opera
 
 mkdir ${HOME}/.cache/opera
 mkdir ${HOME}/.config/opera
 mkdir ${HOME}/.opera
-whitelist ${HOME}/.cache/opera
-whitelist ${HOME}/.config/opera
-whitelist ${HOME}/.opera
+allow  ${HOME}/.cache/opera
+allow  ${HOME}/.config/opera
+allow  ${HOME}/.opera
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index 4e4d8bea5..a49cbdb91 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -6,8 +6,8 @@ include orage.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/orage
-noblacklist ${HOME}/.local/share/orage
+nodeny  ${HOME}/.config/orage
+nodeny  ${HOME}/.local/share/orage
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index 310b90919..ed881816e 100644
--- a/etc/profile-m-z/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -6,7 +6,7 @@ include ostrichriders.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ostrichriders
+nodeny  ${HOME}/.ostrichriders
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.ostrichriders
-whitelist ${HOME}/.ostrichriders
-whitelist /usr/share/ostrichriders
+allow  ${HOME}/.ostrichriders
+allow  /usr/share/ostrichriders
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index 20a4e25ed..bc9e730a1 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -8,10 +8,10 @@ include globals.local
 
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/Otter
-noblacklist ${HOME}/.config/otter
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.cache/Otter
+nodeny  ${HOME}/.config/otter
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -25,12 +25,12 @@ mkdir ${HOME}/.cache/Otter
 mkdir ${HOME}/.config/otter
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/Otter
-whitelist ${HOME}/.config/otter
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
-whitelist /usr/share/otter-browser
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/Otter
+allow  ${HOME}/.config/otter
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
+allow  /usr/share/otter-browser
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index acb2ce176..503c141d8 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -5,13 +5,13 @@ include palemoon.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/moonchild productions/pale moon
-noblacklist ${HOME}/.moonchild productions/pale moon
+nodeny  ${HOME}/.cache/moonchild productions/pale moon
+nodeny  ${HOME}/.moonchild productions/pale moon
 
 mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
-whitelist ${HOME}/.cache/moonchild productions/pale moon
-whitelist ${HOME}/.moonchild productions
+allow  ${HOME}/.cache/moonchild productions/pale moon
+allow  ${HOME}/.moonchild productions
 
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 513b4119e..a59f53298 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -7,9 +7,9 @@ include pandoc.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
index 0a4422a73..a277d1cbc 100644
--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -6,8 +6,8 @@ include parole.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 0de968185..156c3956d 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -7,9 +7,9 @@ include patch.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pavucontrol-qt.profile b/etc/profile-m-z/pavucontrol-qt.profile
index f96ba14d2..dcd69cdd0 100644
--- a/etc/profile-m-z/pavucontrol-qt.profile
+++ b/etc/profile-m-z/pavucontrol-qt.profile
@@ -7,10 +7,10 @@ include pavucontrol-qt.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.config/pavucontrol-qt
+nodeny  ${HOME}/.config/pavucontrol-qt
 
 mkdir ${HOME}/.config/pavucontrol-qt
-whitelist ${HOME}/.config/pavucontrol-qt
+allow  ${HOME}/.config/pavucontrol-qt
 
 private-bin pavucontrol-qt
 ignore private-lib
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index b46fb3026..f44730c33 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -6,7 +6,7 @@ include pavucontrol.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/pavucontrol.ini
+nodeny  ${HOME}/.config/pavucontrol.ini
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 # whitelisting in ${HOME} is broken, see #3112
 #mkfile ${HOME}/.config/pavucontrol.ini
 #whitelist ${HOME}/.config/pavucontrol.ini
-whitelist /usr/share/pavucontrol
-whitelist /usr/share/pavucontrol-qt
+allow  /usr/share/pavucontrol
+allow  /usr/share/pavucontrol-qt
 #include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile
index a6dab2a9a..3f920ced8 100644
--- a/etc/profile-m-z/pcsxr.profile
+++ b/etc/profile-m-z/pcsxr.profile
@@ -8,7 +8,7 @@ include globals.local
 
 # Note: you must whitelist your games folder in your pcsxr.local
 
-noblacklist ${HOME}/.pcsxr
+nodeny  ${HOME}/.pcsxr
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,7 +21,7 @@ include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pcsxr
-whitelist ${HOME}/.pcsxr
+allow  ${HOME}/.pcsxr
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index d72417914..13a011072 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -5,7 +5,7 @@ include pdfchain.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pdfmod.profile b/etc/profile-m-z/pdfmod.profile
index a19826555..e49ce8073 100644
--- a/etc/profile-m-z/pdfmod.profile
+++ b/etc/profile-m-z/pdfmod.profile
@@ -6,9 +6,9 @@ include pdfmod.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/pdfmod
-noblacklist ${HOME}/.config/pdfmod
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/pdfmod
+nodeny  ${HOME}/.config/pdfmod
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile
index e2808d4d2..67c14bbc3 100644
--- a/etc/profile-m-z/pdfsam.profile
+++ b/etc/profile-m-z/pdfsam.profile
@@ -6,7 +6,7 @@ include pdfsam.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index d3902a51c..1c7ebfad5 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -6,9 +6,9 @@ include pdftotext.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${DOCUMENTS}
-whitelist ${DOWNLOADS}
-whitelist /usr/share/poppler
+allow  ${DOCUMENTS}
+allow  ${DOWNLOADS}
+allow  /usr/share/poppler
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index c33953687..e809625ad 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -5,9 +5,9 @@ include peek.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/peek
-noblacklist ${PICTURES}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.cache/peek
+nodeny  ${PICTURES}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile
index f5ad0321d..5ebd7b462 100644
--- a/etc/profile-m-z/penguin-command.profile
+++ b/etc/profile-m-z/penguin-command.profile
@@ -6,7 +6,7 @@ include penguin-command.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.penguin-command
+nodeny  ${HOME}/.penguin-command
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
 
-whitelist ${HOME}/.penguin-command
+allow  ${HOME}/.penguin-command
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index 40068ff78..8dd506850 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -6,7 +6,7 @@ include photoflare.local
 # Persistent global definitions
 include photoflare.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile
index a5ea47088..ac178ee6c 100644
--- a/etc/profile-m-z/picard.profile
+++ b/etc/profile-m-z/picard.profile
@@ -6,9 +6,9 @@ include picard.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/MusicBrainz
-noblacklist ${HOME}/.config/MusicBrainz
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/MusicBrainz
+nodeny  ${HOME}/.config/MusicBrainz
+nodeny  ${MUSIC}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 26872e9a1..a65abeb2e 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -9,7 +9,7 @@ include globals.local
 ignore noexec ${RUNUSER}
 ignore noexec /dev/shm
 
-noblacklist ${HOME}/.purple
+nodeny  ${HOME}/.purple
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.purple
-whitelist ${HOME}/.purple
-whitelist ${DOWNLOADS}
-whitelist ${PICTURES}
+allow  ${HOME}/.purple
+allow  ${DOWNLOADS}
+allow  ${PICTURES}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile
index 2e17be2ce..41e4fb6c0 100644
--- a/etc/profile-m-z/pinball.profile
+++ b/etc/profile-m-z/pinball.profile
@@ -6,7 +6,7 @@ include pinball.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/emilia
+nodeny  ${HOME}/.config/emilia
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,11 +18,11 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/emilia
-whitelist ${HOME}/.config/emilia
+allow  ${HOME}/.config/emilia
 
-whitelist /usr/share/pinball
+allow  /usr/share/pinball
 # on debian games are stored under /usr/share/games
-whitelist /usr/share/games/pinball
+allow  /usr/share/games/pinball
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index e914007c0..65e77abfa 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -7,8 +7,8 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 3889d87d2..aa2cfe203 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -6,11 +6,13 @@ include pingus.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.pingus
+nodeny  ${HOME}/.pingus
 
 # Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
 
+deny  /usr/libexec
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -21,8 +23,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
-whitelist ${HOME}/.pingus
-whitelist /usr/share/pingus
+allow  ${HOME}/.pingus
+allow  /usr/share/pingus
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile
index 19406c399..d0d4f1fce 100644
--- a/etc/profile-m-z/pinta.profile
+++ b/etc/profile-m-z/pinta.profile
@@ -6,9 +6,9 @@ include pinta.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Pinta
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/Pinta
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile
index 721b3944a..6cfea28b6 100644
--- a/etc/profile-m-z/pioneer.profile
+++ b/etc/profile-m-z/pioneer.profile
@@ -6,7 +6,7 @@ include pioneer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.pioneer
+nodeny  ${HOME}/.pioneer
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.pioneer
-whitelist ${HOME}/.pioneer
+allow  ${HOME}/.pioneer
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/pipe-viewer.profile b/etc/profile-m-z/pipe-viewer.profile
new file mode 100644
index 000000000..acd7eeaf2
--- /dev/null
+++ b/etc/profile-m-z/pipe-viewer.profile
@@ -0,0 +1,21 @@
+# Firejail profile for pipe-viewer
+# Description: Fork of youtube-viewer, scrapes youtube directly and with invidious
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pipe-viewer.local
+# Persistent global definitions
+include globals.local
+
+nodeny  ${HOME}/.cache/pipe-viewer
+nodeny  ${HOME}/.config/pipe-viewer
+
+mkdir ${HOME}/.config/pipe-viewer
+mkdir ${HOME}/.cache/pipe-viewer
+allow  ${HOME}/.cache/pipe-viewer
+allow  ${HOME}/.config/pipe-viewer
+
+private-bin gtk-pipe-viewer,pipe-viewer
+
+# Redirect
+include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile
index a2dd809c4..abce4c911 100644
--- a/etc/profile-m-z/pitivi.profile
+++ b/etc/profile-m-z/pitivi.profile
@@ -6,7 +6,7 @@ include pitivi.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/pitivi
+nodeny  ${HOME}/.config/pitivi
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/pix.profile b/etc/profile-m-z/pix.profile
index 81d3e9370..63451d352 100644
--- a/etc/profile-m-z/pix.profile
+++ b/etc/profile-m-z/pix.profile
@@ -5,10 +5,10 @@ include pix.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/pix
-noblacklist ${HOME}/.local/share/pix
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.config/pix
+nodeny  ${HOME}/.local/share/pix
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index 4eb41b3bd..13d7db7f7 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -17,9 +17,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /var/log/apt/history.log
-whitelist /var/log/dnf.rpm.log
-whitelist /var/log/pacman.log
+allow  /var/log/apt/history.log
+allow  /var/log/dnf.rpm.log
+allow  /var/log/pacman.log
 
 apparmor
 caps.drop all
diff --git a/etc/profile-m-z/playonlinux.profile b/etc/profile-m-z/playonlinux.profile
index 8e98905b5..9c23841e2 100644
--- a/etc/profile-m-z/playonlinux.profile
+++ b/etc/profile-m-z/playonlinux.profile
@@ -7,10 +7,10 @@ include playonlinux.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.PlayOnLinux
+nodeny  ${HOME}/.PlayOnLinux
 
 # nc is needed to run playonlinux
-noblacklist ${PATH}/nc
+nodeny  ${PATH}/nc
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index 10e12e5b1..ab7e0c64b 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -6,8 +6,8 @@ include pluma.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/enchant
-noblacklist ${HOME}/.config/pluma
+nodeny  ${HOME}/.config/enchant
+nodeny  ${HOME}/.config/pluma
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 5201fd853..02cb83ef6 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -6,7 +6,7 @@ include plv.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/PacmanLogViewer
+nodeny  ${HOME}/.config/PacmanLogViewer
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/PacmanLogViewer
-whitelist ${HOME}/.config/PacmanLogViewer
-whitelist /var/log/pacman.log
+allow  ${HOME}/.config/PacmanLogViewer
+allow  /var/log/pacman.log
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 8a181d5a8..2c4dda43e 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -7,9 +7,9 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/polari.profile b/etc/profile-m-z/polari.profile
index a3d4f9851..115ac36ab 100644
--- a/etc/profile-m-z/polari.profile
+++ b/etc/profile-m-z/polari.profile
@@ -21,12 +21,12 @@ mkdir ${HOME}/.local/share/Empathy
 mkdir ${HOME}/.local/share/TpLogger
 mkdir ${HOME}/.local/share/telepathy
 mkdir ${HOME}/.purple
-whitelist ${HOME}/.cache/telepathy
-whitelist ${HOME}/.config/telepathy-account-widgets
-whitelist ${HOME}/.local/share/Empathy
-whitelist ${HOME}/.local/share/TpLogger
-whitelist ${HOME}/.local/share/telepathy
-whitelist ${HOME}/.purple
+allow  ${HOME}/.cache/telepathy
+allow  ${HOME}/.config/telepathy-account-widgets
+allow  ${HOME}/.local/share/Empathy
+allow  ${HOME}/.local/share/TpLogger
+allow  ${HOME}/.local/share/telepathy
+allow  ${HOME}/.purple
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index 1f73c1d89..10c59ea32 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -8,7 +8,7 @@ include globals.local
 
 # Note: you must whitelist your games folder in your ppsspp.local.
 
-noblacklist ${HOME}/.config/ppsspp
+nodeny  ${HOME}/.config/ppsspp
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/ppsspp
-whitelist ${HOME}/.config/ppsspp
-whitelist /usr/share/ppsspp
+allow  ${HOME}/.config/ppsspp
+allow  /usr/share/ppsspp
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index f138d785e..9b03bf632 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -6,8 +6,8 @@ include pragha.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/pragha
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/pragha
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index 743458725..137b4cb20 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -7,8 +7,8 @@ include profanity.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/profanity
-noblacklist ${HOME}/.local/share/profanity
+nodeny  ${HOME}/.config/profanity
+nodeny  ${HOME}/.local/share/profanity
 
 # Allow Python
 include allow-python2.inc
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index 5ac58b0ac..b0e28baf7 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -6,8 +6,8 @@ include psi-plus.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/psi+
-noblacklist ${HOME}/.local/share/psi+
+nodeny  ${HOME}/.config/psi+
+nodeny  ${HOME}/.local/share/psi+
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,10 +19,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/psi+
 mkdir ${HOME}/.config/psi+
 mkdir ${HOME}/.local/share/psi+
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/psi+
-whitelist ${HOME}/.config/psi+
-whitelist ${HOME}/.local/share/psi+
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/psi+
+allow  ${HOME}/.config/psi+
+allow  ${HOME}/.local/share/psi+
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index 7e0ef99fc..2588c3b75 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -8,11 +8,11 @@ include globals.local
 
 # Add the next line to your psi.local to enable GPG support.
 #noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.cache/psi
-noblacklist ${HOME}/.cache/Psi
-noblacklist ${HOME}/.config/psi
-noblacklist ${HOME}/.local/share/psi
-noblacklist ${HOME}/.local/share/Psi
+nodeny  ${HOME}/.cache/psi
+nodeny  ${HOME}/.cache/Psi
+nodeny  ${HOME}/.config/psi
+nodeny  ${HOME}/.local/share/psi
+nodeny  ${HOME}/.local/share/Psi
 
 include disable-common.inc
 include disable-devel.inc
@@ -32,16 +32,16 @@ mkdir ${HOME}/.local/share/psi
 mkdir ${HOME}/.local/share/Psi
 # Add the next line to your psi.local to enable GPG support.
 #whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.cache/psi
-whitelist ${HOME}/.cache/Psi
-whitelist ${HOME}/.config/psi
-whitelist ${HOME}/.local/share/psi
-whitelist ${HOME}/.local/share/Psi
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/psi
+allow  ${HOME}/.cache/Psi
+allow  ${HOME}/.config/psi
+allow  ${HOME}/.local/share/psi
+allow  ${HOME}/.local/share/Psi
+allow  ${DOWNLOADS}
 # Add the next lines to your psi.local to enable GPG support.
 #whitelist /usr/share/gnupg
 #whitelist /usr/share/gnupg2
-whitelist /usr/share/psi
+allow  /usr/share/psi
 # Add the next lines to your psi.local to enable GPG support.
 #whitelist ${RUNUSER}/gnupg
 #whitelist ${RUNUSER}/keyring
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
index 60ae37930..1f0e83ab6 100644
--- a/etc/profile-m-z/pybitmessage.profile
+++ b/etc/profile-m-z/pybitmessage.profile
@@ -5,9 +5,9 @@ include pybitmessage.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/local/sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/local/sbin
+nodeny  /usr/sbin
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/pycharm-community.profile b/etc/profile-m-z/pycharm-community.profile
index 00d7239ae..b6c08290e 100644
--- a/etc/profile-m-z/pycharm-community.profile
+++ b/etc/profile-m-z/pycharm-community.profile
@@ -5,7 +5,7 @@ include pycharm-community.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.PyCharmCE*
+nodeny  ${HOME}/.PyCharmCE*
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
diff --git a/etc/profile-m-z/pycharm-professional.profile b/etc/profile-m-z/pycharm-professional.profile
index b754a18c9..fa0932cc0 100644
--- a/etc/profile-m-z/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -6,7 +6,7 @@ include pyucharm-professional.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.PyCharm*
+nodeny  ${HOME}/.PyCharm*
 
 # Redirect
 include pycharm-community.profile
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 506b738cc..fb8e622b0 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -6,10 +6,10 @@ include qbittorrent.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/qBittorrent
-noblacklist ${HOME}/.config/qBittorrent
-noblacklist ${HOME}/.config/qBittorrentrc
-noblacklist ${HOME}/.local/share/data/qBittorrent
+nodeny  ${HOME}/.cache/qBittorrent
+nodeny  ${HOME}/.config/qBittorrent
+nodeny  ${HOME}/.config/qBittorrentrc
+nodeny  ${HOME}/.local/share/data/qBittorrent
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -27,11 +27,11 @@ mkdir ${HOME}/.cache/qBittorrent
 mkdir ${HOME}/.config/qBittorrent
 mkfile ${HOME}/.config/qBittorrentrc
 mkdir ${HOME}/.local/share/data/qBittorrent
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/qBittorrent
-whitelist ${HOME}/.config/qBittorrent
-whitelist ${HOME}/.config/qBittorrentrc
-whitelist ${HOME}/.local/share/data/qBittorrent
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/qBittorrent
+allow  ${HOME}/.config/qBittorrent
+allow  ${HOME}/.config/qBittorrentrc
+allow  ${HOME}/.local/share/data/qBittorrent
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile
new file mode 100644
index 000000000..7bcc4b065
--- /dev/null
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qcomicbook
+# Description: A comic book and manga viewer in QT
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qcomicbook.local
+# Persistent global definitions
+include globals.local
+
+nodeny  ${HOME}/.cache/PawelStolowski
+nodeny  ${HOME}/.config/PawelStolowski
+nodeny  ${HOME}/.local/share/PawelStolowski
+nodeny  ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/PawelStolowski
+mkdir ${HOME}/.config/PawelStolowski
+mkdir ${HOME}/.local/share/PawelStolowski
+allow  /usr/share/qcomicbook
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/PawelStolowski
+read-write ${HOME}/.config/PawelStolowski
+read-write ${HOME}/.local/share/PawelStolowski
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
index ac60384fd..d527a2b82 100644
--- a/etc/profile-m-z/qemu-launcher.profile
+++ b/etc/profile-m-z/qemu-launcher.profile
@@ -5,7 +5,7 @@ include qemu-launcher.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.qemu-launcher
+nodeny  ${HOME}/.qemu-launcher
 
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index 2e97daea2..e99140c22 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -6,10 +6,10 @@ include qgis.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/QGIS
-noblacklist ${HOME}/.local/share/QGIS
-noblacklist ${HOME}/.qgis2
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/QGIS
+nodeny  ${HOME}/.local/share/QGIS
+nodeny  ${HOME}/.qgis2
+nodeny  ${DOCUMENTS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -25,10 +25,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.local/share/QGIS
 mkdir ${HOME}/.qgis2
 mkdir ${HOME}/.config/QGIS
-whitelist ${HOME}/.local/share/QGIS
-whitelist ${HOME}/.qgis2
-whitelist ${HOME}/.config/QGIS
-whitelist ${DOCUMENTS}
+allow  ${HOME}/.local/share/QGIS
+allow  ${HOME}/.qgis2
+allow  ${HOME}/.config/QGIS
+allow  ${DOCUMENTS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/qlipper.profile b/etc/profile-m-z/qlipper.profile
index 6e94d5845..75dc58ae4 100644
--- a/etc/profile-m-z/qlipper.profile
+++ b/etc/profile-m-z/qlipper.profile
@@ -6,7 +6,7 @@ include qlipper.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Qlipper
+nodeny  ${HOME}/.config/Qlipper
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index c3d982c17..d37fce997 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -6,8 +6,8 @@ include qmmp.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.qmmp
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.qmmp
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index ca11df5be..f12340052 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -6,7 +6,7 @@ include qnapi.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/qnapi.ini
+nodeny  ${HOME}/.config/qnapi.ini
 
 ignore noexec /tmp
 
@@ -20,8 +20,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.config/qnapi.ini
-whitelist ${HOME}/.config/qnapi.ini
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/qnapi.ini
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index be690ffa4..62fae324c 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -6,9 +6,9 @@ include qpdfview.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/qpdfview
-noblacklist ${HOME}/.local/share/qpdfview
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/qpdfview
+nodeny  ${HOME}/.local/share/qpdfview
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 6cbf8519f..5f0aec804 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -7,7 +7,7 @@ include qrencode.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index 8ffe24d11..1ad46814e 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -6,8 +6,8 @@ include qtox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Tox
-noblacklist ${HOME}/.config/tox
+nodeny  ${HOME}/.cache/Tox
+nodeny  ${HOME}/.config/tox
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/tox
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/tox
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/tox
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/quadrapassel.profile b/etc/profile-m-z/quadrapassel.profile
index 91e0d9d0d..aee24925c 100644
--- a/etc/profile-m-z/quadrapassel.profile
+++ b/etc/profile-m-z/quadrapassel.profile
@@ -6,11 +6,11 @@ include quadrapassel.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/quadrapassel
+nodeny  ${HOME}/.local/share/quadrapassel
 
 mkdir ${HOME}/.local/share/quadrapassel
-whitelist ${HOME}/.local/share/quadrapassel
-whitelist /usr/share/quadrapassel
+allow  ${HOME}/.local/share/quadrapassel
+allow  /usr/share/quadrapassel
 
 private-bin quadrapassel
 
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
index 1d146aa39..a319e1e12 100644
--- a/etc/profile-m-z/quaternion.profile
+++ b/etc/profile-m-z/quaternion.profile
@@ -6,8 +6,8 @@ include quaternion.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Quotient/quaternion
-noblacklist ${HOME}/.config/Quotient
+nodeny  ${HOME}/.cache/Quotient/quaternion
+nodeny  ${HOME}/.config/Quotient
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,10 +20,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/Quotient/quaternion
 mkdir ${HOME}/.config/Quotient
-whitelist ${HOME}/.cache/Quotient/quaternion
-whitelist ${HOME}/.config/Quotient
-whitelist ${DOWNLOADS}
-whitelist /usr/share/Quotient/quaternion
+allow  ${HOME}/.cache/Quotient/quaternion
+allow  ${HOME}/.config/Quotient
+allow  ${DOWNLOADS}
+allow  /usr/share/Quotient/quaternion
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index 9490089b2..2693f2ed5 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -6,10 +6,10 @@ include quiterss.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/QuiteRss
-noblacklist ${HOME}/.config/QuiteRss
-noblacklist ${HOME}/.config/QuiteRssrc
-noblacklist ${HOME}/.local/share/QuiteRss
+nodeny  ${HOME}/.cache/QuiteRss
+nodeny  ${HOME}/.config/QuiteRss
+nodeny  ${HOME}/.config/QuiteRssrc
+nodeny  ${HOME}/.local/share/QuiteRss
 
 include disable-common.inc
 include disable-devel.inc
@@ -25,12 +25,12 @@ mkdir ${HOME}/.local/share/data
 mkdir ${HOME}/.local/share/data/QuiteRss
 mkdir ${HOME}/.local/share/QuiteRss
 mkfile ${HOME}/quiterssfeeds.opml
-whitelist ${HOME}/.cache/QuiteRss
-whitelist ${HOME}/.config/QuiteRss
-whitelist ${HOME}/.config/QuiteRssrc
-whitelist ${HOME}/.local/share/data/QuiteRss
-whitelist ${HOME}/.local/share/QuiteRss
-whitelist ${HOME}/quiterssfeeds.opml
+allow  ${HOME}/.cache/QuiteRss
+allow  ${HOME}/.config/QuiteRss
+allow  ${HOME}/.config/QuiteRssrc
+allow  ${HOME}/.local/share/data/QuiteRss
+allow  ${HOME}/.local/share/QuiteRss
+allow  ${HOME}/quiterssfeeds.opml
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile
index 92b02b2bf..52c120c08 100644
--- a/etc/profile-m-z/quodlibet.profile
+++ b/etc/profile-m-z/quodlibet.profile
@@ -6,10 +6,10 @@ include quodlibet.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/quodlibet
-noblacklist ${HOME}/.config/quodlibet
-noblacklist ${HOME}/.quodlibet
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/quodlibet
+nodeny  ${HOME}/.config/quodlibet
+nodeny  ${HOME}/.quodlibet
+nodeny  ${MUSIC}
 
 include allow-bin-sh.inc
 
@@ -30,11 +30,11 @@ mkdir ${HOME}/.cache/quodlibet
 mkdir ${HOME}/.config/quodlibet
 mkdir ${HOME}/.quodlibet
 
-whitelist ${HOME}/.cache/quodlibet
-whitelist ${HOME}/.config/quodlibet
-whitelist ${HOME}/.quodlibet
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
+allow  ${HOME}/.cache/quodlibet
+allow  ${HOME}/.config/quodlibet
+allow  ${HOME}/.quodlibet
+allow  ${DOWNLOADS}
+allow  ${MUSIC}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/qupzilla.profile b/etc/profile-m-z/qupzilla.profile
index 7aa71c848..9bc91808b 100644
--- a/etc/profile-m-z/qupzilla.profile
+++ b/etc/profile-m-z/qupzilla.profile
@@ -6,8 +6,8 @@ include qupzilla.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/qupzilla
-noblacklist ${HOME}/.config/qupzilla
+nodeny  ${HOME}/.cache/qupzilla
+nodeny  ${HOME}/.config/qupzilla
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/qupzilla
 mkdir ${HOME}/.config/qupzilla
-whitelist ${HOME}/.cache/qupzilla
-whitelist ${HOME}/.config/qupzilla
+allow  ${HOME}/.cache/qupzilla
+allow  ${HOME}/.config/qupzilla
 
 # Redirect
 include falkon.profile
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index fc910b589..a342e2acd 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -6,9 +6,9 @@ include qutebrowser.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/qutebrowser
-noblacklist ${HOME}/.config/qutebrowser
-noblacklist ${HOME}/.local/share/qutebrowser
+nodeny  ${HOME}/.cache/qutebrowser
+nodeny  ${HOME}/.config/qutebrowser
+nodeny  ${HOME}/.local/share/qutebrowser
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,10 +22,10 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/qutebrowser
 mkdir ${HOME}/.config/qutebrowser
 mkdir ${HOME}/.local/share/qutebrowser
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/qutebrowser
-whitelist ${HOME}/.config/qutebrowser
-whitelist ${HOME}/.local/share/qutebrowser
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/qutebrowser
+allow  ${HOME}/.config/qutebrowser
+allow  ${HOME}/.local/share/qutebrowser
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/rambox.profile b/etc/profile-m-z/rambox.profile
index ffa2022ee..b1059cee8 100644
--- a/etc/profile-m-z/rambox.profile
+++ b/etc/profile-m-z/rambox.profile
@@ -6,9 +6,9 @@ include rambox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Rambox
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.config/Rambox
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,10 +18,10 @@ include disable-programs.inc
 mkdir ${HOME}/.config/Rambox
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/Rambox
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/Rambox
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
index 9bc196a16..3b56f651f 100644
--- a/etc/profile-m-z/redeclipse.profile
+++ b/etc/profile-m-z/redeclipse.profile
@@ -6,7 +6,7 @@ include redeclipse.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.redeclipse
+nodeny  ${HOME}/.redeclipse
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.redeclipse
-whitelist ${HOME}/.redeclipse
-whitelist /usr/share/redeclipse
+allow  ${HOME}/.redeclipse
+allow  /usr/share/redeclipse
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile
index f87c5f67c..3035e1d74 100644
--- a/etc/profile-m-z/redshift.profile
+++ b/etc/profile-m-z/redshift.profile
@@ -7,8 +7,8 @@ include redshift.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/redshift
-noblacklist ${HOME}/.config/redshift.conf
+nodeny  ${HOME}/.config/redshift
+nodeny  ${HOME}/.config/redshift.conf
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/redshift
-whitelist ${HOME}/.config/redshift
-whitelist ${HOME}/.config/redshift.conf
+allow  ${HOME}/.config/redshift
+allow  ${HOME}/.config/redshift.conf
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index f5131c5d0..82feafab9 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -15,7 +15,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/com.github.artemanufrij.regextester
+allow  /usr/share/com.github.artemanufrij.regextester
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index aca22f187..3f385f602 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -6,9 +6,9 @@ include remmina.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.remmina
-noblacklist ${HOME}/.config/remmina
-noblacklist ${HOME}/.local/share/remmina
+nodeny  ${HOME}/.remmina
+nodeny  ${HOME}/.config/remmina
+nodeny  ${HOME}/.local/share/remmina
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index 970e8ffba..c532d3dc1 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -6,9 +6,9 @@ include rhythmbox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${MUSIC}
-noblacklist ${HOME}/.cache/rhythmbox
-noblacklist ${HOME}/.local/share/rhythmbox
+nodeny  ${MUSIC}
+nodeny  ${HOME}/.cache/rhythmbox
+nodeny  ${HOME}/.local/share/rhythmbox
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -26,10 +26,10 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/rhythmbox
-whitelist /usr/share/lua
-whitelist /usr/share/libquvi-scripts
-whitelist /usr/share/tracker
+allow  /usr/share/rhythmbox
+allow  /usr/share/lua
+allow  /usr/share/libquvi-scripts
+allow  /usr/share/tracker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/ricochet.profile b/etc/profile-m-z/ricochet.profile
index b664a2be3..c3ee57ef3 100644
--- a/etc/profile-m-z/ricochet.profile
+++ b/etc/profile-m-z/ricochet.profile
@@ -5,7 +5,7 @@ include ricochet.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/Ricochet
+nodeny  ${HOME}/.local/share/Ricochet
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.local/share/Ricochet
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.local/share/Ricochet
+allow  ${DOWNLOADS}
+allow  ${HOME}/.local/share/Ricochet
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/riot-web.profile b/etc/profile-m-z/riot-web.profile
index 687c943b0..782396a50 100644
--- a/etc/profile-m-z/riot-web.profile
+++ b/etc/profile-m-z/riot-web.profile
@@ -8,11 +8,11 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Riot
+nodeny  ${HOME}/.config/Riot
 
 mkdir ${HOME}/.config/Riot
-whitelist ${HOME}/.config/Riot
-whitelist /usr/share/webapps/element
+allow  ${HOME}/.config/Riot
+allow  /usr/share/webapps/element
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile
index be815e714..c97ac8090 100644
--- a/etc/profile-m-z/ripperx.profile
+++ b/etc/profile-m-z/ripperx.profile
@@ -6,8 +6,8 @@ include ripperx.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ripperXrc
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.ripperXrc
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile
index 5572cab5a..109d2f8f1 100644
--- a/etc/profile-m-z/ristretto.profile
+++ b/etc/profile-m-z/ristretto.profile
@@ -6,9 +6,9 @@ include ristretto.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/ristretto
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.config/ristretto
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/rocketchat.profile b/etc/profile-m-z/rocketchat.profile
index 8d3607c75..1a76c4211 100644
--- a/etc/profile-m-z/rocketchat.profile
+++ b/etc/profile-m-z/rocketchat.profile
@@ -21,10 +21,10 @@ ignore private-cache
 ignore private-dev
 ignore private-tmp
 
-noblacklist ${HOME}/.config/Rocket.Chat
+nodeny  ${HOME}/.config/Rocket.Chat
 
 mkdir ${HOME}/.config/Rocket.Chat
-whitelist ${HOME}/.config/Rocket.Chat
+allow  ${HOME}/.config/Rocket.Chat
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 690b44bb1..4807b7d36 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -11,8 +11,8 @@ include globals.local
 # not as a daemon (rsync --daemon) nor to create backups.
 # Usage: firejail --profile=rsync-download_only rsync
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
new file mode 100644
index 000000000..cd84ce05e
--- /dev/null
+++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
+# Firejail profile for rtin
+# Description: ncurses-based Usenet newsreader
+#              symlink to tin, same as `tin -r`
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtin.local
+
+include tin.profile
diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile
index c9da0b628..6b7d6b155 100644
--- a/etc/profile-m-z/rtv-addons.profile
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -11,13 +11,18 @@ ignore nosound
 ignore private-bin
 ignore dbus-user none
 
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.mailcap
-noblacklist ${HOME}/.netrc
-noblacklist ${HOME}/.w3m
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.mailcap
+nodeny  ${HOME}/.netrc
+nodeny  ${HOME}/.w3m
 
-whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
-whitelist ${HOME}/.config/mpv
-whitelist ${HOME}/.mailcap
-whitelist ${HOME}/.netrc
-whitelist ${HOME}/.w3m
+allow  ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+allow  ${HOME}/.config/mpv
+allow  ${HOME}/.mailcap
+allow  ${HOME}/.netrc
+allow  ${HOME}/.w3m
+
+#private-bin w3m,mpv,youtube-dl
+
+# tells rtv, which browser to use
+#env RTV_BROWSER=w3m
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index f0b8d31e9..074050792 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -6,11 +6,14 @@ include rtv.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.config/rtv
-noblacklist ${HOME}/.local/share/rtv
+nodeny  ${HOME}/.config/rtv
+nodeny  ${HOME}/.local/share/rtv
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -30,8 +33,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/rtv
 mkdir ${HOME}/.local/share/rtv
-whitelist ${HOME}/.config/rtv
-whitelist ${HOME}/.local/share/rtv
+allow  ${HOME}/.config/rtv
+allow  ${HOME}/.local/share/rtv
 include whitelist-var-common.inc
 
 apparmor
@@ -54,10 +57,10 @@ shell none
 tracelog
 
 disable-mnt
-private-bin python*,rtv,sh,xdg-settings
+private-bin less,python*,rtv,sh,xdg-settings
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile
index de79913cc..963f5da02 100644
--- a/etc/profile-m-z/sayonara.profile
+++ b/etc/profile-m-z/sayonara.profile
@@ -5,8 +5,8 @@ include sayonara.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Sayonara
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.Sayonara
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile
index eb8468c3b..26550b5e0 100644
--- a/etc/profile-m-z/scallion.profile
+++ b/etc/profile-m-z/scallion.profile
@@ -6,10 +6,10 @@ include scallion.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PATH}/llvm*
-noblacklist ${PATH}/openssl
-noblacklist ${PATH}/openssl-1.0
-noblacklist ${DOCUMENTS}
+nodeny  ${PATH}/llvm*
+nodeny  ${PATH}/openssl
+nodeny  ${PATH}/openssl-1.0
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index aac3e721f..921efb49e 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -6,7 +6,7 @@ include scorched3d.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.scorched3d
+nodeny  ${HOME}/.scorched3d
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.scorched3d
-whitelist ${HOME}/.scorched3d
-whitelist /usr/share/scorched3d
+allow  ${HOME}/.scorched3d
+allow  /usr/share/scorched3d
+allow  /usr/share/games/scorched3d
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index 2cb1df6b5..54a6c3a01 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -6,7 +6,7 @@ include scorchwentbonkers.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.swb.ini
+nodeny  ${HOME}/.swb.ini
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.swb.ini
-whitelist ${HOME}/.swb.ini
-whitelist /usr/share/scorchwentbonkers
+allow  ${HOME}/.swb.ini
+allow  /usr/share/scorchwentbonkers
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index 1fdeaa145..6519f8e87 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -7,24 +7,24 @@ include scribus.local
 include globals.local
 
 # Support for PDF readers comes with Scribus 1.5 and higher
-noblacklist ${HOME}/.cache/okular
-noblacklist ${HOME}/.config/GIMP
-noblacklist ${HOME}/.config/okularpartrc
-noblacklist ${HOME}/.config/okularrc
-noblacklist ${HOME}/.config/scribus
-noblacklist ${HOME}/.config/scribusrc
-noblacklist ${HOME}/.gimp*
-noblacklist ${HOME}/.kde/share/apps/okular
-noblacklist ${HOME}/.kde/share/config/okularpartrc
-noblacklist ${HOME}/.kde/share/config/okularrc
-noblacklist ${HOME}/.kde4/share/apps/okular
-noblacklist ${HOME}/.kde4/share/config/okularpartrc
-noblacklist ${HOME}/.kde4/share/config/okularrc
-noblacklist ${HOME}/.local/share/okular
-noblacklist ${HOME}/.local/share/scribus
-noblacklist ${HOME}/.scribus
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.cache/okular
+nodeny  ${HOME}/.config/GIMP
+nodeny  ${HOME}/.config/okularpartrc
+nodeny  ${HOME}/.config/okularrc
+nodeny  ${HOME}/.config/scribus
+nodeny  ${HOME}/.config/scribusrc
+nodeny  ${HOME}/.gimp*
+nodeny  ${HOME}/.kde/share/apps/okular
+nodeny  ${HOME}/.kde/share/config/okularpartrc
+nodeny  ${HOME}/.kde/share/config/okularrc
+nodeny  ${HOME}/.kde4/share/apps/okular
+nodeny  ${HOME}/.kde4/share/config/okularpartrc
+nodeny  ${HOME}/.kde4/share/config/okularrc
+nodeny  ${HOME}/.local/share/okular
+nodeny  ${HOME}/.local/share/scribus
+nodeny  ${HOME}/.scribus
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 131dcbb68..95cedac3f 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -6,6 +6,9 @@ include seahorse-adventures.local
 # Persistent global definitions
 include globals.local
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -19,7 +22,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/seahorse-adventures
+allow  /usr/share/seahorse-adventures
+allow  /usr/share/games/seahorse-adventures
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -42,7 +46,7 @@ tracelog
 
 disable-mnt
 private
-private-bin python*,seahorse-adventures
+private-bin bash,dash,python*,seahorse-adventures,sh
 private-cache
 private-dev
 private-etc machine-id
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index d3d8e453f..66605173b 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -6,9 +6,9 @@ include seahorse.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
+deny  /tmp/.X11-unix
 
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.gnupg
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
@@ -27,13 +27,13 @@ include disable-xdg.inc
 #mkdir ${HOME}/.ssh
 #whitelist ${HOME}/.gnupg
 #whitelist ${HOME}/.ssh
-whitelist /tmp/ssh-*
-whitelist /usr/share/gnupg
-whitelist /usr/share/gnupg2
-whitelist /usr/share/seahorse
-whitelist /usr/share/seahorse-nautilus
-whitelist ${RUNUSER}/gnupg
-whitelist ${RUNUSER}/keyring
+allow  /tmp/ssh-*
+allow  /usr/share/gnupg
+allow  /usr/share/gnupg2
+allow  /usr/share/seahorse
+allow  /usr/share/seahorse-nautilus
+allow  ${RUNUSER}/gnupg
+allow  ${RUNUSER}/keyring
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index 807effbeb..c9867719a 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -6,10 +6,10 @@ include seamonkey.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/mozilla
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.pki
-noblacklist ${HOME}/.local/share/pki
+nodeny  ${HOME}/.cache/mozilla
+nodeny  ${HOME}/.mozilla
+nodeny  ${HOME}/.pki
+nodeny  ${HOME}/.local/share/pki
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,25 +20,25 @@ mkdir ${HOME}/.cache/mozilla
 mkdir ${HOME}/.mozilla
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/gnome-mplayer/plugin
-whitelist ${HOME}/.cache/mozilla
-whitelist ${HOME}/.config/gnome-mplayer
-whitelist ${HOME}/.config/pipelight-silverlight5.1
-whitelist ${HOME}/.config/pipelight-widevine
-whitelist ${HOME}/.keysnail.js
-whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.mozilla
-whitelist ${HOME}/.pentadactyl
-whitelist ${HOME}/.pentadactylrc
-whitelist ${HOME}/.pki
-whitelist ${HOME}/.local/share/pki
-whitelist ${HOME}/.vimperator
-whitelist ${HOME}/.vimperatorrc
-whitelist ${HOME}/.wine-pipelight
-whitelist ${HOME}/.wine-pipelight64
-whitelist ${HOME}/.zotero
-whitelist ${HOME}/dwhelper
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/gnome-mplayer/plugin
+allow  ${HOME}/.cache/mozilla
+allow  ${HOME}/.config/gnome-mplayer
+allow  ${HOME}/.config/pipelight-silverlight5.1
+allow  ${HOME}/.config/pipelight-widevine
+allow  ${HOME}/.keysnail.js
+allow  ${HOME}/.lastpass
+allow  ${HOME}/.mozilla
+allow  ${HOME}/.pentadactyl
+allow  ${HOME}/.pentadactylrc
+allow  ${HOME}/.pki
+allow  ${HOME}/.local/share/pki
+allow  ${HOME}/.vimperator
+allow  ${HOME}/.vimperatorrc
+allow  ${HOME}/.wine-pipelight
+allow  ${HOME}/.wine-pipelight64
+allow  ${HOME}/.zotero
+allow  ${HOME}/dwhelper
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 7d56684db..23f464637 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -32,12 +32,12 @@ include globals.local
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
 # depending on your usage, you can enable some of the commands below:
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 # noblacklist /var/opt
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index b7f398f45..0cb9de45a 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -7,9 +7,9 @@ include shellcheck.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,7 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/shellcheck
+allow  /usr/share/shellcheck
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
index d629240ec..a8e5f6b18 100644
--- a/etc/profile-m-z/shortwave.profile
+++ b/etc/profile-m-z/shortwave.profile
@@ -6,8 +6,8 @@ include shortwave.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Shortwave
-noblacklist ${HOME}/.local/share/Shortwave
+nodeny  ${HOME}/.cache/Shortwave
+nodeny  ${HOME}/.local/share/Shortwave
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/Shortwave
 mkdir ${HOME}/.local/share/Shortwave
-whitelist ${HOME}/.cache/Shortwave
-whitelist ${HOME}/.local/share/Shortwave
-whitelist /usr/share/shortwave
+allow  ${HOME}/.cache/Shortwave
+allow  ${HOME}/.local/share/Shortwave
+allow  /usr/share/shortwave
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile
index 63af4d367..1f3c39c46 100644
--- a/etc/profile-m-z/shotcut.profile
+++ b/etc/profile-m-z/shotcut.profile
@@ -8,7 +8,7 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/Meltytech
+nodeny  ${HOME}/.config/Meltytech
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index ddc8a7743..b653930c3 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -6,10 +6,10 @@ include shotwell.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/shotwell
-noblacklist ${HOME}/.local/share/shotwell
+nodeny  ${HOME}/.cache/shotwell
+nodeny  ${HOME}/.local/share/shotwell
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -21,9 +21,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/shotwell
 mkdir ${HOME}/.local/share/shotwell
-whitelist ${HOME}/.cache/shotwell
-whitelist ${HOME}/.local/share/shotwell
-whitelist ${PICTURES}
+allow  ${HOME}/.cache/shotwell
+allow  ${HOME}/.local/share/shotwell
+allow  ${PICTURES}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index 478377344..8a46899f1 100644
--- a/etc/profile-m-z/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
@@ -6,10 +6,10 @@ include signal-cli.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${HOME}/.local/share/signal-cli
+nodeny  ${HOME}/.local/share/signal-cli
 
 include allow-java.inc
 
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/signal-cli
-whitelist ${HOME}/.local/share/signal-cli
+allow  ${HOME}/.local/share/signal-cli
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 77a7f5b38..a12080748 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -9,15 +9,15 @@ ignore novideo
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Signal
+nodeny  ${HOME}/.config/Signal
 
 # These lines are needed to allow Firefox to open links
-noblacklist ${HOME}/.mozilla
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
+nodeny  ${HOME}/.mozilla
+allow  ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.config/Signal
-whitelist ${HOME}/.config/Signal
+allow  ${HOME}/.config/Signal
 
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 17920677b..589a44ffc 100644
--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -6,8 +6,8 @@ include simple-scan.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/simple-scan
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/simple-scan
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,8 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/hplip
-whitelist /usr/share/simple-scan
+allow  /usr/share/hplip
+allow  /usr/share/simple-scan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile
index d664f8bf5..83f833508 100644
--- a/etc/profile-m-z/simplescreenrecorder.profile
+++ b/etc/profile-m-z/simplescreenrecorder.profile
@@ -6,8 +6,8 @@ include simplescreenrecorder.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${VIDEOS}
-noblacklist ${HOME}/.ssr
+nodeny  ${VIDEOS}
+nodeny  ${HOME}/.ssr
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/simplescreenrecorder
+allow  /usr/share/simplescreenrecorder
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index afaa0f6d8..1d7f41579 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -6,7 +6,7 @@ include simutrans.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.simutrans
+nodeny  ${HOME}/.simutrans
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,7 +16,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.simutrans
-whitelist ${HOME}/.simutrans
+allow  ${HOME}/.simutrans
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 093a61398..98ed624f9 100644
--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -6,7 +6,7 @@ include skanlite.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/skypeforlinux.profile b/etc/profile-m-z/skypeforlinux.profile
index ed04eda8e..e7f70eebe 100644
--- a/etc/profile-m-z/skypeforlinux.profile
+++ b/etc/profile-m-z/skypeforlinux.profile
@@ -21,7 +21,7 @@ ignore dbus-system none
 ignore apparmor
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/skypeforlinux
+nodeny  ${HOME}/.config/skypeforlinux
 
 # private-dev - needs /dev/disk
 
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 9ad772cd5..b8299add3 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -16,14 +16,16 @@ ignore private-tmp
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/Slack
+nodeny  ${HOME}/.config/Slack
+
+include allow-bin-sh.inc
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Slack
-whitelist ${HOME}/.config/Slack
+allow  ${HOME}/.config/Slack
 
-private-bin locale,slack
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 
 # Redirect
diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile
index c5a31c237..36a0044dc 100644
--- a/etc/profile-m-z/slashem.profile
+++ b/etc/profile-m-z/slashem.profile
@@ -6,7 +6,7 @@ include slashem.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/games/slashem
+nodeny  /var/games/slashem
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,7 +15,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /var/games/slashem
+allow  /var/games/slashem
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 01547e5c1..4e4334dc0 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -6,9 +6,9 @@ include smplayer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.mplayer
+nodeny  ${HOME}/.config/smplayer
+nodeny  ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.mplayer
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -17,8 +17,8 @@ include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -29,9 +29,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/lua*
-whitelist /usr/share/smplayer
-whitelist /usr/share/vulkan
+allow  /usr/share/lua*
+allow  /usr/share/smplayer
+allow  /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile
index 196950eaf..99d02ffdf 100644
--- a/etc/profile-m-z/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -6,14 +6,14 @@ include smtube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/smplayer
-noblacklist ${HOME}/.config/smtube
-noblacklist ${HOME}/.config/mpv
-noblacklist ${HOME}/.mplayer
-noblacklist ${HOME}/.config/vlc
-noblacklist ${HOME}/.local/share/vlc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/smplayer
+nodeny  ${HOME}/.config/smtube
+nodeny  ${HOME}/.config/mpv
+nodeny  ${HOME}/.mplayer
+nodeny  ${HOME}/.config/vlc
+nodeny  ${HOME}/.local/share/vlc
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,8 +23,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/smplayer
-whitelist /usr/share/smtube
+allow  /usr/share/smplayer
+allow  /usr/share/smtube
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
index c3a9bb858..3a79890cc 100644
--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -6,9 +6,9 @@ include smuxi-frontend-gnome.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/smuxi
-noblacklist ${HOME}/.config/smuxi
-noblacklist ${HOME}/.local/share/smuxi
+nodeny  ${HOME}/.cache/smuxi
+nodeny  ${HOME}/.config/smuxi
+nodeny  ${HOME}/.local/share/smuxi
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,10 +21,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.cache/smuxi
 mkdir ${HOME}/.config/smuxi
 mkdir ${HOME}/.local/share/smuxi
-whitelist ${HOME}/.cache/smuxi
-whitelist ${HOME}/.config/smuxi
-whitelist ${HOME}/.local/share/smuxi
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/smuxi
+allow  ${HOME}/.config/smuxi
+allow  ${HOME}/.local/share/smuxi
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
index 83493652c..1d315404e 100644
--- a/etc/profile-m-z/snox.profile
+++ b/etc/profile-m-z/snox.profile
@@ -10,15 +10,15 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/snox
-noblacklist ${HOME}/.config/snox
+nodeny  ${HOME}/.cache/snox
+nodeny  ${HOME}/.config/snox
 
 #mkdir ${HOME}/.cache/dnox
 #mkdir ${HOME}/.config/dnox
 mkdir ${HOME}/.cache/snox
 mkdir ${HOME}/.config/snox
-whitelist ${HOME}/.cache/snox
-whitelist ${HOME}/.config/snox
+allow  ${HOME}/.cache/snox
+allow  ${HOME}/.config/snox
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index 83315231f..bd4991e81 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -10,7 +10,7 @@ include softmaker-common.local
 # with an absolute Exec line. These files are NOT handelt by firecfg,
 # therefore you must manualy copy them in you home and remove '/usr/bin/'.
 
-noblacklist ${HOME}/SoftMaker
+nodeny  ${HOME}/SoftMaker
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /usr/share/office2018
-whitelist /usr/share/freeoffice2018
+allow  /usr/share/office2018
+allow  /usr/share/freeoffice2018
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index ef00fdfff..16ee39e09 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -6,8 +6,8 @@ include sound-juicer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/sound-juicer
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.config/sound-juicer
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile
index 4dbf34100..46da7a453 100644
--- a/etc/profile-m-z/soundconverter.profile
+++ b/etc/profile-m-z/soundconverter.profile
@@ -10,7 +10,7 @@ include globals.local
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${MUSIC}
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist /usr/share/soundconverter
+allow  ${DOWNLOADS}
+allow  ${MUSIC}
+allow  /usr/share/soundconverter
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index 4468f21e7..08adb5861 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -12,8 +12,8 @@ include globals.local
 #private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
 #protocol unix,inet,inet6
 
-noblacklist ${HOME}/.config/spectaclerc
-noblacklist ${PICTURES}
+nodeny  ${HOME}/.config/spectaclerc
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -24,10 +24,10 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkfile  ${HOME}/.config/spectaclerc
-whitelist ${HOME}/.config/spectaclerc
-whitelist ${PICTURES}
-whitelist /usr/share/kconf_update/spectacle_newConfig.upd
-whitelist /usr/share/kconf_update/spectacle_shortcuts.upd
+allow  ${HOME}/.config/spectaclerc
+allow  ${PICTURES}
+allow  /usr/share/kconf_update/spectacle_newConfig.upd
+allow  /usr/share/kconf_update/spectacle_shortcuts.upd
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 283674517..4c1b2d3e1 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -6,8 +6,8 @@ include spectral.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/ENCOM/Spectral
-noblacklist ${HOME}/.config/ENCOM
+nodeny  ${HOME}/.cache/ENCOM/Spectral
+nodeny  ${HOME}/.config/ENCOM
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,9 +20,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/ENCOM/Spectral
 mkdir ${HOME}/.config/ENCOM
-whitelist ${HOME}/.cache/ENCOM/Spectral
-whitelist ${HOME}/.config/ENCOM
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.cache/ENCOM/Spectral
+allow  ${HOME}/.config/ENCOM
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile
index 984461f90..3a3fd838d 100644
--- a/etc/profile-m-z/spectre-meltdown-checker.profile
+++ b/etc/profile-m-z/spectre-meltdown-checker.profile
@@ -6,10 +6,10 @@ include spectre-meltdown-checker.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
-noblacklist ${PATH}/mount
-noblacklist ${PATH}/umount
+nodeny  ${PATH}/mount
+nodeny  ${PATH}/umount
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index 01bc2bc05..e1c830268 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -5,11 +5,11 @@ include spotify.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/spotify
-noblacklist ${HOME}/.config/spotify
-noblacklist ${HOME}/.local/share/spotify
+nodeny  ${HOME}/.cache/spotify
+nodeny  ${HOME}/.config/spotify
+nodeny  ${HOME}/.local/share/spotify
 
-blacklist ${HOME}/.bashrc
+deny  ${HOME}/.bashrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,9 +21,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/spotify
 mkdir ${HOME}/.config/spotify
 mkdir ${HOME}/.local/share/spotify
-whitelist ${HOME}/.cache/spotify
-whitelist ${HOME}/.config/spotify
-whitelist ${HOME}/.local/share/spotify
+allow  ${HOME}/.cache/spotify
+allow  ${HOME}/.config/spotify
+allow  ${HOME}/.local/share/spotify
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index 4dd2c7262..aa577b63a 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -6,8 +6,8 @@ include sqlitebrowser.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/sqlitebrowser
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/sqlitebrowser
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 5802299a3..e456ebe07 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -9,8 +9,8 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-passwdmgr.inc
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index a58642192..8a0d86150 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -8,8 +8,8 @@ include ssh.local
 include globals.local
 
 # nc can be used as ProxyCommand, e.g. when using tor
-noblacklist ${PATH}/nc
-noblacklist ${PATH}/ncat
+nodeny  ${PATH}/nc
+nodeny  ${PATH}/ncat
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
@@ -19,8 +19,8 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
-whitelist ${RUNUSER}/keyring/ssh
+allow  ${RUNUSER}/gnupg/S.gpg-agent.ssh
+allow  ${RUNUSER}/keyring/ssh
 include whitelist-usr-share-common.inc
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 48a532876..75de118ab 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -5,8 +5,8 @@ include standardnotes-desktop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/Standard Notes Backups
-noblacklist ${HOME}/.config/Standard Notes
+nodeny  ${HOME}/Standard Notes Backups
+nodeny  ${HOME}/.config/Standard Notes
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/Standard Notes Backups
 mkdir ${HOME}/.config/Standard Notes
-whitelist ${HOME}/Standard Notes Backups
-whitelist ${HOME}/.config/Standard Notes
+allow  ${HOME}/Standard Notes Backups
+allow  ${HOME}/.config/Standard Notes
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/start-tor-browser.desktop.profile b/etc/profile-m-z/start-tor-browser.desktop.profile
index 2f73c9fee..8f75365e8 100644
--- a/etc/profile-m-z/start-tor-browser.desktop.profile
+++ b/etc/profile-m-z/start-tor-browser.desktop.profile
@@ -6,71 +6,71 @@ include start-tor-browser.desktop.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser*
+nodeny  ${HOME}/.tor-browser*
 
-whitelist ${HOME}/.tor-browser-ar
-whitelist ${HOME}/.tor-browser-ca
-whitelist ${HOME}/.tor-browser-cs
-whitelist ${HOME}/.tor-browser-da
-whitelist ${HOME}/.tor-browser-de
-whitelist ${HOME}/.tor-browser-el
-whitelist ${HOME}/.tor-browser-en
-whitelist ${HOME}/.tor-browser-en-us
-whitelist ${HOME}/.tor-browser-es
-whitelist ${HOME}/.tor-browser-es-es
-whitelist ${HOME}/.tor-browser-fa
-whitelist ${HOME}/.tor-browser-fr
-whitelist ${HOME}/.tor-browser-ga-ie
-whitelist ${HOME}/.tor-browser-he
-whitelist ${HOME}/.tor-browser-hu
-whitelist ${HOME}/.tor-browser-id
-whitelist ${HOME}/.tor-browser-is
-whitelist ${HOME}/.tor-browser-it
-whitelist ${HOME}/.tor-browser-ja
-whitelist ${HOME}/.tor-browser-ka
-whitelist ${HOME}/.tor-browser-ko
-whitelist ${HOME}/.tor-browser-nb
-whitelist ${HOME}/.tor-browser-nl
-whitelist ${HOME}/.tor-browser-pl
-whitelist ${HOME}/.tor-browser-pt-br
-whitelist ${HOME}/.tor-browser-ru
-whitelist ${HOME}/.tor-browser-sv-se
-whitelist ${HOME}/.tor-browser-tr
-whitelist ${HOME}/.tor-browser-vi
-whitelist ${HOME}/.tor-browser-zh-cn
-whitelist ${HOME}/.tor-browser-zh-tw
+allow  ${HOME}/.tor-browser-ar
+allow  ${HOME}/.tor-browser-ca
+allow  ${HOME}/.tor-browser-cs
+allow  ${HOME}/.tor-browser-da
+allow  ${HOME}/.tor-browser-de
+allow  ${HOME}/.tor-browser-el
+allow  ${HOME}/.tor-browser-en
+allow  ${HOME}/.tor-browser-en-us
+allow  ${HOME}/.tor-browser-es
+allow  ${HOME}/.tor-browser-es-es
+allow  ${HOME}/.tor-browser-fa
+allow  ${HOME}/.tor-browser-fr
+allow  ${HOME}/.tor-browser-ga-ie
+allow  ${HOME}/.tor-browser-he
+allow  ${HOME}/.tor-browser-hu
+allow  ${HOME}/.tor-browser-id
+allow  ${HOME}/.tor-browser-is
+allow  ${HOME}/.tor-browser-it
+allow  ${HOME}/.tor-browser-ja
+allow  ${HOME}/.tor-browser-ka
+allow  ${HOME}/.tor-browser-ko
+allow  ${HOME}/.tor-browser-nb
+allow  ${HOME}/.tor-browser-nl
+allow  ${HOME}/.tor-browser-pl
+allow  ${HOME}/.tor-browser-pt-br
+allow  ${HOME}/.tor-browser-ru
+allow  ${HOME}/.tor-browser-sv-se
+allow  ${HOME}/.tor-browser-tr
+allow  ${HOME}/.tor-browser-vi
+allow  ${HOME}/.tor-browser-zh-cn
+allow  ${HOME}/.tor-browser-zh-tw
 
-whitelist ${HOME}/.tor-browser_ar
-whitelist ${HOME}/.tor-browser_ca
-whitelist ${HOME}/.tor-browser_cs
-whitelist ${HOME}/.tor-browser_da
-whitelist ${HOME}/.tor-browser_de
-whitelist ${HOME}/.tor-browser_el
-whitelist ${HOME}/.tor-browser_en
-whitelist ${HOME}/.tor-browser_en_US
-whitelist ${HOME}/.tor-browser_es
-whitelist ${HOME}/.tor-browser_es-ES
-whitelist ${HOME}/.tor-browser_fa
-whitelist ${HOME}/.tor-browser_fr
-whitelist ${HOME}/.tor-browser_ga-IE
-whitelist ${HOME}/.tor-browser_he
-whitelist ${HOME}/.tor-browser_hu
-whitelist ${HOME}/.tor-browser_id
-whitelist ${HOME}/.tor-browser_is
-whitelist ${HOME}/.tor-browser_it
-whitelist ${HOME}/.tor-browser_ja
-whitelist ${HOME}/.tor-browser_ka
-whitelist ${HOME}/.tor-browser_ko
-whitelist ${HOME}/.tor-browser_nb
-whitelist ${HOME}/.tor-browser_nl
-whitelist ${HOME}/.tor-browser_pl
-whitelist ${HOME}/.tor-browser_pt-BR
-whitelist ${HOME}/.tor-browser_ru
-whitelist ${HOME}/.tor-browser_sv-SE
-whitelist ${HOME}/.tor-browser_tr
-whitelist ${HOME}/.tor-browser_vi
-whitelist ${HOME}/.tor-browser_zh-CN
-whitelist ${HOME}/.tor-browser_zh-TW
+allow  ${HOME}/.tor-browser_ar
+allow  ${HOME}/.tor-browser_ca
+allow  ${HOME}/.tor-browser_cs
+allow  ${HOME}/.tor-browser_da
+allow  ${HOME}/.tor-browser_de
+allow  ${HOME}/.tor-browser_el
+allow  ${HOME}/.tor-browser_en
+allow  ${HOME}/.tor-browser_en_US
+allow  ${HOME}/.tor-browser_es
+allow  ${HOME}/.tor-browser_es-ES
+allow  ${HOME}/.tor-browser_fa
+allow  ${HOME}/.tor-browser_fr
+allow  ${HOME}/.tor-browser_ga-IE
+allow  ${HOME}/.tor-browser_he
+allow  ${HOME}/.tor-browser_hu
+allow  ${HOME}/.tor-browser_id
+allow  ${HOME}/.tor-browser_is
+allow  ${HOME}/.tor-browser_it
+allow  ${HOME}/.tor-browser_ja
+allow  ${HOME}/.tor-browser_ka
+allow  ${HOME}/.tor-browser_ko
+allow  ${HOME}/.tor-browser_nb
+allow  ${HOME}/.tor-browser_nl
+allow  ${HOME}/.tor-browser_pl
+allow  ${HOME}/.tor-browser_pt-BR
+allow  ${HOME}/.tor-browser_ru
+allow  ${HOME}/.tor-browser_sv-SE
+allow  ${HOME}/.tor-browser_tr
+allow  ${HOME}/.tor-browser_vi
+allow  ${HOME}/.tor-browser_zh-CN
+allow  ${HOME}/.tor-browser_zh-TW
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 06d08f3a2..09e29373d 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -6,40 +6,40 @@ include steam.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Epic
-noblacklist ${HOME}/.config/Loop_Hero
-noblacklist ${HOME}/.config/ModTheSpire
-noblacklist ${HOME}/.config/RogueLegacy
-noblacklist ${HOME}/.config/RogueLegacyStorageContainer
-noblacklist ${HOME}/.killingfloor
-noblacklist ${HOME}/.klei
-noblacklist ${HOME}/.local/share/3909/PapersPlease
-noblacklist ${HOME}/.local/share/aspyr-media
-noblacklist ${HOME}/.local/share/bohemiainteractive
-noblacklist ${HOME}/.local/share/cdprojektred
-noblacklist ${HOME}/.local/share/Dredmor
-noblacklist ${HOME}/.local/share/FasterThanLight
-noblacklist ${HOME}/.local/share/feral-interactive
-noblacklist ${HOME}/.local/share/IntoTheBreach
-noblacklist ${HOME}/.local/share/Paradox Interactive
-noblacklist ${HOME}/.local/share/PillarsOfEternity
-noblacklist ${HOME}/.local/share/RogueLegacy
-noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer
-noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/SteamWorldDig
-noblacklist ${HOME}/.local/share/SteamWorld Dig 2
-noblacklist ${HOME}/.local/share/SuperHexagon
-noblacklist ${HOME}/.local/share/Terraria
-noblacklist ${HOME}/.local/share/vpltd
-noblacklist ${HOME}/.local/share/vulkan
-noblacklist ${HOME}/.mbwarband
-noblacklist ${HOME}/.paradoxinteractive
-noblacklist ${HOME}/.steam
-noblacklist ${HOME}/.steampath
-noblacklist ${HOME}/.steampid
+nodeny  ${HOME}/.config/Epic
+nodeny  ${HOME}/.config/Loop_Hero
+nodeny  ${HOME}/.config/ModTheSpire
+nodeny  ${HOME}/.config/RogueLegacy
+nodeny  ${HOME}/.config/RogueLegacyStorageContainer
+nodeny  ${HOME}/.killingfloor
+nodeny  ${HOME}/.klei
+nodeny  ${HOME}/.local/share/3909/PapersPlease
+nodeny  ${HOME}/.local/share/aspyr-media
+nodeny  ${HOME}/.local/share/bohemiainteractive
+nodeny  ${HOME}/.local/share/cdprojektred
+nodeny  ${HOME}/.local/share/Dredmor
+nodeny  ${HOME}/.local/share/FasterThanLight
+nodeny  ${HOME}/.local/share/feral-interactive
+nodeny  ${HOME}/.local/share/IntoTheBreach
+nodeny  ${HOME}/.local/share/Paradox Interactive
+nodeny  ${HOME}/.local/share/PillarsOfEternity
+nodeny  ${HOME}/.local/share/RogueLegacy
+nodeny  ${HOME}/.local/share/RogueLegacyStorageContainer
+nodeny  ${HOME}/.local/share/Steam
+nodeny  ${HOME}/.local/share/SteamWorldDig
+nodeny  ${HOME}/.local/share/SteamWorld Dig 2
+nodeny  ${HOME}/.local/share/SuperHexagon
+nodeny  ${HOME}/.local/share/Terraria
+nodeny  ${HOME}/.local/share/vpltd
+nodeny  ${HOME}/.local/share/vulkan
+nodeny  ${HOME}/.mbwarband
+nodeny  ${HOME}/.paradoxinteractive
+nodeny  ${HOME}/.steam
+nodeny  ${HOME}/.steampath
+nodeny  ${HOME}/.steampid
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -84,38 +84,38 @@ mkdir ${HOME}/.paradoxinteractive
 mkdir ${HOME}/.steam
 mkfile ${HOME}/.steampath
 mkfile ${HOME}/.steampid
-whitelist ${HOME}/.config/Epic
-whitelist ${HOME}/.config/Loop_Hero
-whitelist ${HOME}/.config/ModTheSpire
-whitelist ${HOME}/.config/RogueLegacy
-whitelist ${HOME}/.config/RogueLegacyStorageContainer
-whitelist ${HOME}/.config/unity3d
-whitelist ${HOME}/.killingfloor
-whitelist ${HOME}/.klei
-whitelist ${HOME}/.local/share/3909/PapersPlease
-whitelist ${HOME}/.local/share/aspyr-media
-whitelist ${HOME}/.local/share/bohemiainteractive
-whitelist ${HOME}/.local/share/cdprojektred
-whitelist ${HOME}/.local/share/Dredmor
-whitelist ${HOME}/.local/share/FasterThanLight
-whitelist ${HOME}/.local/share/feral-interactive
-whitelist ${HOME}/.local/share/IntoTheBreach
-whitelist ${HOME}/.local/share/Paradox Interactive
-whitelist ${HOME}/.local/share/PillarsOfEternity
-whitelist ${HOME}/.local/share/RogueLegacy
-whitelist ${HOME}/.local/share/RogueLegacyStorageContainer
-whitelist ${HOME}/.local/share/Steam
-whitelist ${HOME}/.local/share/SteamWorldDig
-whitelist ${HOME}/.local/share/SteamWorld Dig 2
-whitelist ${HOME}/.local/share/SuperHexagon
-whitelist ${HOME}/.local/share/Terraria
-whitelist ${HOME}/.local/share/vpltd
-whitelist ${HOME}/.local/share/vulkan
-whitelist ${HOME}/.mbwarband
-whitelist ${HOME}/.paradoxinteractive
-whitelist ${HOME}/.steam
-whitelist ${HOME}/.steampath
-whitelist ${HOME}/.steampid
+allow  ${HOME}/.config/Epic
+allow  ${HOME}/.config/Loop_Hero
+allow  ${HOME}/.config/ModTheSpire
+allow  ${HOME}/.config/RogueLegacy
+allow  ${HOME}/.config/RogueLegacyStorageContainer
+allow  ${HOME}/.config/unity3d
+allow  ${HOME}/.killingfloor
+allow  ${HOME}/.klei
+allow  ${HOME}/.local/share/3909/PapersPlease
+allow  ${HOME}/.local/share/aspyr-media
+allow  ${HOME}/.local/share/bohemiainteractive
+allow  ${HOME}/.local/share/cdprojektred
+allow  ${HOME}/.local/share/Dredmor
+allow  ${HOME}/.local/share/FasterThanLight
+allow  ${HOME}/.local/share/feral-interactive
+allow  ${HOME}/.local/share/IntoTheBreach
+allow  ${HOME}/.local/share/Paradox Interactive
+allow  ${HOME}/.local/share/PillarsOfEternity
+allow  ${HOME}/.local/share/RogueLegacy
+allow  ${HOME}/.local/share/RogueLegacyStorageContainer
+allow  ${HOME}/.local/share/Steam
+allow  ${HOME}/.local/share/SteamWorldDig
+allow  ${HOME}/.local/share/SteamWorld Dig 2
+allow  ${HOME}/.local/share/SuperHexagon
+allow  ${HOME}/.local/share/Terraria
+allow  ${HOME}/.local/share/vpltd
+allow  ${HOME}/.local/share/vulkan
+allow  ${HOME}/.mbwarband
+allow  ${HOME}/.paradoxinteractive
+allow  ${HOME}/.steam
+allow  ${HOME}/.steampath
+allow  ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile
index a752ab53c..003d3a079 100644
--- a/etc/profile-m-z/stellarium.profile
+++ b/etc/profile-m-z/stellarium.profile
@@ -6,8 +6,8 @@ include stellarium.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/stellarium
-noblacklist ${HOME}/.stellarium
+nodeny  ${HOME}/.config/stellarium
+nodeny  ${HOME}/.stellarium
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/stellarium
 mkdir ${HOME}/.stellarium
-whitelist ${HOME}/.config/stellarium
-whitelist ${HOME}/.stellarium
+allow  ${HOME}/.config/stellarium
+allow  ${HOME}/.stellarium
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index f8108c9d6..dd643bc20 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -1,64 +1,21 @@
 # Firejail profile for straw-viewer
 # Description: Fork of youtube-viewer acts like an invidious frontend
-quiet
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include straw-viewer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/straw-viewer
-noblacklist ${HOME}/.config/straw-viewer
-
-# Allow lua (blacklisted by disable-interpreters.inc)
-include allow-lua.inc
-
-# Allow perl (blacklisted by disable-interpreters.inc)
-include allow-perl.inc
-
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+nodeny  ${HOME}/.cache/straw-viewer
+nodeny  ${HOME}/.config/straw-viewer
 
 mkdir ${HOME}/.config/straw-viewer
 mkdir ${HOME}/.cache/straw-viewer
-whitelist ${HOME}/.cache/straw-viewer
-whitelist ${HOME}/.config/straw-viewer
-whitelist ${DOWNLOADS}
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
+allow  ${HOME}/.cache/straw-viewer
+allow  ${HOME}/.config/straw-viewer
 
-disable-mnt
-private-bin bash,ffmpeg,ffprobe,gtk-straw-viewer,mpv,perl,python*,sh,smplayer,straw-viewer,stty,vlc,wget,which,youtube-dl
-private-cache
-private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
-private-tmp
+private-bin gtk-straw-viewer,straw-viewer
 
-dbus-user none
-dbus-system none
+# Redirect
+include youtube-viewers-common.profile
\ No newline at end of file
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index b87906f55..aed0b7910 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -6,10 +6,10 @@ include strawberry.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/strawberry
-noblacklist ${HOME}/.config/strawberry
-noblacklist ${HOME}/.local/share/strawberry
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.cache/strawberry
+nodeny  ${HOME}/.config/strawberry
+nodeny  ${HOME}/.local/share/strawberry
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 1ebcded7f..5c820ef81 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -7,7 +7,7 @@ include strings.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}
+deny  ${RUNUSER}
 
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index bbe92fd38..0d07b5ea7 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -6,8 +6,8 @@ include subdownloader.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/SubDownloader
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.config/SubDownloader
+nodeny  ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index dd456f085..8cc547805 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -6,7 +6,7 @@ include supertux2.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/supertux2
+nodeny  ${HOME}/.local/share/supertux2
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,9 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.local/share/supertux2
-whitelist ${HOME}/.local/share/supertux2
-whitelist /usr/share/supertux2
+allow  ${HOME}/.local/share/supertux2
+allow  /usr/share/supertux2
+allow  /usr/share/games/supertux2       # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 6a0ed46e0..44dc1524f 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -6,9 +6,11 @@ include supertuxkart.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/supertuxkart
-noblacklist ${HOME}/.cache/supertuxkart
-noblacklist ${HOME}/.local/share/supertuxkart
+nodeny  ${HOME}/.config/supertuxkart
+nodeny  ${HOME}/.cache/supertuxkart
+nodeny  ${HOME}/.local/share/supertuxkart
+
+deny  /usr/libexec
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +24,11 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/supertuxkart
 mkdir ${HOME}/.cache/supertuxkart
 mkdir ${HOME}/.local/share/supertuxkart
-whitelist ${HOME}/.config/supertuxkart
-whitelist ${HOME}/.cache/supertuxkart
-whitelist ${HOME}/.local/share/supertuxkart
-whitelist /usr/share/supertuxkart
+allow  ${HOME}/.config/supertuxkart
+allow  ${HOME}/.cache/supertuxkart
+allow  ${HOME}/.local/share/supertuxkart
+allow  /usr/share/supertuxkart
+allow  /usr/share/games/supertuxkart    # Debian version
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index 8db7d2433..fd1e7f9e9 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -6,7 +6,7 @@ include surf.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.surf
+nodeny  ${HOME}/.surf
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,8 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.surf
-whitelist ${HOME}/.surf
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.surf
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/swell-foop.profile b/etc/profile-m-z/swell-foop.profile
index 9efae815d..55cd0965a 100644
--- a/etc/profile-m-z/swell-foop.profile
+++ b/etc/profile-m-z/swell-foop.profile
@@ -6,12 +6,12 @@ include swell-foop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.local/share/swell-foop
+nodeny  ${HOME}/.local/share/swell-foop
 
 mkdir ${HOME}/.local/share/swell-foop
-whitelist ${HOME}/.local/share/swell-foop
+allow  ${HOME}/.local/share/swell-foop
 
-whitelist /usr/share/swell-foop
+allow  /usr/share/swell-foop
 
 private-bin swell-foop
 
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 328812b04..447cdc99e 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -6,12 +6,12 @@ include sylpheed.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.sylpheed-2.0
+nodeny  ${HOME}/.sylpheed-2.0
 
 mkdir ${HOME}/.sylpheed-2.0
-whitelist ${HOME}/.sylpheed-2.0
+allow  ${HOME}/.sylpheed-2.0
 
-whitelist /usr/share/sylpheed
+allow  /usr/share/sylpheed
 
 # private-bin curl,gpg,gpg2,gpg-agent,gpgsm,pinentry,pinentry-gtk-2,sylpheed
 
diff --git a/etc/profile-m-z/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile
index c60186c42..7cbbafd54 100644
--- a/etc/profile-m-z/synfigstudio.profile
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -6,8 +6,8 @@ include synfigstudio.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/synfig
-noblacklist ${HOME}/.synfig
+nodeny  ${HOME}/.config/synfig
+nodeny  ${HOME}/.synfig
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index b52b25b96..f20f88791 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -6,7 +6,7 @@ include sysprof.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -24,15 +24,15 @@ include disable-xdg.inc
 #nowhitelist /usr/share/yelp-tools
 #nowhitelist /usr/share/yelp-xsl
 
-noblacklist ${HOME}/.config/yelp
+nodeny  ${HOME}/.config/yelp
 mkdir ${HOME}/.config/yelp
-whitelist ${HOME}/.config/yelp
-whitelist /usr/share/help/C/sysprof
-whitelist /usr/share/yelp
-whitelist /usr/share/yelp-tools
-whitelist /usr/share/yelp-xsl
+allow  ${HOME}/.config/yelp
+allow  /usr/share/help/C/sysprof
+allow  /usr/share/yelp
+allow  /usr/share/yelp-tools
+allow  /usr/share/yelp-xsl
 
-whitelist ${DOCUMENTS}
+allow  ${DOCUMENTS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 0d3a900e9..74c8a0849 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -12,7 +12,7 @@ ignore include disable-shell.inc
 
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop
 # all capabilities this is automatically read-only.
-noblacklist /var/lib/pacman
+nodeny  /var/lib/pacman
 
 private-etc alternatives,group,localtime,login.defs,passwd
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
diff --git a/etc/profile-m-z/tb-starter-wrapper.profile b/etc/profile-m-z/tb-starter-wrapper.profile
index ffe9605b6..691c33191 100644
--- a/etc/profile-m-z/tb-starter-wrapper.profile
+++ b/etc/profile-m-z/tb-starter-wrapper.profile
@@ -8,10 +8,10 @@ include tb-starter-wrapper.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tb
+nodeny  ${HOME}/.tb
 
 mkdir ${HOME}/.tb
-whitelist ${HOME}/.tb
+allow  ${HOME}/.tb
 
 private-bin tb-starter-wrapper
 
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index e2ba5893c..b4c4873b3 100644
--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -6,9 +6,9 @@ include tcpdump.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/sbin
-noblacklist ${PATH}/tcpdump
+nodeny  /sbin
+nodeny  /usr/sbin
+nodeny  ${PATH}/tcpdump
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index eee083332..24cbb42da 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -14,10 +14,10 @@ ignore include whitelist-usr-share-common.inc
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/teams-for-linux
+nodeny  ${HOME}/.config/teams-for-linux
 
 mkdir ${HOME}/.config/teams-for-linux
-whitelist ${HOME}/.config/teams-for-linux
+allow  ${HOME}/.config/teams-for-linux
 
 private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/teams.profile b/etc/profile-m-z/teams.profile
index c8d98cbaa..8639edbc8 100644
--- a/etc/profile-m-z/teams.profile
+++ b/etc/profile-m-z/teams.profile
@@ -18,13 +18,13 @@ ignore apparmor
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/teams
-noblacklist ${HOME}/.config/Microsoft
+nodeny  ${HOME}/.config/teams
+nodeny  ${HOME}/.config/Microsoft
 
 mkdir ${HOME}/.config/teams
 mkdir ${HOME}/.config/Microsoft
-whitelist ${HOME}/.config/teams
-whitelist ${HOME}/.config/Microsoft
+allow  ${HOME}/.config/teams
+allow  ${HOME}/.config/Microsoft
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 02a2c8ae4..781a5f4eb 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -6,8 +6,8 @@ include teamspeak3.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ts3client
-noblacklist ${PATH}/openssl
+nodeny  ${HOME}/.ts3client
+nodeny  ${PATH}/openssl
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.ts3client
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.ts3client
+allow  ${DOWNLOADS}
+allow  ${HOME}/.ts3client
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index be01aee12..c9c444ffc 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -6,7 +6,7 @@ include teeworlds.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.teeworlds
+nodeny  ${HOME}/.teeworlds
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.teeworlds
-whitelist ${HOME}/.teeworlds
+allow  ${HOME}/.teeworlds
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/telegram-desktop.profile b/etc/profile-m-z/telegram-desktop.profile
index e0c5aee9e..7463b761f 100644
--- a/etc/profile-m-z/telegram-desktop.profile
+++ b/etc/profile-m-z/telegram-desktop.profile
@@ -2,7 +2,7 @@
 # Description: Official Telegram Desktop client
 # This file is overwritten after every install/update
 # Persistent local customizations
-include tekegram-desktop.local
+include telegram-desktop.local
 # Persistent global definitions
 # added by included profile
 #include globals.local
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 05c621fb2..92689a461 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -5,8 +5,8 @@ include telegram.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.TelegramDesktop
-noblacklist ${HOME}/.local/share/TelegramDesktop
+nodeny  ${HOME}/.TelegramDesktop
+nodeny  ${HOME}/.local/share/TelegramDesktop
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.TelegramDesktop
 mkdir ${HOME}/.local/share/TelegramDesktop
-whitelist ${HOME}/.TelegramDesktop
-whitelist ${HOME}/.local/share/TelegramDesktop
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.TelegramDesktop
+allow  ${HOME}/.local/share/TelegramDesktop
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -39,7 +39,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 seccomp.block-secondary
 shell none
-tracelog
 
 disable-mnt
 #private-bin telegram,Telegram,telegram-desktop
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile
index ce2ca1d17..b2f98fbac 100644
--- a/etc/profile-m-z/terasology.profile
+++ b/etc/profile-m-z/terasology.profile
@@ -7,7 +7,7 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.local/share/terasology
+nodeny  ${HOME}/.local/share/terasology
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -21,8 +21,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.java
 mkdir ${HOME}/.local/share/terasology
-whitelist ${HOME}/.java
-whitelist ${HOME}/.local/share/terasology
+allow  ${HOME}/.java
+allow  ${HOME}/.local/share/terasology
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index b478fbe1e..a539cadf8 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -22,14 +22,14 @@ writable-run-user
 #writable-var
 
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
-noblacklist ${HOME}/.mozilla
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
+nodeny  ${HOME}/.mozilla
+allow  ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
-noblacklist ${HOME}/.cache/thunderbird
-noblacklist ${HOME}/.gnupg
+nodeny  ${HOME}/.cache/thunderbird
+nodeny  ${HOME}/.gnupg
 # noblacklist ${HOME}/.icedove
-noblacklist ${HOME}/.thunderbird
+nodeny  ${HOME}/.thunderbird
 
 include disable-passwdmgr.inc
 include disable-xdg.inc
@@ -42,15 +42,15 @@ mkdir ${HOME}/.cache/thunderbird
 mkdir ${HOME}/.gnupg
 # mkdir ${HOME}/.icedove
 mkdir ${HOME}/.thunderbird
-whitelist ${HOME}/.cache/thunderbird
-whitelist ${HOME}/.gnupg
+allow  ${HOME}/.cache/thunderbird
+allow  ${HOME}/.gnupg
 # whitelist ${HOME}/.icedove
-whitelist ${HOME}/.thunderbird
+allow  ${HOME}/.thunderbird
 
-whitelist /usr/share/gnupg
-whitelist /usr/share/mozilla
-whitelist /usr/share/thunderbird
-whitelist /usr/share/webext
+allow  /usr/share/gnupg
+allow  /usr/share/mozilla
+allow  /usr/share/thunderbird
+allow  /usr/share/webext
 include whitelist-usr-share-common.inc
 
 # machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
index dd4a372c4..b0fa54f08 100644
--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -5,7 +5,7 @@ include tilp.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.tilp
+nodeny  ${HOME}/.tilp
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
new file mode 100644
index 000000000..3ee696b8b
--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+
+nodeny  ${HOME}/.newsrc
+nodeny  ${HOME}/.tin
+
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
+deny  /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+#       tin saves .newsrc by renaming a temporary file, which is not possible for
+#       bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index 0139d7515..d2e90e356 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -7,10 +7,10 @@ include tmux.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
-noblacklist /tmp/tmux-*
+nodeny  /tmp/tmux-*
 
 # include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/profile-m-z/tor-browser-ar.profile b/etc/profile-m-z/tor-browser-ar.profile
index 59f1bc3b1..49158b93e 100644
--- a/etc/profile-m-z/tor-browser-ar.profile
+++ b/etc/profile-m-z/tor-browser-ar.profile
@@ -6,10 +6,10 @@ include tor-browser-ar.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ar
+nodeny  ${HOME}/.tor-browser-ar
 
 mkdir ${HOME}/.tor-browser-ar
-whitelist ${HOME}/.tor-browser-ar
+allow  ${HOME}/.tor-browser-ar
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ca.profile b/etc/profile-m-z/tor-browser-ca.profile
index 68577e352..612f8bd7c 100644
--- a/etc/profile-m-z/tor-browser-ca.profile
+++ b/etc/profile-m-z/tor-browser-ca.profile
@@ -6,10 +6,10 @@ include tor-browser-ca.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ca
+nodeny  ${HOME}/.tor-browser-ca
 
 mkdir ${HOME}/.tor-browser-ca
-whitelist ${HOME}/.tor-browser-ca
+allow  ${HOME}/.tor-browser-ca
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-cs.profile b/etc/profile-m-z/tor-browser-cs.profile
index 33e51fcd0..a400fde05 100644
--- a/etc/profile-m-z/tor-browser-cs.profile
+++ b/etc/profile-m-z/tor-browser-cs.profile
@@ -6,10 +6,10 @@ include tor-browser-cs.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-cs
+nodeny  ${HOME}/.tor-browser-cs
 
 mkdir ${HOME}/.tor-browser-cs
-whitelist ${HOME}/.tor-browser-cs
+allow  ${HOME}/.tor-browser-cs
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-da.profile b/etc/profile-m-z/tor-browser-da.profile
index 440bb7fc3..9010025e3 100644
--- a/etc/profile-m-z/tor-browser-da.profile
+++ b/etc/profile-m-z/tor-browser-da.profile
@@ -6,10 +6,10 @@ include tor-browser-da.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-da
+nodeny  ${HOME}/.tor-browser-da
 
 mkdir ${HOME}/.tor-browser-da
-whitelist ${HOME}/.tor-browser-da
+allow  ${HOME}/.tor-browser-da
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-de.profile b/etc/profile-m-z/tor-browser-de.profile
index b2b98cf82..cd556c32b 100644
--- a/etc/profile-m-z/tor-browser-de.profile
+++ b/etc/profile-m-z/tor-browser-de.profile
@@ -6,10 +6,10 @@ include tor-browser-de.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-de
+nodeny  ${HOME}/.tor-browser-de
 
 mkdir ${HOME}/.tor-browser-de
-whitelist ${HOME}/.tor-browser-de
+allow  ${HOME}/.tor-browser-de
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-el.profile b/etc/profile-m-z/tor-browser-el.profile
index 626757dd5..ee2b0fea7 100644
--- a/etc/profile-m-z/tor-browser-el.profile
+++ b/etc/profile-m-z/tor-browser-el.profile
@@ -6,10 +6,10 @@ include tor-browser-el.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-el
+nodeny  ${HOME}/.tor-browser-el
 
 mkdir ${HOME}/.tor-browser-el
-whitelist ${HOME}/.tor-browser-el
+allow  ${HOME}/.tor-browser-el
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-en-us.profile b/etc/profile-m-z/tor-browser-en-us.profile
index 15e690748..2be71a5aa 100644
--- a/etc/profile-m-z/tor-browser-en-us.profile
+++ b/etc/profile-m-z/tor-browser-en-us.profile
@@ -6,10 +6,10 @@ include tor-browser-en-us.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-en-us
+nodeny  ${HOME}/.tor-browser-en-us
 
 mkdir ${HOME}/.tor-browser-en-us
-whitelist ${HOME}/.tor-browser-en-us
+allow  ${HOME}/.tor-browser-en-us
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-en.profile b/etc/profile-m-z/tor-browser-en.profile
index ef8c1eb8b..633c2f4f9 100644
--- a/etc/profile-m-z/tor-browser-en.profile
+++ b/etc/profile-m-z/tor-browser-en.profile
@@ -6,10 +6,10 @@ include tor-browser-en.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-en
+nodeny  ${HOME}/.tor-browser-en
 
 mkdir ${HOME}/.tor-browser-en
-whitelist ${HOME}/.tor-browser-en
+allow  ${HOME}/.tor-browser-en
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-es-es.profile b/etc/profile-m-z/tor-browser-es-es.profile
index ad734662e..f7c2302a7 100644
--- a/etc/profile-m-z/tor-browser-es-es.profile
+++ b/etc/profile-m-z/tor-browser-es-es.profile
@@ -6,10 +6,10 @@ include tor-browser-es-es.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-es-es
+nodeny  ${HOME}/.tor-browser-es-es
 
 mkdir ${HOME}/.tor-browser-es-es
-whitelist ${HOME}/.tor-browser-es-es
+allow  ${HOME}/.tor-browser-es-es
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-es.profile b/etc/profile-m-z/tor-browser-es.profile
index 97d8d8577..d88dcdec1 100644
--- a/etc/profile-m-z/tor-browser-es.profile
+++ b/etc/profile-m-z/tor-browser-es.profile
@@ -6,10 +6,10 @@ include tor-browser-es.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-es
+nodeny  ${HOME}/.tor-browser-es
 
 mkdir ${HOME}/.tor-browser-es
-whitelist ${HOME}/.tor-browser-es
+allow  ${HOME}/.tor-browser-es
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-fa.profile b/etc/profile-m-z/tor-browser-fa.profile
index 095be69e4..3f7074fdb 100644
--- a/etc/profile-m-z/tor-browser-fa.profile
+++ b/etc/profile-m-z/tor-browser-fa.profile
@@ -6,10 +6,10 @@ include tor-browser-fa.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-fa
+nodeny  ${HOME}/.tor-browser-fa
 
 mkdir ${HOME}/.tor-browser-fa
-whitelist ${HOME}/.tor-browser-fa
+allow  ${HOME}/.tor-browser-fa
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-fr.profile b/etc/profile-m-z/tor-browser-fr.profile
index 37f61fc3a..ef14f44a2 100644
--- a/etc/profile-m-z/tor-browser-fr.profile
+++ b/etc/profile-m-z/tor-browser-fr.profile
@@ -6,10 +6,10 @@ include tor-browser-fr.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-fr
+nodeny  ${HOME}/.tor-browser-fr
 
 mkdir ${HOME}/.tor-browser-fr
-whitelist ${HOME}/.tor-browser-fr
+allow  ${HOME}/.tor-browser-fr
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ga-ie.profile b/etc/profile-m-z/tor-browser-ga-ie.profile
index ab7141fc4..06baaf34f 100644
--- a/etc/profile-m-z/tor-browser-ga-ie.profile
+++ b/etc/profile-m-z/tor-browser-ga-ie.profile
@@ -6,10 +6,10 @@ include tor-browser-ga-ie.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ga-ie
+nodeny  ${HOME}/.tor-browser-ga-ie
 
 mkdir ${HOME}/.tor-browser-ga-ie
-whitelist ${HOME}/.tor-browser-ga-ie
+allow  ${HOME}/.tor-browser-ga-ie
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-he.profile b/etc/profile-m-z/tor-browser-he.profile
index ae56f3b7f..57588ffc7 100644
--- a/etc/profile-m-z/tor-browser-he.profile
+++ b/etc/profile-m-z/tor-browser-he.profile
@@ -6,10 +6,10 @@ include tor-browser-he.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-he
+nodeny  ${HOME}/.tor-browser-he
 
 mkdir ${HOME}/.tor-browser-he
-whitelist ${HOME}/.tor-browser-he
+allow  ${HOME}/.tor-browser-he
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-hu.profile b/etc/profile-m-z/tor-browser-hu.profile
index 65cd18ac8..a10b66a24 100644
--- a/etc/profile-m-z/tor-browser-hu.profile
+++ b/etc/profile-m-z/tor-browser-hu.profile
@@ -6,10 +6,10 @@ include tor-browser-hu.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-hu
+nodeny  ${HOME}/.tor-browser-hu
 
 mkdir ${HOME}/.tor-browser-hu
-whitelist ${HOME}/.tor-browser-hu
+allow  ${HOME}/.tor-browser-hu
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-id.profile b/etc/profile-m-z/tor-browser-id.profile
index 57fe09f47..fcdb822cd 100644
--- a/etc/profile-m-z/tor-browser-id.profile
+++ b/etc/profile-m-z/tor-browser-id.profile
@@ -6,10 +6,10 @@ include tor-browser-id.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-id
+nodeny  ${HOME}/.tor-browser-id
 
 mkdir ${HOME}/.tor-browser-id
-whitelist ${HOME}/.tor-browser-id
+allow  ${HOME}/.tor-browser-id
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-is.profile b/etc/profile-m-z/tor-browser-is.profile
index 54f1df42d..45b47c108 100644
--- a/etc/profile-m-z/tor-browser-is.profile
+++ b/etc/profile-m-z/tor-browser-is.profile
@@ -6,10 +6,10 @@ include tor-browser-is.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-is
+nodeny  ${HOME}/.tor-browser-is
 
 mkdir ${HOME}/.tor-browser-is
-whitelist ${HOME}/.tor-browser-is
+allow  ${HOME}/.tor-browser-is
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-it.profile b/etc/profile-m-z/tor-browser-it.profile
index a7d46e875..b5a2f7c13 100644
--- a/etc/profile-m-z/tor-browser-it.profile
+++ b/etc/profile-m-z/tor-browser-it.profile
@@ -6,10 +6,10 @@ include tor-browser-it.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-it
+nodeny  ${HOME}/.tor-browser-it
 
 mkdir ${HOME}/.tor-browser-it
-whitelist ${HOME}/.tor-browser-it
+allow  ${HOME}/.tor-browser-it
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ja.profile b/etc/profile-m-z/tor-browser-ja.profile
index b89016141..e1f023bd4 100644
--- a/etc/profile-m-z/tor-browser-ja.profile
+++ b/etc/profile-m-z/tor-browser-ja.profile
@@ -6,10 +6,10 @@ include tor-browser-ja.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ja
+nodeny  ${HOME}/.tor-browser-ja
 
 mkdir ${HOME}/.tor-browser-ja
-whitelist ${HOME}/.tor-browser-ja
+allow  ${HOME}/.tor-browser-ja
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ka.profile b/etc/profile-m-z/tor-browser-ka.profile
index b57cf10de..17930b58e 100644
--- a/etc/profile-m-z/tor-browser-ka.profile
+++ b/etc/profile-m-z/tor-browser-ka.profile
@@ -6,10 +6,10 @@ include tor-browser-ka.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ka
+nodeny  ${HOME}/.tor-browser-ka
 
 mkdir ${HOME}/.tor-browser-ka
-whitelist ${HOME}/.tor-browser-ka
+allow  ${HOME}/.tor-browser-ka
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ko.profile b/etc/profile-m-z/tor-browser-ko.profile
index a9bedb6fd..b33d1edb4 100644
--- a/etc/profile-m-z/tor-browser-ko.profile
+++ b/etc/profile-m-z/tor-browser-ko.profile
@@ -6,10 +6,10 @@ include tor-browser-ko.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ko
+nodeny  ${HOME}/.tor-browser-ko
 
 mkdir ${HOME}/.tor-browser-ko
-whitelist ${HOME}/.tor-browser-ko
+allow  ${HOME}/.tor-browser-ko
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-nb.profile b/etc/profile-m-z/tor-browser-nb.profile
index fbe9f92bd..b462eb9ac 100644
--- a/etc/profile-m-z/tor-browser-nb.profile
+++ b/etc/profile-m-z/tor-browser-nb.profile
@@ -6,10 +6,10 @@ include tor-browser-nb.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-nb
+nodeny  ${HOME}/.tor-browser-nb
 
 mkdir ${HOME}/.tor-browser-nb
-whitelist ${HOME}/.tor-browser-nb
+allow  ${HOME}/.tor-browser-nb
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-nl.profile b/etc/profile-m-z/tor-browser-nl.profile
index 678ac1713..0225eb6fd 100644
--- a/etc/profile-m-z/tor-browser-nl.profile
+++ b/etc/profile-m-z/tor-browser-nl.profile
@@ -6,10 +6,10 @@ include tor-browser-nl.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-nl
+nodeny  ${HOME}/.tor-browser-nl
 
 mkdir ${HOME}/.tor-browser-nl
-whitelist ${HOME}/.tor-browser-nl
+allow  ${HOME}/.tor-browser-nl
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-pl.profile b/etc/profile-m-z/tor-browser-pl.profile
index 25d473b1a..75604b458 100644
--- a/etc/profile-m-z/tor-browser-pl.profile
+++ b/etc/profile-m-z/tor-browser-pl.profile
@@ -6,10 +6,10 @@ include tor-browser-pl.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-pl
+nodeny  ${HOME}/.tor-browser-pl
 
 mkdir ${HOME}/.tor-browser-pl
-whitelist ${HOME}/.tor-browser-pl
+allow  ${HOME}/.tor-browser-pl
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-pt-br.profile b/etc/profile-m-z/tor-browser-pt-br.profile
index 55adbd5ea..4d50d8034 100644
--- a/etc/profile-m-z/tor-browser-pt-br.profile
+++ b/etc/profile-m-z/tor-browser-pt-br.profile
@@ -6,10 +6,10 @@ include tor-browser-pt-br.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-pt-br
+nodeny  ${HOME}/.tor-browser-pt-br
 
 mkdir ${HOME}/.tor-browser-pt-br
-whitelist ${HOME}/.tor-browser-pt-br
+allow  ${HOME}/.tor-browser-pt-br
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-ru.profile b/etc/profile-m-z/tor-browser-ru.profile
index aea13be9d..4bca3c46f 100644
--- a/etc/profile-m-z/tor-browser-ru.profile
+++ b/etc/profile-m-z/tor-browser-ru.profile
@@ -6,10 +6,10 @@ include tor-browser-ru.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-ru
+nodeny  ${HOME}/.tor-browser-ru
 
 mkdir ${HOME}/.tor-browser-ru
-whitelist ${HOME}/.tor-browser-ru
+allow  ${HOME}/.tor-browser-ru
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-sv-se.profile b/etc/profile-m-z/tor-browser-sv-se.profile
index b7882bd04..1b319dc43 100644
--- a/etc/profile-m-z/tor-browser-sv-se.profile
+++ b/etc/profile-m-z/tor-browser-sv-se.profile
@@ -6,10 +6,10 @@ include tor-browser-sv-se.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-sv-se
+nodeny  ${HOME}/.tor-browser-sv-se
 
 mkdir ${HOME}/.tor-browser-sv-se
-whitelist ${HOME}/.tor-browser-sv-se
+allow  ${HOME}/.tor-browser-sv-se
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-tr.profile b/etc/profile-m-z/tor-browser-tr.profile
index c52e8c4c4..0775a0c08 100644
--- a/etc/profile-m-z/tor-browser-tr.profile
+++ b/etc/profile-m-z/tor-browser-tr.profile
@@ -6,10 +6,10 @@ include tor-browser-tr.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-tr
+nodeny  ${HOME}/.tor-browser-tr
 
 mkdir ${HOME}/.tor-browser-tr
-whitelist ${HOME}/.tor-browser-tr
+allow  ${HOME}/.tor-browser-tr
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-vi.profile b/etc/profile-m-z/tor-browser-vi.profile
index d5bf76655..c4d5a7a76 100644
--- a/etc/profile-m-z/tor-browser-vi.profile
+++ b/etc/profile-m-z/tor-browser-vi.profile
@@ -6,10 +6,10 @@ include tor-browser-vi.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-vi
+nodeny  ${HOME}/.tor-browser-vi
 
 mkdir ${HOME}/.tor-browser-vi
-whitelist ${HOME}/.tor-browser-vi
+allow  ${HOME}/.tor-browser-vi
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-zh-cn.profile b/etc/profile-m-z/tor-browser-zh-cn.profile
index 6c8925a4a..4cd287e5d 100644
--- a/etc/profile-m-z/tor-browser-zh-cn.profile
+++ b/etc/profile-m-z/tor-browser-zh-cn.profile
@@ -6,10 +6,10 @@ include tor-browser-zh-cn.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-zh-cn
+nodeny  ${HOME}/.tor-browser-zh-cn
 
 mkdir ${HOME}/.tor-browser-zh-cn
-whitelist ${HOME}/.tor-browser-zh-cn
+allow  ${HOME}/.tor-browser-zh-cn
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser-zh-tw.profile b/etc/profile-m-z/tor-browser-zh-tw.profile
index 141a6701e..c75baf522 100644
--- a/etc/profile-m-z/tor-browser-zh-tw.profile
+++ b/etc/profile-m-z/tor-browser-zh-tw.profile
@@ -6,10 +6,10 @@ include tor-browser-zh-tw.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser-zh-tw
+nodeny  ${HOME}/.tor-browser-zh-tw
 
 mkdir ${HOME}/.tor-browser-zh-tw
-whitelist ${HOME}/.tor-browser-zh-tw
+allow  ${HOME}/.tor-browser-zh-tw
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser.profile b/etc/profile-m-z/tor-browser.profile
index 76a0e1fa5..8a2dbda53 100644
--- a/etc/profile-m-z/tor-browser.profile
+++ b/etc/profile-m-z/tor-browser.profile
@@ -6,10 +6,10 @@ include tor-browser.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser
+nodeny  ${HOME}/.tor-browser
 
 mkdir ${HOME}/.tor-browser
-whitelist ${HOME}/.tor-browser
+allow  ${HOME}/.tor-browser
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ar.profile b/etc/profile-m-z/tor-browser_ar.profile
index d811b7549..90b5a0960 100644
--- a/etc/profile-m-z/tor-browser_ar.profile
+++ b/etc/profile-m-z/tor-browser_ar.profile
@@ -6,10 +6,10 @@ include tor-browser_ar.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ar
+nodeny  ${HOME}/.tor-browser_ar
 
 mkdir ${HOME}/.tor-browser_ar
-whitelist ${HOME}/.tor-browser_ar
+allow  ${HOME}/.tor-browser_ar
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ca.profile b/etc/profile-m-z/tor-browser_ca.profile
index 8bf1f7cd4..a04207ccd 100644
--- a/etc/profile-m-z/tor-browser_ca.profile
+++ b/etc/profile-m-z/tor-browser_ca.profile
@@ -6,10 +6,10 @@ include tor-browser_ca.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ca
+nodeny  ${HOME}/.tor-browser_ca
 
 mkdir ${HOME}/.tor-browser_ca
-whitelist ${HOME}/.tor-browser_ca
+allow  ${HOME}/.tor-browser_ca
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_cs.profile b/etc/profile-m-z/tor-browser_cs.profile
index b41107bf1..b99ad14a8 100644
--- a/etc/profile-m-z/tor-browser_cs.profile
+++ b/etc/profile-m-z/tor-browser_cs.profile
@@ -6,10 +6,10 @@ include tor-browser_cs.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_cs
+nodeny  ${HOME}/.tor-browser_cs
 
 mkdir ${HOME}/.tor-browser_cs
-whitelist ${HOME}/.tor-browser_cs
+allow  ${HOME}/.tor-browser_cs
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_da.profile b/etc/profile-m-z/tor-browser_da.profile
index cbec4ee2e..545e53b7e 100644
--- a/etc/profile-m-z/tor-browser_da.profile
+++ b/etc/profile-m-z/tor-browser_da.profile
@@ -6,10 +6,10 @@ include tor-browser_da.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_da
+nodeny  ${HOME}/.tor-browser_da
 
 mkdir ${HOME}/.tor-browser_da
-whitelist ${HOME}/.tor-browser_da
+allow  ${HOME}/.tor-browser_da
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_de.profile b/etc/profile-m-z/tor-browser_de.profile
index ea26765d3..545f82f72 100644
--- a/etc/profile-m-z/tor-browser_de.profile
+++ b/etc/profile-m-z/tor-browser_de.profile
@@ -6,10 +6,10 @@ include tor-browser_de.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_de
+nodeny  ${HOME}/.tor-browser_de
 
 mkdir ${HOME}/.tor-browser_de
-whitelist ${HOME}/.tor-browser_de
+allow  ${HOME}/.tor-browser_de
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_el.profile b/etc/profile-m-z/tor-browser_el.profile
index ff57a8722..3120b1701 100644
--- a/etc/profile-m-z/tor-browser_el.profile
+++ b/etc/profile-m-z/tor-browser_el.profile
@@ -6,10 +6,10 @@ include tor-browser_el.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_el
+nodeny  ${HOME}/.tor-browser_el
 
 mkdir ${HOME}/.tor-browser_el
-whitelist ${HOME}/.tor-browser_el
+allow  ${HOME}/.tor-browser_el
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_en-US.profile b/etc/profile-m-z/tor-browser_en-US.profile
index 18c92b638..6719ac057 100644
--- a/etc/profile-m-z/tor-browser_en-US.profile
+++ b/etc/profile-m-z/tor-browser_en-US.profile
@@ -6,10 +6,10 @@ include tor-browser_en-US.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_en-US
+nodeny  ${HOME}/.tor-browser_en-US
 
 mkdir ${HOME}/.tor-browser_en-US
-whitelist ${HOME}/.tor-browser_en-US
+allow  ${HOME}/.tor-browser_en-US
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_en.profile b/etc/profile-m-z/tor-browser_en.profile
index ebba83cc4..4cbd37109 100644
--- a/etc/profile-m-z/tor-browser_en.profile
+++ b/etc/profile-m-z/tor-browser_en.profile
@@ -6,10 +6,10 @@ include tor-browser_en.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_en
+nodeny  ${HOME}/.tor-browser_en
 
 mkdir ${HOME}/.tor-browser_en
-whitelist ${HOME}/.tor-browser_en
+allow  ${HOME}/.tor-browser_en
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_es-ES.profile b/etc/profile-m-z/tor-browser_es-ES.profile
index aecab38d5..6c8a5987c 100644
--- a/etc/profile-m-z/tor-browser_es-ES.profile
+++ b/etc/profile-m-z/tor-browser_es-ES.profile
@@ -6,10 +6,10 @@ include tor-browser_es-ES.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_es-ES
+nodeny  ${HOME}/.tor-browser_es-ES
 
 mkdir ${HOME}/.tor-browser_es-ES
-whitelist ${HOME}/.tor-browser_es-ES
+allow  ${HOME}/.tor-browser_es-ES
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_es.profile b/etc/profile-m-z/tor-browser_es.profile
index e19e9b5e6..7d358b7ca 100644
--- a/etc/profile-m-z/tor-browser_es.profile
+++ b/etc/profile-m-z/tor-browser_es.profile
@@ -6,10 +6,10 @@ include tor-browser_es.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_es
+nodeny  ${HOME}/.tor-browser_es
 
 mkdir ${HOME}/.tor-browser_es
-whitelist ${HOME}/.tor-browser_es
+allow  ${HOME}/.tor-browser_es
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_fa.profile b/etc/profile-m-z/tor-browser_fa.profile
index 68414c277..fc4285c5d 100644
--- a/etc/profile-m-z/tor-browser_fa.profile
+++ b/etc/profile-m-z/tor-browser_fa.profile
@@ -6,10 +6,10 @@ include tor-browser_fa.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_fa
+nodeny  ${HOME}/.tor-browser_fa
 
 mkdir ${HOME}/.tor-browser_fa
-whitelist ${HOME}/.tor-browser_fa
+allow  ${HOME}/.tor-browser_fa
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_fr.profile b/etc/profile-m-z/tor-browser_fr.profile
index 0a8bb30b7..2d0c0ff1f 100644
--- a/etc/profile-m-z/tor-browser_fr.profile
+++ b/etc/profile-m-z/tor-browser_fr.profile
@@ -6,10 +6,10 @@ include tor-browser_fr.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_fr
+nodeny  ${HOME}/.tor-browser_fr
 
 mkdir ${HOME}/.tor-browser_fr
-whitelist ${HOME}/.tor-browser_fr
+allow  ${HOME}/.tor-browser_fr
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ga-IE.profile b/etc/profile-m-z/tor-browser_ga-IE.profile
index 12354b900..2880e1e2a 100644
--- a/etc/profile-m-z/tor-browser_ga-IE.profile
+++ b/etc/profile-m-z/tor-browser_ga-IE.profile
@@ -6,10 +6,10 @@ include tor-browser_ga-IE.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ga-IE
+nodeny  ${HOME}/.tor-browser_ga-IE
 
 mkdir ${HOME}/.tor-browser_ga-IE
-whitelist ${HOME}/.tor-browser_ga-IE
+allow  ${HOME}/.tor-browser_ga-IE
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_he.profile b/etc/profile-m-z/tor-browser_he.profile
index 19cbb0809..ac6993019 100644
--- a/etc/profile-m-z/tor-browser_he.profile
+++ b/etc/profile-m-z/tor-browser_he.profile
@@ -6,10 +6,10 @@ include tor-browser_he.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_he
+nodeny  ${HOME}/.tor-browser_he
 
 mkdir ${HOME}/.tor-browser_he
-whitelist ${HOME}/.tor-browser_he
+allow  ${HOME}/.tor-browser_he
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_hu.profile b/etc/profile-m-z/tor-browser_hu.profile
index 62b55e170..6877a6be4 100644
--- a/etc/profile-m-z/tor-browser_hu.profile
+++ b/etc/profile-m-z/tor-browser_hu.profile
@@ -6,10 +6,10 @@ include tor-browser_hu.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_hu
+nodeny  ${HOME}/.tor-browser_hu
 
 mkdir ${HOME}/.tor-browser_hu
-whitelist ${HOME}/.tor-browser_hu
+allow  ${HOME}/.tor-browser_hu
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_id.profile b/etc/profile-m-z/tor-browser_id.profile
index 2970a7747..5f5601f74 100644
--- a/etc/profile-m-z/tor-browser_id.profile
+++ b/etc/profile-m-z/tor-browser_id.profile
@@ -6,10 +6,10 @@ include tor-browser_id.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_id
+nodeny  ${HOME}/.tor-browser_id
 
 mkdir ${HOME}/.tor-browser_id
-whitelist ${HOME}/.tor-browser_id
+allow  ${HOME}/.tor-browser_id
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_is.profile b/etc/profile-m-z/tor-browser_is.profile
index f922c7644..f0814d16e 100644
--- a/etc/profile-m-z/tor-browser_is.profile
+++ b/etc/profile-m-z/tor-browser_is.profile
@@ -6,10 +6,10 @@ include tor-browser_is.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_is
+nodeny  ${HOME}/.tor-browser_is
 
 mkdir ${HOME}/.tor-browser_is
-whitelist ${HOME}/.tor-browser_is
+allow  ${HOME}/.tor-browser_is
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_it.profile b/etc/profile-m-z/tor-browser_it.profile
index 406901759..fa01f6bca 100644
--- a/etc/profile-m-z/tor-browser_it.profile
+++ b/etc/profile-m-z/tor-browser_it.profile
@@ -6,10 +6,10 @@ include tor-browser_it.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_it
+nodeny  ${HOME}/.tor-browser_it
 
 mkdir ${HOME}/.tor-browser_it
-whitelist ${HOME}/.tor-browser_it
+allow  ${HOME}/.tor-browser_it
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ja.profile b/etc/profile-m-z/tor-browser_ja.profile
index 8f9d8d751..dde107dd3 100644
--- a/etc/profile-m-z/tor-browser_ja.profile
+++ b/etc/profile-m-z/tor-browser_ja.profile
@@ -6,10 +6,10 @@ include tor-browser_ja.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ja
+nodeny  ${HOME}/.tor-browser_ja
 
 mkdir ${HOME}/.tor-browser_ja
-whitelist ${HOME}/.tor-browser_ja
+allow  ${HOME}/.tor-browser_ja
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ka.profile b/etc/profile-m-z/tor-browser_ka.profile
index 4de4135e1..7de4dff65 100644
--- a/etc/profile-m-z/tor-browser_ka.profile
+++ b/etc/profile-m-z/tor-browser_ka.profile
@@ -6,10 +6,10 @@ include tor-browser_ka.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ka
+nodeny  ${HOME}/.tor-browser_ka
 
 mkdir ${HOME}/.tor-browser_ka
-whitelist ${HOME}/.tor-browser_ka
+allow  ${HOME}/.tor-browser_ka
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ko.profile b/etc/profile-m-z/tor-browser_ko.profile
index 125c733ce..7e3ceb4d9 100644
--- a/etc/profile-m-z/tor-browser_ko.profile
+++ b/etc/profile-m-z/tor-browser_ko.profile
@@ -6,10 +6,10 @@ include tor-browser_ko.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ko
+nodeny  ${HOME}/.tor-browser_ko
 
 mkdir ${HOME}/.tor-browser_ko
-whitelist ${HOME}/.tor-browser_ko
+allow  ${HOME}/.tor-browser_ko
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_nb.profile b/etc/profile-m-z/tor-browser_nb.profile
index dc6ac876b..c11001960 100644
--- a/etc/profile-m-z/tor-browser_nb.profile
+++ b/etc/profile-m-z/tor-browser_nb.profile
@@ -6,10 +6,10 @@ include tor-browser_nb.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_nb
+nodeny  ${HOME}/.tor-browser_nb
 
 mkdir ${HOME}/.tor-browser_nb
-whitelist ${HOME}/.tor-browser_nb
+allow  ${HOME}/.tor-browser_nb
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_nl.profile b/etc/profile-m-z/tor-browser_nl.profile
index 2a3a5b519..2d1044f9d 100644
--- a/etc/profile-m-z/tor-browser_nl.profile
+++ b/etc/profile-m-z/tor-browser_nl.profile
@@ -6,10 +6,10 @@ include tor-browser_nl.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_nl
+nodeny  ${HOME}/.tor-browser_nl
 
 mkdir ${HOME}/.tor-browser_nl
-whitelist ${HOME}/.tor-browser_nl
+allow  ${HOME}/.tor-browser_nl
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_pl.profile b/etc/profile-m-z/tor-browser_pl.profile
index b7dec32db..2818320a0 100644
--- a/etc/profile-m-z/tor-browser_pl.profile
+++ b/etc/profile-m-z/tor-browser_pl.profile
@@ -6,10 +6,10 @@ include tor-browser_pl.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_pl
+nodeny  ${HOME}/.tor-browser_pl
 
 mkdir ${HOME}/.tor-browser_pl
-whitelist ${HOME}/.tor-browser_pl
+allow  ${HOME}/.tor-browser_pl
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_pt-BR.profile b/etc/profile-m-z/tor-browser_pt-BR.profile
index 7a7d4726c..8c33e2545 100644
--- a/etc/profile-m-z/tor-browser_pt-BR.profile
+++ b/etc/profile-m-z/tor-browser_pt-BR.profile
@@ -6,10 +6,10 @@ include tor-browser_pt-BR.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_pt-BR
+nodeny  ${HOME}/.tor-browser_pt-BR
 
 mkdir ${HOME}/.tor-browser_pt-BR
-whitelist ${HOME}/.tor-browser_pt-BR
+allow  ${HOME}/.tor-browser_pt-BR
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_ru.profile b/etc/profile-m-z/tor-browser_ru.profile
index 7d2e6bc97..2553bb031 100644
--- a/etc/profile-m-z/tor-browser_ru.profile
+++ b/etc/profile-m-z/tor-browser_ru.profile
@@ -6,10 +6,10 @@ include tor-browser_ru.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_ru
+nodeny  ${HOME}/.tor-browser_ru
 
 mkdir ${HOME}/.tor-browser_ru
-whitelist ${HOME}/.tor-browser_ru
+allow  ${HOME}/.tor-browser_ru
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_sv-SE.profile b/etc/profile-m-z/tor-browser_sv-SE.profile
index 585925e81..3152cb658 100644
--- a/etc/profile-m-z/tor-browser_sv-SE.profile
+++ b/etc/profile-m-z/tor-browser_sv-SE.profile
@@ -6,10 +6,10 @@ include tor-browser_sv-SE.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_sv-SE
+nodeny  ${HOME}/.tor-browser_sv-SE
 
 mkdir ${HOME}/.tor-browser_sv-SE
-whitelist ${HOME}/.tor-browser_sv-SE
+allow  ${HOME}/.tor-browser_sv-SE
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_tr.profile b/etc/profile-m-z/tor-browser_tr.profile
index 4b0cc3821..9808d4725 100644
--- a/etc/profile-m-z/tor-browser_tr.profile
+++ b/etc/profile-m-z/tor-browser_tr.profile
@@ -6,10 +6,10 @@ include tor-browser_tr.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_tr
+nodeny  ${HOME}/.tor-browser_tr
 
 mkdir ${HOME}/.tor-browser_tr
-whitelist ${HOME}/.tor-browser_tr
+allow  ${HOME}/.tor-browser_tr
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_vi.profile b/etc/profile-m-z/tor-browser_vi.profile
index 4dcfbf56d..364fca40b 100644
--- a/etc/profile-m-z/tor-browser_vi.profile
+++ b/etc/profile-m-z/tor-browser_vi.profile
@@ -6,10 +6,10 @@ include tor-browser_vi.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_vi
+nodeny  ${HOME}/.tor-browser_vi
 
 mkdir ${HOME}/.tor-browser_vi
-whitelist ${HOME}/.tor-browser_vi
+allow  ${HOME}/.tor-browser_vi
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_zh-CN.profile b/etc/profile-m-z/tor-browser_zh-CN.profile
index 1e03b8d6b..193e8a399 100644
--- a/etc/profile-m-z/tor-browser_zh-CN.profile
+++ b/etc/profile-m-z/tor-browser_zh-CN.profile
@@ -6,10 +6,10 @@ include tor-browser_zh-CN.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_zh-CN
+nodeny  ${HOME}/.tor-browser_zh-CN
 
 mkdir ${HOME}/.tor-browser_zh-CN
-whitelist ${HOME}/.tor-browser_zh-CN
+allow  ${HOME}/.tor-browser_zh-CN
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/tor-browser_zh-TW.profile b/etc/profile-m-z/tor-browser_zh-TW.profile
index a2dcf5cf1..047be9b8e 100644
--- a/etc/profile-m-z/tor-browser_zh-TW.profile
+++ b/etc/profile-m-z/tor-browser_zh-TW.profile
@@ -6,10 +6,10 @@ include tor-browser_zh-TW.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.tor-browser_zh-TW
+nodeny  ${HOME}/.tor-browser_zh-TW
 
 mkdir ${HOME}/.tor-browser_zh-TW
-whitelist ${HOME}/.tor-browser_zh-TW
+allow  ${HOME}/.tor-browser_zh-TW
 
 # Redirect
 include torbrowser-launcher.profile
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 7659ed1e9..65a37db5f 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -8,15 +8,15 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.config/torbrowser
-noblacklist ${HOME}/.local/share/torbrowser
+nodeny  ${HOME}/.config/torbrowser
+nodeny  ${HOME}/.local/share/torbrowser
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
-blacklist /opt
-blacklist /srv
+deny  /opt
+deny  /srv
 
 include disable-common.inc
 include disable-devel.inc
@@ -28,10 +28,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/torbrowser
 mkdir ${HOME}/.local/share/torbrowser
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/torbrowser
-whitelist ${HOME}/.local/share/torbrowser
-whitelist /usr/share/torbrowser-launcher
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/torbrowser
+allow  ${HOME}/.local/share/torbrowser
+allow  /usr/share/torbrowser-launcher
 include whitelist-common.inc
 include whitelist-var-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index 0f98a8f64..c5d89c3e3 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -6,7 +6,7 @@ include torcs.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.torcs
+nodeny  ${HOME}/.torcs
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,9 +17,9 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.torcs
-whitelist ${HOME}/.torcs
-whitelist /usr/share/games/torcs
-whitelist /var/games/torcs
+allow  ${HOME}/.torcs
+allow  /usr/share/games/torcs
+allow  /var/games/torcs
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 70d9e0aee..77d3c55f8 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -13,8 +13,8 @@ include allow-lua.inc
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
-noblacklist ${HOME}/.config/totem
-noblacklist ${HOME}/.local/share/totem
+nodeny  ${HOME}/.config/totem
+nodeny  ${HOME}/.local/share/totem
 
 include disable-common.inc
 include disable-devel.inc
@@ -27,9 +27,9 @@ include disable-shell.inc
 read-only ${DESKTOP}
 mkdir ${HOME}/.config/totem
 mkdir ${HOME}/.local/share/totem
-whitelist ${HOME}/.config/totem
-whitelist ${HOME}/.local/share/totem
-whitelist /usr/share/totem
+allow  ${HOME}/.config/totem
+allow  ${HOME}/.local/share/totem
+allow  /usr/share/totem
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index 87c5de076..26f4abd0b 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -8,8 +8,8 @@ include globals.local
 
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index ea118a9f0..d5920e2a2 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -6,7 +6,7 @@ include transgui.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/transgui
+nodeny  ${HOME}/.config/transgui
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/transgui
-whitelist ${HOME}/.config/transgui
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/transgui
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 82671b709..5c2cf9d9a 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -7,8 +7,8 @@ include transmission-common.local
 # added by caller profile
 #include globals.local
 
-noblacklist ${HOME}/.cache/transmission
-noblacklist ${HOME}/.config/transmission
+nodeny  ${HOME}/.cache/transmission
+nodeny  ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.cache/transmission
-whitelist ${HOME}/.config/transmission
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/transmission
+allow  ${HOME}/.config/transmission
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 348d3cb80..9f0c464fc 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -10,8 +10,8 @@ include globals.local
 ignore caps.drop all
 
 mkdir ${HOME}/.config/transmission-daemon
-whitelist ${HOME}/.config/transmission-daemon
-whitelist /var/lib/transmission
+allow  ${HOME}/.config/transmission-daemon
+allow  /var/lib/transmission
 
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 protocol packet
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index a6400e2c0..7c8eddcbc 100644
--- a/etc/profile-m-z/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -7,10 +7,10 @@ include transmission-remote-gtk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/transmission-remote-gtk
+nodeny  ${HOME}/.config/transmission-remote-gtk
 
 mkdir ${HOME}/.config/transmission-remote-gtk
-whitelist ${HOME}/.config/transmission-remote-gtk
+allow  ${HOME}/.config/transmission-remote-gtk
 
 private-etc fonts,hostname,hosts,resolv.conf
 # Problems with private-lib (see issue #2889)
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index aba563fac..c2797ddaa 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -6,7 +6,7 @@ include tremulous.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.tremulous
+nodeny  ${HOME}/.tremulous
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.tremulous
-whitelist ${HOME}/.tremulous
-whitelist /usr/share/tremulous
+allow  ${HOME}/.tremulous
+allow  /usr/share/tremulous
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 2d95081f6..95f39b35d 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -6,10 +6,10 @@ include trojita.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.abook
-noblacklist ${HOME}/.mozilla
-noblacklist ${HOME}/.cache/flaska.net/trojita
-noblacklist ${HOME}/.config/flaska.net
+nodeny  ${HOME}/.abook
+nodeny  ${HOME}/.mozilla
+nodeny  ${HOME}/.cache/flaska.net/trojita
+nodeny  ${HOME}/.config/flaska.net
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.abook
 mkdir ${HOME}/.cache/flaska.net/trojita
 mkdir ${HOME}/.config/flaska.net
-whitelist ${HOME}/.abook
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-whitelist ${HOME}/.cache/flaska.net/trojita
-whitelist ${HOME}/.config/flaska.net
+allow  ${HOME}/.abook
+allow  ${HOME}/.mozilla/firefox/profiles.ini
+allow  ${HOME}/.cache/flaska.net/trojita
+allow  ${HOME}/.config/flaska.net
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile
index 749626475..76f289a27 100644
--- a/etc/profile-m-z/truecraft.profile
+++ b/etc/profile-m-z/truecraft.profile
@@ -5,8 +5,8 @@ include truecraft.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/mono
-noblacklist ${HOME}/.config/truecraft
+nodeny  ${HOME}/.config/mono
+nodeny  ${HOME}/.config/truecraft
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.config/mono
 mkdir ${HOME}/.config/truecraft
-whitelist ${HOME}/.config/mono
-whitelist ${HOME}/.config/truecraft
+allow  ${HOME}/.config/mono
+allow  ${HOME}/.config/truecraft
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/ts3client_runscript.sh.profile b/etc/profile-m-z/ts3client_runscript.sh.profile
index 8d4675454..cd6ae96df 100644
--- a/etc/profile-m-z/ts3client_runscript.sh.profile
+++ b/etc/profile-m-z/ts3client_runscript.sh.profile
@@ -9,11 +9,11 @@ include ts3client_runscript.sh.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/TeamSpeak3-Client-linux_x86
-noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+nodeny  ${HOME}/TeamSpeak3-Client-linux_x86
+nodeny  ${HOME}/TeamSpeak3-Client-linux_amd64
 
-whitelist ${HOME}/TeamSpeak3-Client-linux_x86
-whitelist ${HOME}/TeamSpeak3-Client-linux_amd64
+allow  ${HOME}/TeamSpeak3-Client-linux_x86
+allow  ${HOME}/TeamSpeak3-Client-linux_amd64
 
 # Redirect
 include teamspeak3.profile
diff --git a/etc/profile-m-z/tutanota-desktop.profile b/etc/profile-m-z/tutanota-desktop.profile
index d2cb0cc8a..e59a86ce6 100644
--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -6,8 +6,8 @@ include tutanota-desktop.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/tuta_integration
-noblacklist ${HOME}/.config/tutanota-desktop
+nodeny  ${HOME}/.config/tuta_integration
+nodeny  ${HOME}/.config/tutanota-desktop
 
 ignore noexec /tmp
 
@@ -15,12 +15,12 @@ include disable-shell.inc
 
 mkdir ${HOME}/.config/tuta_integration
 mkdir ${HOME}/.config/tutanota-desktop
-whitelist ${HOME}/.config/tuta_integration
-whitelist ${HOME}/.config/tutanota-desktop
+allow  ${HOME}/.config/tuta_integration
+allow  ${HOME}/.config/tutanota-desktop
 
 # These lines are needed to allow Firefox to open links
-noblacklist ${HOME}/.mozilla
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
+nodeny  ${HOME}/.mozilla
+allow  ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 ?HAS_APPIMAGE: ignore private-dev
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index d0bcbe79f..5bb97e161 100644
--- a/etc/profile-m-z/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -6,9 +6,12 @@ include tuxguitar.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.tuxguitar*
-noblacklist ${DOCUMENTS}
-noblacklist ${MUSIC}
+# tuxguitar fails to launch
+ignore noexec ${HOME}
+
+nodeny  ${HOME}/.tuxguitar*
+nodeny  ${DOCUMENTS}
+nodeny  ${MUSIC}
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -41,6 +44,3 @@ tracelog
 
 private-dev
 private-tmp
-
-# noexec ${HOME} - tuxguitar may fail to launch
-noexec /tmp
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index dae7d86da..8febcd337 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -6,8 +6,8 @@ include tvbrowser.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/tvbrowser
-noblacklist ${HOME}/.tvbrowser
+nodeny  ${HOME}/.config/tvbrowser
+nodeny  ${HOME}/.tvbrowser
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/tvbrowser
 mkdir ${HOME}/.tvbrowser
-whitelist ${HOME}/.config/tvbrowser
-whitelist ${HOME}/.tvbrowser
-whitelist /usr/share/tvbrowser
+allow  ${HOME}/.config/tvbrowser
+allow  ${HOME}/.tvbrowser
+allow  /usr/share/tvbrowser
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index 2f573c872..abcc885e6 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -10,12 +10,12 @@ include globals.local
 ignore nou2f
 ignore novideo
 
-noblacklist ${HOME}/.config/Twitch
+nodeny  ${HOME}/.config/Twitch
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Twitch
-whitelist ${HOME}/.config/Twitch
+allow  ${HOME}/.config/Twitch
 
 private-bin twitch
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile
index 3e4fdbb03..8c705c95f 100644
--- a/etc/profile-m-z/uefitool.profile
+++ b/etc/profile-m-z/uefitool.profile
@@ -5,7 +5,7 @@ include uefitool.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile
index 4420099ff..eed2db541 100644
--- a/etc/profile-m-z/uget-gtk.profile
+++ b/etc/profile-m-z/uget-gtk.profile
@@ -5,7 +5,7 @@ include uget-gtk.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/uGet
+nodeny  ${HOME}/.config/uGet
 
 include disable-common.inc
 include disable-devel.inc
@@ -14,8 +14,8 @@ include disable-programs.inc
 include disable-shell.inc
 
 mkdir ${HOME}/.config/uGet
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/uGet
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/uGet
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
index 0c077babf..7e7b3fbec 100644
--- a/etc/profile-m-z/unbound.profile
+++ b/etc/profile-m-z/unbound.profile
@@ -6,11 +6,11 @@ include unbound.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,8 +22,8 @@ include disable-xdg.inc
 
 include whitelist-usr-share-common.inc
 
-whitelist /var/lib/unbound
-whitelist /var/run
+allow  /var/lib/unbound
+allow  /var/run
 
 caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
 ipc-namespace
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 6db7ba362..846271971 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -7,7 +7,7 @@ include unf.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 956492f52..3e1c6264d 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -6,7 +6,7 @@ include unknown-horizons.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.unknown-horizons
+nodeny  ${HOME}/.unknown-horizons
 
 include disable-common.inc
 include disable-exec.inc
@@ -14,10 +14,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.unknown-horizons
-whitelist ${HOME}/.unknown-horizons
+allow  ${HOME}/.unknown-horizons
 include whitelist-common.inc
 include whitelist-runuser-common.inc
-whitelist /usr/share/unknown-horizons
+allow  /usr/share/unknown-horizons
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 0231e3dba..99d2415ca 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -8,7 +8,7 @@ include unzip.local
 include globals.local
 
 # GNOME Shell integration (chrome-gnome-shell)
-noblacklist ${HOME}/.local/share/gnome-shell
+nodeny  ${HOME}/.local/share/gnome-shell
 
 private-etc alternatives,group,localtime,passwd
 
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index dd881f091..3b0f7c646 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -6,8 +6,8 @@ include utox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/Tox
-noblacklist ${HOME}/.config/tox
+nodeny  ${HOME}/.cache/Tox
+nodeny  ${HOME}/.config/tox
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/tox
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/tox
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/tox
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index 2adc044e5..3bda71666 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -7,7 +7,7 @@ include uudeview.local
 # Persistent global definitions
 include globals.local
 
-blacklist ${RUNUSER}/wayland-*
+deny  ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
index 41487a8f2..6899f4bf7 100644
--- a/etc/profile-m-z/uzbl-browser.profile
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -5,9 +5,9 @@ include uzbl-browser.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/uzbl
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.local/share/uzbl
+nodeny  ${HOME}/.config/uzbl
+nodeny  ${HOME}/.gnupg
+nodeny  ${HOME}/.local/share/uzbl
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,11 +22,11 @@ mkdir ${HOME}/.config/uzbl
 mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.local/share/uzbl
 mkdir ${HOME}/.password-store
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/uzbl
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.local/share/uzbl
-whitelist ${HOME}/.password-store
+allow  ${DOWNLOADS}
+allow  ${HOME}/.config/uzbl
+allow  ${HOME}/.gnupg
+allow  ${HOME}/.local/share/uzbl
+allow  ${HOME}/.password-store
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index a9ba344dd..e0bf02706 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -6,11 +6,11 @@ include viewnior.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.config/viewnior
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.config/viewnior
+nodeny  ${HOME}/.steam
 
-blacklist ${HOME}/.bashrc
+deny  ${HOME}/.bashrc
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/viking.profile b/etc/profile-m-z/viking.profile
index 8f8ef5939..b16f691d6 100644
--- a/etc/profile-m-z/viking.profile
+++ b/etc/profile-m-z/viking.profile
@@ -6,9 +6,9 @@ include viking.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.viking
-noblacklist ${HOME}/.viking-maps
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.viking
+nodeny  ${HOME}/.viking-maps
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile
index c3cfe5980..b535225dd 100644
--- a/etc/profile-m-z/vim.profile
+++ b/etc/profile-m-z/vim.profile
@@ -6,9 +6,9 @@ include vim.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.vim
-noblacklist ${HOME}/.viminfo
-noblacklist ${HOME}/.vimrc
+nodeny  ${HOME}/.vim
+nodeny  ${HOME}/.viminfo
+nodeny  ${HOME}/.vimrc
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index c22fb0ff9..f28828338 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -6,12 +6,12 @@ include virtualbox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.VirtualBox
-noblacklist ${HOME}/.config/VirtualBox
-noblacklist ${HOME}/VirtualBox VMs
+nodeny  ${HOME}/.VirtualBox
+nodeny  ${HOME}/.config/VirtualBox
+nodeny  ${HOME}/VirtualBox VMs
 # noblacklist /usr/bin/virtualbox
-noblacklist /usr/lib/virtualbox
-noblacklist /usr/lib64/virtualbox
+nodeny  /usr/lib/virtualbox
+nodeny  /usr/lib64/virtualbox
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,10 +23,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/VirtualBox
 mkdir ${HOME}/VirtualBox VMs
-whitelist ${HOME}/.config/VirtualBox
-whitelist ${HOME}/VirtualBox VMs
-whitelist ${DOWNLOADS}
-whitelist /usr/share/virtualbox
+allow  ${HOME}/.config/VirtualBox
+allow  ${HOME}/VirtualBox VMs
+allow  ${DOWNLOADS}
+allow  /usr/share/virtualbox
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index fdeb0307f..3858405db 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -8,26 +8,26 @@ include globals.local
 # Allow HTML5 Proprietary Media & DRM/EME (Widevine)
 ignore apparmor
 ignore noexec /var
-noblacklist /var/opt
-whitelist /var/opt/vivaldi
+nodeny  /var/opt
+allow  /var/opt/vivaldi
 writable-var
 
-noblacklist ${HOME}/.cache/vivaldi
-noblacklist ${HOME}/.cache/vivaldi-snapshot
-noblacklist ${HOME}/.config/vivaldi
-noblacklist ${HOME}/.config/vivaldi-snapshot
-noblacklist ${HOME}/.local/lib/vivaldi
+nodeny  ${HOME}/.cache/vivaldi
+nodeny  ${HOME}/.cache/vivaldi-snapshot
+nodeny  ${HOME}/.config/vivaldi
+nodeny  ${HOME}/.config/vivaldi-snapshot
+nodeny  ${HOME}/.local/lib/vivaldi
 
 mkdir ${HOME}/.cache/vivaldi
 mkdir ${HOME}/.cache/vivaldi-snapshot
 mkdir ${HOME}/.config/vivaldi
 mkdir ${HOME}/.config/vivaldi-snapshot
 mkdir ${HOME}/.local/lib/vivaldi
-whitelist ${HOME}/.cache/vivaldi
-whitelist ${HOME}/.cache/vivaldi-snapshot
-whitelist ${HOME}/.config/vivaldi
-whitelist ${HOME}/.config/vivaldi-snapshot
-whitelist ${HOME}/.local/lib/vivaldi
+allow  ${HOME}/.cache/vivaldi
+allow  ${HOME}/.cache/vivaldi-snapshot
+allow  ${HOME}/.config/vivaldi
+allow  ${HOME}/.config/vivaldi-snapshot
+allow  ${HOME}/.local/lib/vivaldi
 
 #private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
 
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index cd7dccd8a..ede2d4525 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -6,10 +6,10 @@ include vlc.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/vlc
-noblacklist ${HOME}/.config/vlc
-noblacklist ${HOME}/.config/aacs
-noblacklist ${HOME}/.local/share/vlc
+nodeny  ${HOME}/.cache/vlc
+nodeny  ${HOME}/.config/vlc
+nodeny  ${HOME}/.config/aacs
+nodeny  ${HOME}/.local/share/vlc
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ read-only ${DESKTOP}
 mkdir ${HOME}/.cache/vlc
 mkdir ${HOME}/.config/vlc
 mkdir ${HOME}/.local/share/vlc
-whitelist ${HOME}/.cache/vlc
-whitelist ${HOME}/.config/vlc
-whitelist ${HOME}/.config/aacs
-whitelist ${HOME}/.local/share/vlc
+allow  ${HOME}/.cache/vlc
+allow  ${HOME}/.config/vlc
+allow  ${HOME}/.config/aacs
+allow  ${HOME}/.local/share/vlc
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
index f07c31b68..f23e90e84 100644
--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -6,10 +6,10 @@ include vmware-view.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.vmware
+nodeny  ${HOME}/.vmware
 
-noblacklist /sbin
-noblacklist /usr/sbin
+nodeny  /sbin
+nodeny  /usr/sbin
 
 include allow-bin-sh.inc
 
@@ -23,7 +23,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.vmware
-whitelist ${HOME}/.vmware
+allow  ${HOME}/.vmware
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 5241e27b3..3a535588f 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -6,8 +6,8 @@ include vmware.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/vmware
-noblacklist ${HOME}/.vmware
+nodeny  ${HOME}/.cache/vmware
+nodeny  ${HOME}/.vmware
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +19,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/vmware
 mkdir ${HOME}/.vmware
-whitelist ${HOME}/.cache/vmware
-whitelist ${HOME}/.vmware
+allow  ${HOME}/.cache/vmware
+allow  ${HOME}/.vmware
 # Add the next lines to your vmware.local if you need to use "shared VM".
 #whitelist /var/lib/vmware
 #writable-var
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index a4a4fb7d8..7996113f5 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -6,7 +6,7 @@ include vscodium.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.VSCodium
+nodeny  ${HOME}/.VSCodium
 
 # Redirect
 include code.profile
diff --git a/etc/profile-m-z/vulturesclaw.profile b/etc/profile-m-z/vulturesclaw.profile
index fa6ddf1fb..a6c38c1f1 100644
--- a/etc/profile-m-z/vulturesclaw.profile
+++ b/etc/profile-m-z/vulturesclaw.profile
@@ -6,8 +6,8 @@ include vulturesclaw.local
 # added by included profile
 #include globals.local
 
-noblacklist /var/games/vulturesclaw
-whitelist /var/games/vulturesclaw
+nodeny  /var/games/vulturesclaw
+allow  /var/games/vulturesclaw
 
 # Redirect
 include nethack-vultures.profile
diff --git a/etc/profile-m-z/vultureseye.profile b/etc/profile-m-z/vultureseye.profile
index 49d3fa94f..763c50bf6 100644
--- a/etc/profile-m-z/vultureseye.profile
+++ b/etc/profile-m-z/vultureseye.profile
@@ -6,8 +6,8 @@ include vultureseye.local
 # added by included profile
 #include globals.local
 
-noblacklist /var/games/vultureseye
-whitelist /var/games/vultureseye
+nodeny  /var/games/vultureseye
+allow  /var/games/vultureseye
 
 # Redirect
 include nethack-vultures.profile
diff --git a/etc/profile-m-z/vym.profile b/etc/profile-m-z/vym.profile
index 5421c4e4b..1f2462c32 100644
--- a/etc/profile-m-z/vym.profile
+++ b/etc/profile-m-z/vym.profile
@@ -6,7 +6,7 @@ include vym.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/InSilmaril
+nodeny  ${HOME}/.config/InSilmaril
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 131213ed2..6b38bbf13 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -12,23 +12,37 @@ include globals.local
 #ignore private-dev
 #ignore private-etc
 
-noblacklist ${HOME}/.w3m
+nodeny  ${HOME}/.w3m
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}/wayland-*
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.w3m
+allow  /usr/share/w3m
+allow  ${DOWNLOADS}
+allow  ${HOME}/.w3m
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
@@ -45,8 +59,14 @@ seccomp
 shell none
 tracelog
 
-# private-bin w3m
+disable-mnt
+private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index 1227a202c..6658ac5db 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -6,9 +6,9 @@ include warmux.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/wormux
-noblacklist ${HOME}/.local/share/wormux
-noblacklist ${HOME}/.wormux
+nodeny  ${HOME}/.config/wormux
+nodeny  ${HOME}/.local/share/wormux
+nodeny  ${HOME}/.wormux
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,10 +22,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/wormux
 mkdir ${HOME}/.local/share/wormux
 mkdir ${HOME}/.wormux
-whitelist ${HOME}/.config/wormux
-whitelist ${HOME}/.local/share/wormux
-whitelist ${HOME}/.wormux
-whitelist /usr/share/warmux
+allow  ${HOME}/.config/wormux
+allow  ${HOME}/.local/share/wormux
+allow  ${HOME}/.wormux
+allow  /usr/share/warmux
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index e0cd3daad..fac4d0555 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -8,8 +8,8 @@ include globals.local
 
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/warsow-2.1
-noblacklist ${HOME}/.local/share/warsow-2.1
+nodeny  ${HOME}/.cache/warsow-2.1
+nodeny  ${HOME}/.local/share/warsow-2.1
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,9 +22,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.cache/warsow-2.1
 mkdir ${HOME}/.local/share/warsow-2.1
-whitelist ${HOME}/.cache/warsow-2.1
-whitelist ${HOME}/.local/share/warsow-2.1
-whitelist /usr/share/warsow
+allow  ${HOME}/.cache/warsow-2.1
+allow  ${HOME}/.local/share/warsow-2.1
+allow  /usr/share/warsow
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 420e8927e..081ae349b 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -6,7 +6,7 @@ include warzone2100.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.warzone2100-3.*
+nodeny  ${HOME}/.warzone2100-3.*
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,9 +18,9 @@ include disable-shell.inc
 
 mkdir ${HOME}/.warzone2100-3.1
 mkdir ${HOME}/.warzone2100-3.2
-whitelist ${HOME}/.warzone2100-3.1
-whitelist ${HOME}/.warzone2100-3.2
-whitelist /usr/share/games
+allow  ${HOME}/.warzone2100-3.1
+allow  ${HOME}/.warzone2100-3.2
+allow  /usr/share/games
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
index 18f1ca79a..4081b29b9 100644
--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -5,13 +5,13 @@ include waterfox.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/waterfox
-noblacklist ${HOME}/.waterfox
+nodeny  ${HOME}/.cache/waterfox
+nodeny  ${HOME}/.waterfox
 
 mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
-whitelist ${HOME}/.cache/waterfox
-whitelist ${HOME}/.waterfox
+allow  ${HOME}/.cache/waterfox
+allow  ${HOME}/.waterfox
 
 # Add the next lines to your watefox.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index 69e96d0cd..1f42dae2c 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -5,12 +5,12 @@ include webstorm.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.WebStorm*
-noblacklist ${HOME}/.android
-noblacklist ${HOME}/.local/share/JetBrains
-noblacklist ${HOME}/.tooling
+nodeny  ${HOME}/.WebStorm*
+nodeny  ${HOME}/.android
+nodeny  ${HOME}/.local/share/JetBrains
+nodeny  ${HOME}/.tooling
 # Allow KDE file manager to open with log directories (blacklisted by disable-programs.inc)
-noblacklist ${HOME}/.config/dolphinrc
+nodeny  ${HOME}/.config/dolphinrc
 
 # Allows files commonly used by IDEs
 include allow-common-devel.inc
@@ -18,8 +18,8 @@ include allow-common-devel.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-noblacklist ${PATH}/node
-noblacklist ${HOME}/.nvm
+nodeny  ${PATH}/node
+nodeny  ${HOME}/.nvm
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index d5a998f35..d1bbcfb67 100644
--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -6,7 +6,7 @@ include webui-aria2.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PATH}/node
+nodeny  ${PATH}/node
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile
index 3a93d2ec7..99941a590 100644
--- a/etc/profile-m-z/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -6,11 +6,12 @@ include weechat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.weechat
+nodeny  ${HOME}/.weechat
 
 include disable-common.inc
 include disable-programs.inc
 
+allow  /usr/share/weechat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index 199b3c6f0..47b923e6a 100644
--- a/etc/profile-m-z/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
@@ -6,9 +6,9 @@ include wesnoth.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/wesnoth
-noblacklist ${HOME}/.config/wesnoth
-noblacklist ${HOME}/.local/share/wesnoth
+nodeny  ${HOME}/.cache/wesnoth
+nodeny  ${HOME}/.config/wesnoth
+nodeny  ${HOME}/.local/share/wesnoth
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,9 +19,9 @@ include disable-programs.inc
 mkdir ${HOME}/.cache/wesnoth
 mkdir ${HOME}/.config/wesnoth
 mkdir ${HOME}/.local/share/wesnoth
-whitelist ${HOME}/.cache/wesnoth
-whitelist ${HOME}/.config/wesnoth
-whitelist ${HOME}/.local/share/wesnoth
+allow  ${HOME}/.cache/wesnoth
+allow  ${HOME}/.config/wesnoth
+allow  ${HOME}/.local/share/wesnoth
 include whitelist-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 53c4711bd..3c4a4eb63 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -7,12 +7,12 @@ include wget.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.netrc
-noblacklist ${HOME}/.wget-hsts
-noblacklist ${HOME}/.wgetrc
+nodeny  ${HOME}/.netrc
+nodeny  ${HOME}/.wget-hsts
+nodeny  ${HOME}/.wgetrc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 22a84274d..fdbd406c2 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -13,10 +13,10 @@ ignore include whitelist-usr-share-common.inc
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/Whalebird
+nodeny  ${HOME}/.config/Whalebird
 
 mkdir ${HOME}/.config/Whalebird
-whitelist ${HOME}/.config/Whalebird
+allow  ${HOME}/.config/Whalebird
 
 no3d
 
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 93871a5a4..35d7fe9cb 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -7,8 +7,8 @@ include whois.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile
index 0dc26b11d..8f5adb0fc 100644
--- a/etc/profile-m-z/widelands.profile
+++ b/etc/profile-m-z/widelands.profile
@@ -6,7 +6,7 @@ include widelands.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.widelands
+nodeny  ${HOME}/.widelands
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +18,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.widelands
-whitelist ${HOME}/.widelands
+allow  ${HOME}/.widelands
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 0ea24aafd..6bc68c829 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -6,13 +6,13 @@ include wine.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/winetricks
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
-noblacklist ${HOME}/.steam
-noblacklist ${HOME}/.wine
-noblacklist /tmp/.wine-*
+nodeny  ${HOME}/.cache/winetricks
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.local/share/Steam
+nodeny  ${HOME}/.local/share/steam
+nodeny  ${HOME}/.steam
+nodeny  ${HOME}/.wine
+nodeny  /tmp/.wine-*
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 151cd2adb..5f40bbd48 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -20,10 +20,10 @@ ignore private-cache
 ignore dbus-user none
 ignore dbus-system none
 
-noblacklist ${HOME}/.config/Wire
+nodeny  ${HOME}/.config/Wire
 
 mkdir ${HOME}/.config/Wire
-whitelist ${HOME}/.config/Wire
+allow  ${HOME}/.config/Wire
 
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index 1824026a8..f3f347283 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -6,9 +6,9 @@ include wireshark.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/wireshark
-noblacklist ${HOME}/.wireshark
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/wireshark
+nodeny  ${HOME}/.wireshark
+nodeny  ${DOCUMENTS}
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist /usr/share/wireshark
+allow  /usr/share/wireshark
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index 9c724a5d2..1f1541a20 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -6,7 +6,7 @@ include wordwarvi.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.wordwarvi
+nodeny  ${HOME}/.wordwarvi
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,8 +18,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.wordwarvi
-whitelist ${HOME}/.wordwarvi
-whitelist /usr/share/wordwarvi
+allow  ${HOME}/.wordwarvi
+allow  /usr/share/wordwarvi
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile
index a44b6490e..6d16dfb04 100644
--- a/etc/profile-m-z/wps.profile
+++ b/etc/profile-m-z/wps.profile
@@ -6,9 +6,9 @@ include wps.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.kingsoft
-noblacklist ${HOME}/.config/Kingsoft
-noblacklist ${HOME}/.local/share/Kingsoft
+nodeny  ${HOME}/.kingsoft
+nodeny  ${HOME}/.config/Kingsoft
+nodeny  ${HOME}/.local/share/Kingsoft
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
index 557f07cd9..311746cd9 100644
--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -6,8 +6,8 @@ include x2goclient.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.x2go
-noblacklist ${HOME}/.x2goclient
+nodeny  ${HOME}/.x2go
+nodeny  ${HOME}/.x2goclient
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index 384f76acc..e545aa3a0 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -15,8 +15,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/xbill
-whitelist /var/games/xbill/scores
+allow  /usr/share/xbill
+allow  /var/games/xbill/scores
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xchat.profile b/etc/profile-m-z/xchat.profile
index a94444aab..7d0adbcc2 100644
--- a/etc/profile-m-z/xchat.profile
+++ b/etc/profile-m-z/xchat.profile
@@ -6,7 +6,7 @@ include xchat.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xchat
+nodeny  ${HOME}/.config/xchat
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index 4a3022e83..5db709bd1 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -5,10 +5,10 @@ include xed.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xed
-noblacklist ${HOME}/.python-history
-noblacklist ${HOME}/.python_history
-noblacklist ${HOME}/.pythonhist
+nodeny  ${HOME}/.config/xed
+nodeny  ${HOME}/.python-history
+nodeny  ${HOME}/.python_history
+nodeny  ${HOME}/.pythonhist
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
index cd9561e74..297ff6164 100644
--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -6,7 +6,7 @@ include xfburn.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xfburn
+nodeny  ${HOME}/.config/xfburn
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile
index ecd321c7e..8ecd84116 100644
--- a/etc/profile-m-z/xfce4-dict.profile
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -6,7 +6,7 @@ include xfce4-dict.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xfce4-dict
+nodeny  ${HOME}/.config/xfce4-dict
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index bb38dbebd..8a6f9e921 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -6,7 +6,7 @@ include xfce4-mixer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+nodeny  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,10 +18,10 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
-whitelist /usr/share/gstreamer-*
-whitelist /usr/share/xfce4
-whitelist /usr/share/xfce4-mixer
+allow  ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
+allow  /usr/share/gstreamer-*
+allow  /usr/share/xfce4
+allow  /usr/share/xfce4-mixer
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile
index ebfb4333c..fe88f9b27 100644
--- a/etc/profile-m-z/xfce4-notes.profile
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -6,9 +6,9 @@ include xfce4-notes.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
-noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc
-noblacklist ${HOME}/.local/share/notes
+nodeny  ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+nodeny  ${HOME}/.config/xfce4/xfce4-notes.rc
+nodeny  ${HOME}/.local/share/notes
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index b1e5bafbf..baf222354 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -6,7 +6,7 @@ include xfce4-screenshooter.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${PICTURES}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,7 +17,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/xfce4
+allow  /usr/share/xfce4
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 81d98db7a..5c11cbd66 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -6,10 +6,10 @@ include xiphos.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.sword
-noblacklist ${HOME}/.xiphos
+nodeny  ${HOME}/.sword
+nodeny  ${HOME}/.xiphos
 
-blacklist ${HOME}/.bashrc
+deny  ${HOME}/.bashrc
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,8 +21,8 @@ include disable-shell.inc
 
 mkdir ${HOME}/.sword
 mkdir ${HOME}/.xiphos
-whitelist ${HOME}/.sword
-whitelist ${HOME}/.xiphos
+allow  ${HOME}/.sword
+allow  ${HOME}/.xiphos
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index 7987af280..da4801101 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -7,8 +7,7 @@ include xlinks.local
 # added by included profile
 #include globals.local
 
-noblacklist /tmp/.X11-unix
-noblacklist ${HOME}/.links
+nodeny  /tmp/.X11-unix
 
 include whitelist-common.inc
 
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
new file mode 100644
index 000000000..a7612cb2a
--- /dev/null
+++ b/etc/profile-m-z/xlinks2
@@ -0,0 +1,20 @@
+# Firejail profile for xlinks2
+# Description: Text WWW browser (X11)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xlinks2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+nodeny  /tmp/.X11-unix
+
+include whitelist-common.inc
+
+# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
+# to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
+private-bin xlinks2
+private-etc fonts
+
+# Redirect
+include links2.profile
diff --git a/etc/profile-m-z/xmms.profile b/etc/profile-m-z/xmms.profile
index 25261d925..1ed35f29a 100644
--- a/etc/profile-m-z/xmms.profile
+++ b/etc/profile-m-z/xmms.profile
@@ -5,8 +5,8 @@ include xmms.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.xmms
-noblacklist ${MUSIC}
+nodeny  ${HOME}/.xmms
+nodeny  ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index e7020f36b..c97c12f56 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -5,7 +5,7 @@ include xmr-stak.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.xmr-stak
+nodeny  ${HOME}/.xmr-stak
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 53c9a0a08..94a09198c 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -6,7 +6,7 @@ include xonotic.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.xonotic
+nodeny  ${HOME}/.xonotic
 
 include allow-bin-sh.inc
 include allow-opengl-game.inc
@@ -21,8 +21,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.xonotic
-whitelist ${HOME}/.xonotic
-whitelist /usr/share/xonotic
+allow  ${HOME}/.xonotic
+allow  /usr/share/xonotic
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index c4f092d50..34a188a4e 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -6,7 +6,7 @@ include xournal.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,8 +17,8 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-whitelist /usr/share/xournal
-whitelist /usr/share/poppler
+allow  /usr/share/xournal
+allow  /usr/share/poppler
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
index 988b878b9..f82d2a5d3 100644
--- a/etc/profile-m-z/xournalpp.profile
+++ b/etc/profile-m-z/xournalpp.profile
@@ -7,13 +7,13 @@ include xournalpp.local
 # added by included profile
 #include globals.local
 
-noblacklist ${HOME}/.xournalpp
+nodeny  ${HOME}/.xournalpp
 
 include allow-lua.inc
 
-whitelist /usr/share/texlive
-whitelist /usr/share/xournalpp
-whitelist /var/lib/texmf
+allow  /usr/share/texlive
+allow  /usr/share/xournalpp
+allow  /var/lib/texmf
 include whitelist-runuser-common.inc
 
 #mkdir ${HOME}/.xournalpp
diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile
index 1447ec9a7..9da63b52a 100644
--- a/etc/profile-m-z/xpdf.profile
+++ b/etc/profile-m-z/xpdf.profile
@@ -6,8 +6,8 @@ include xpdf.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.xpdfrc
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.xpdfrc
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index c3bb3292c..4af4586e3 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -5,8 +5,8 @@ include xplayer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/xplayer
-noblacklist ${HOME}/.local/share/xplayer
+nodeny  ${HOME}/.config/xplayer
+nodeny  ${HOME}/.local/share/xplayer
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -22,8 +22,8 @@ include disable-programs.inc
 read-only ${DESKTOP}
 mkdir ${HOME}/.config/xplayer
 mkdir ${HOME}/.local/share/xplayer
-whitelist ${HOME}/.config/xplayer
-whitelist ${HOME}/.local/share/xplayer
+allow  ${HOME}/.config/xplayer
+allow  ${HOME}/.local/share/xplayer
 include whitelist-common.inc
 include whitelist-player-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index 6e409e1aa..28fbc94dd 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -25,7 +25,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-whitelist /var/lib/xkb
+allow  /var/lib/xkb
 # whitelisting home directory, or including whitelist-common.inc
 # will crash xpra on some platforms
 
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index 3ab35edfc..440f26af2 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -6,9 +6,9 @@ include xreader.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/xreader
-noblacklist ${HOME}/.config/xreader
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.cache/xreader
+nodeny  ${HOME}/.config/xreader
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index 4d454f81c..671e0cf5b 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -5,10 +5,10 @@ include xviewer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.config/xviewer
-noblacklist ${HOME}/.local/share/Trash
-noblacklist ${HOME}/.steam
+nodeny  ${HOME}/.Steam
+nodeny  ${HOME}/.config/xviewer
+nodeny  ${HOME}/.local/share/Trash
+nodeny  ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
index 81cd021f7..27d0eb411 100644
--- a/etc/profile-m-z/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -10,19 +10,19 @@ ignore whitelist /usr/share/chromium
 ignore include whitelist-runuser-common.inc
 ignore include whitelist-usr-share-common.inc
 
-noblacklist ${HOME}/.cache/yandex-browser
-noblacklist ${HOME}/.cache/yandex-browser-beta
-noblacklist ${HOME}/.config/yandex-browser
-noblacklist ${HOME}/.config/yandex-browser-beta
+nodeny  ${HOME}/.cache/yandex-browser
+nodeny  ${HOME}/.cache/yandex-browser-beta
+nodeny  ${HOME}/.config/yandex-browser
+nodeny  ${HOME}/.config/yandex-browser-beta
 
 mkdir ${HOME}/.cache/yandex-browser
 mkdir ${HOME}/.cache/yandex-browser-beta
 mkdir ${HOME}/.config/yandex-browser
 mkdir ${HOME}/.config/yandex-browser-beta
-whitelist ${HOME}/.cache/yandex-browser
-whitelist ${HOME}/.cache/yandex-browser-beta
-whitelist ${HOME}/.config/yandex-browser
-whitelist ${HOME}/.config/yandex-browser-beta
+allow  ${HOME}/.cache/yandex-browser
+allow  ${HOME}/.cache/yandex-browser-beta
+allow  ${HOME}/.config/yandex-browser
+allow  ${HOME}/.config/yandex-browser-beta
 
 # Redirect
 include chromium-common.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 93054bfed..b288993f2 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -6,7 +6,7 @@ include yelp.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/yelp
+nodeny  ${HOME}/.config/yelp
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,14 +18,15 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/yelp
-whitelist ${HOME}/.config/yelp
-whitelist /usr/share/doc
-whitelist /usr/share/groff
-whitelist /usr/share/help
-whitelist /usr/share/man
-whitelist /usr/share/yelp
-whitelist /usr/share/yelp-tools
-whitelist /usr/share/yelp-xsl
+allow  ${HOME}/.config/yelp
+allow  /usr/libexec/webkit2gtk-4.0
+allow  /usr/share/doc
+allow  /usr/share/groff
+allow  /usr/share/help
+allow  /usr/share/man
+allow  /usr/share/yelp
+allow  /usr/share/yelp-tools
+allow  /usr/share/yelp-xsl
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index b52271a2c..26ea3acaa 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -8,7 +8,7 @@ include globals.local
 include allow-python2.inc
 include allow-python3.inc
 
-noblacklist ${HOME}/.config/youtube-dlg
+nodeny  ${HOME}/.config/youtube-dlg
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/youtube-dlg
-whitelist ${HOME}/.config/youtube-dlg
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/youtube-dlg
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 24c4d6db3..37f87d0b5 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -10,18 +10,18 @@ include globals.local
 # breaks when installed under ${HOME} via `pip install --user` (see #2833)
 ignore noexec ${HOME}
 
-noblacklist ${HOME}/.cache/youtube-dl
-noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.netrc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
+nodeny  ${HOME}/.cache/youtube-dl
+nodeny  ${HOME}/.config/youtube-dl
+nodeny  ${HOME}/.netrc
+nodeny  ${MUSIC}
+nodeny  ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+deny  /tmp/.X11-unix
+deny  ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index 7d6e9b0eb..84b8bbc6a 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -7,54 +7,15 @@ include youtube-viewer.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.cache/youtube-viewer
-noblacklist ${HOME}/.config/youtube-viewer
-
-# Allow perl (blacklisted by disable-interpreters.inc)
-include allow-perl.inc
-
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+nodeny  ${HOME}/.cache/youtube-viewer
+nodeny  ${HOME}/.config/youtube-viewer
 
 mkdir ${HOME}/.cache/youtube-viewer
 mkdir ${HOME}/.config/youtube-viewer
-whitelist ${HOME}/.cache/youtube-viewer
-whitelist ${HOME}/.config/youtube-viewer
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-netfilter
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
+allow  ${HOME}/.cache/youtube-viewer
+allow  ${HOME}/.config/youtube-viewer
 
-disable-mnt
-private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,sh,smplayer,stty,vlc,which,youtube-dl,youtube-viewer
-private-cache
-private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
-private-tmp
+private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
 
-dbus-user none
-dbus-system none
+# Redirect
+include youtube-viewers-common.profile
\ No newline at end of file
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
new file mode 100644
index 000000000..f531f815e
--- /dev/null
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -0,0 +1,61 @@
+# Firejail profile for youtube-viewer clones
+# Description: common profile for Trizen's Youtube viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube-viewers-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+nodeny  ${HOME}/.cache/youtube-dl
+
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+allow  ${DOWNLOADS}
+allow  ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index ad7ceaee4..b015fb013 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -9,12 +9,12 @@ include globals.local
 # Disabled until someone reported positive feedback
 ignore nou2f
 
-noblacklist ${HOME}/.config/Youtube
+nodeny  ${HOME}/.config/Youtube
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/Youtube
-whitelist ${HOME}/.config/Youtube
+allow  ${HOME}/.config/Youtube
 
 private-bin youtube
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index 74b0e38b9..d594a3d0f 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -6,12 +6,12 @@ include youtube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
+nodeny  ${HOME}/.config/youtubemusic-nativefier-040164
 
 include disable-shell.inc
 
 mkdir ${HOME}/.config/youtubemusic-nativefier-040164
-whitelist ${HOME}/.config/youtubemusic-nativefier-040164
+allow  ${HOME}/.config/youtubemusic-nativefier-040164
 
 private-bin youtubemusic-nativefier
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index ab46fccc2..9987c953e 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -8,10 +8,10 @@ include globals.local
 
 ignore dbus-user none
 
-noblacklist ${HOME}/.config/youtube-music-desktop-app
+nodeny  ${HOME}/.config/youtube-music-desktop-app
 
 mkdir ${HOME}/.config/youtube-music-desktop-app
-whitelist ${HOME}/.config/youtube-music-desktop-app
+allow  ${HOME}/.config/youtube-music-desktop-app
 
 # private-bin env,ytmdesktop
 private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile
index 5a168feb6..2f18a8c45 100644
--- a/etc/profile-m-z/zaproxy.profile
+++ b/etc/profile-m-z/zaproxy.profile
@@ -6,7 +6,7 @@ include zaproxy.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.ZAP
+nodeny  ${HOME}/.ZAP
 
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -20,8 +20,8 @@ include disable-programs.inc
 
 mkdir ${HOME}/.java
 mkdir ${HOME}/.ZAP
-whitelist ${HOME}/.java
-whitelist ${HOME}/.ZAP
+allow  ${HOME}/.java
+allow  ${HOME}/.ZAP
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile
index 10f83aa30..32ff4f8ed 100644
--- a/etc/profile-m-z/zart.profile
+++ b/etc/profile-m-z/zart.profile
@@ -6,8 +6,8 @@ include zart.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${DOCUMENTS}
-noblacklist ${PICTURES}
+nodeny  ${DOCUMENTS}
+nodeny  ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index a39729685..4bc841f63 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -6,9 +6,9 @@ include zathura.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/zathura
-noblacklist ${HOME}/.local/share/zathura
-noblacklist ${DOCUMENTS}
+nodeny  ${HOME}/.config/zathura
+nodeny  ${HOME}/.local/share/zathura
+nodeny  ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -17,12 +17,14 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/zathura
 mkdir ${HOME}/.local/share/zathura
-whitelist /usr/share/doc
-whitelist /usr/share/zathura
+allow  /usr/share/doc
+allow  /usr/share/zathura
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -41,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/zcat.profile b/etc/profile-m-z/zcat.profile
index 5de13ab90..904ea9f05 100644
--- a/etc/profile-m-z/zcat.profile
+++ b/etc/profile-m-z/zcat.profile
@@ -9,7 +9,7 @@ include zcat.local
 
 # Allow running kernel config check
 ignore include disable-shell.inc
-noblacklist /proc/config.gz
+nodeny  /proc/config.gz
 
 # Redirect
 include gzip.profile
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 2c6f6910f..458df2a46 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -6,9 +6,9 @@ include zeal.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/Zeal
-noblacklist ${HOME}/.cache/Zeal
-noblacklist ${HOME}/.local/share/Zeal
+nodeny  ${HOME}/.config/Zeal
+nodeny  ${HOME}/.cache/Zeal
+nodeny  ${HOME}/.local/share/Zeal
 
 include disable-common.inc
 include disable-devel.inc
@@ -23,9 +23,9 @@ mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/qt5ct
 mkdir ${HOME}/.config/Zeal
 mkdir ${HOME}/.local/share/Zeal
-whitelist ${HOME}/.cache/Zeal
-whitelist ${HOME}/.config/Zeal
-whitelist ${HOME}/.local/share/Zeal
+allow  ${HOME}/.cache/Zeal
+allow  ${HOME}/.config/Zeal
+allow  ${HOME}/.local/share/Zeal
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/zgrep.profile b/etc/profile-m-z/zgrep.profile
index f63dc871f..e2dfbd105 100644
--- a/etc/profile-m-z/zgrep.profile
+++ b/etc/profile-m-z/zgrep.profile
@@ -9,7 +9,7 @@ include zgrep.local
 
 # Allow running kernel config check
 ignore include disable-shell.inc
-noblacklist /proc/config.gz
+nodeny  /proc/config.gz
 
 # Redirect
 include gzip.profile
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index ac615d861..6b0417b56 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -16,17 +16,17 @@ ignore dbus-system none
 # If you use such a system, add 'ignore nogroups' to your zoom.local.
 #ignore nogroups
 
-noblacklist ${HOME}/.config/zoomus.conf
-noblacklist ${HOME}/.zoom
+nodeny  ${HOME}/.config/zoomus.conf
+nodeny  ${HOME}/.zoom
 
-nowhitelist ${DOWNLOADS}
+noallow  ${DOWNLOADS}
 
 mkdir ${HOME}/.cache/zoom
 mkfile ${HOME}/.config/zoomus.conf
 mkdir ${HOME}/.zoom
-whitelist ${HOME}/.cache/zoom
-whitelist ${HOME}/.config/zoomus.conf
-whitelist ${HOME}/.zoom
+allow  ${HOME}/.cache/zoom
+allow  ${HOME}/.config/zoomus.conf
+allow  ${HOME}/.zoom
 
 # Disable for now, see https://github.com/netblue30/firejail/issues/3726
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index 093da5212..cdbbdccf1 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -8,7 +8,7 @@ include globals.local
 
 ignore noexec /tmp
 
-noblacklist ${HOME}/.config/Zulip
+nodeny  ${HOME}/.config/Zulip
 
 include disable-common.inc
 include disable-devel.inc
@@ -20,8 +20,8 @@ include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/Zulip
-whitelist ${HOME}/.config/Zulip
-whitelist ${DOWNLOADS}
+allow  ${HOME}/.config/Zulip
+allow  ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index fcc7fe949..18e4e8bce 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -59,14 +59,6 @@ include globals.local
 ##ignore noexec ${HOME}
 ##ignore noexec /tmp
 
-##blacklist PATH
-# Disable X11 (CLI only), see also 'x11 none' below
-#blacklist /tmp/.X11-unix
-# Disable Wayland
-#blacklist ${RUNUSER}/wayland-*
-# Disable RUNUSER (cli only; supersedes Disable Wayland)
-#blacklist ${RUNUSER}
-
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
 # (keep list sorted) and then disable blacklisting below.
@@ -109,6 +101,17 @@ include globals.local
 # Allow ssh (blacklisted by disable-common.inc)
 #include allow-ssh.inc
 
+##blacklist PATH
+# Disable X11 (CLI only), see also 'x11 none' below
+#blacklist /tmp/.X11-unix
+# Disable Wayland
+#blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only; supersedes Disable Wayland)
+#blacklist ${RUNUSER}
+# Remove the next blacklist if you system has no /usr/libexec dir,
+# otherwise try to add it.
+#blacklist /usr/libexec
+
 # disable-*.inc includes
 # remove disable-write-mnt.inc if you set disable-mnt
 #include disable-common.inc
@@ -189,7 +192,7 @@ include globals.local
 #  GUI: fonts,pango,X11
 #  GTK: dconf,gconf,gtk-2.0,gtk-3.0
 #  KDE: kde4rc,kde5rc
-#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl
+#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 #    Extra: gai.conf,proxychains.conf
 #  Qt: Trolltech.conf
 ##private-lib LIBS
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 0775f60ff..3992c984a 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
diff --git a/platform/rpm/firejail.spec b/platform/rpm/firejail.spec
index acdc8d561..86cd6006e 100644
--- a/platform/rpm/firejail.spec
+++ b/platform/rpm/firejail.spec
@@ -45,8 +45,8 @@ rm -rf %{buildroot}
 %{_mandir}/man1/__NAME__.1.gz
 %{_mandir}/man1/firecfg.1.gz
 %{_mandir}/man1/firemon.1.gz
+%{_mandir}/man1/jailcheck.1.gz
 %{_mandir}/man5/__NAME__-login.5.gz
 %{_mandir}/man5/__NAME__-profile.5.gz
 %{_mandir}/man5/__NAME__-users.5.gz
-%{_mandir}/man5/jailcheck.5.gz
 %config(noreplace) %{_sysconfdir}/__NAME__
diff --git a/src/common.mk.in b/src/common.mk.in
index f88da55ac..5ae8bf204 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -15,7 +15,6 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
-HAVE_WHITELIST=@HAVE_WHITELIST@
 HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
@@ -42,7 +41,7 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
+MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS)
 CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
 LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 8700e0ba1..019c3ac5a 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -182,12 +182,12 @@ static void var_callback(char *ptr) {
 void build_var(const char *fname, FILE *fp) {
         assert(fname);
 
-        var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/");
+        var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/");
         process_files(fname, "/var", var_callback);
 
         // always whitelist /var
         if (var_out)
-                filedb_print(var_out, "whitelist /var/", fp);
+                filedb_print(var_out, "allow /var/", fp);
         fprintf(fp, "include whitelist-var-common.inc\n");
 }
 
@@ -222,12 +222,12 @@ static void share_callback(char *ptr) {
 void build_share(const char *fname, FILE *fp) {
         assert(fname);
 
-        share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/");
+        share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/");
         process_files(fname, "/usr/share", share_callback);
 
         // always whitelist /usr/share
         if (share_out)
-                filedb_print(share_out, "whitelist /usr/share/", fp);
+                filedb_print(share_out, "allow /usr/share/", fp);
         fprintf(fp, "include whitelist-usr-share-common.inc\n");
 }
 
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index b3ec6cffd..f283a0cce 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -138,7 +138,7 @@ void build_home(const char *fname, FILE *fp) {
         assert(fname);
 
         // load whitelist common
-        db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/");
+        db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/");
 
         // find user home directory
         struct passwd *pw = getpwuid(getuid());
@@ -166,7 +166,7 @@ void build_home(const char *fname, FILE *fp) {
 
         // print the out list if any
         if (db_out) {
-                filedb_print(db_out, "whitelist ${HOME}/", fp);
+                filedb_print(db_out, "allow ${HOME}/", fp);
                 fprintf(fp, "include whitelist-common.inc\n");
         }
         else
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 1726b4dbb..5df19f511 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -24,21 +24,6 @@
 #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX"
 #define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX"
 
-/* static char *cmdlist[] = { */
-/*      "/usr/bin/firejail", */
-/*      "--quiet", */
-/*      "--output=" TRACE_OUTPUT, */
-/*      "--noprofile", */
-/*      "--caps.drop=all", */
-/*      "--nonewprivs", */
-/*      "--trace", */
-/*      "--shell=none", */
-/*      "/usr/bin/strace", // also used as a marker in build_profile() */
-/*      "-c", */
-/*      "-f", */
-/*      "-o" STRACE_OUTPUT, */
-/* }; */
-
 void build_profile(int argc, char **argv, int index, FILE *fp) {
         // next index is the application name
         if (index >= argc) {
@@ -158,14 +143,14 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 fprintf(fp, "### Enable as many of them as you can! A very important one is\n");
                 fprintf(fp, "### \"disable-exec.inc\". This will make among other things your home\n");
                 fprintf(fp, "### and /tmp directories non-executable.\n");
-                fprintf(fp, "include disable-common.inc\n");
-                fprintf(fp, "#include disable-devel.inc\n");
-                fprintf(fp, "#include disable-exec.inc\n");
-                fprintf(fp, "#include disable-interpreters.inc\n");
-                fprintf(fp, "include disable-passwdmgr.inc\n");
-                fprintf(fp, "include disable-programs.inc\n");
-                fprintf(fp, "#include disable-shell.inc\n");
-                fprintf(fp, "#include disable-xdg.inc\n");
+                fprintf(fp, "include disable-common.inc\t# dangerous directories like ~/.ssh and ~/.gnupg\n");
+                fprintf(fp, "#include disable-devel.inc\t# development tools such as gcc and gdb\n");
+                fprintf(fp, "#include disable-exec.inc\t# non-executable directories such as /var, /tmp, and /home\n");
+                fprintf(fp, "#include disable-interpreters.inc\t# perl, python, lua etc.\n");
+                fprintf(fp, "include disable-passwdmgr.inc\t# password managers\n");
+                fprintf(fp, "include disable-programs.inc\t# user configuration for programs such as firefox, vlc etc.\n");
+                fprintf(fp, "#include disable-shell.inc\t# sh, bash, zsh etc.\n");
+                fprintf(fp, "#include disable-xdg.inc\t# standard user directories: Documents, Pictures, Videos, Music\n");
                 fprintf(fp, "\n");
 
                 fprintf(fp, "### Home Directory Whitelisting ###\n");
@@ -180,18 +165,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 build_var(trace_output, fp);
                 fprintf(fp, "\n");
 
-                fprintf(fp, "#apparmor\n");
+                fprintf(fp, "#apparmor\t# if you have AppArmor running, try this one!\n");
                 fprintf(fp, "caps.drop all\n");
                 fprintf(fp, "ipc-namespace\n");
                 fprintf(fp, "netfilter\n");
-                fprintf(fp, "#nodvd\n");
-                fprintf(fp, "#nogroups\n");
-                fprintf(fp, "#noinput\n");
+                fprintf(fp, "#no3d\t# disable 3D acceleration\n");
+                fprintf(fp, "#nodvd\t# disable DVD and CD devices\n");
+                fprintf(fp, "#nogroups\t# disable supplementary user groups\n");
+                fprintf(fp, "#noinput\t# disable input devices\n");
                 fprintf(fp, "nonewprivs\n");
                 fprintf(fp, "noroot\n");
-                fprintf(fp, "#notv\n");
-                fprintf(fp, "#nou2f\n");
-                fprintf(fp, "#novideo\n");
+                fprintf(fp, "#notv\t# disable DVB TV devices\n");
+                fprintf(fp, "#nou2f\t# disable U2F devices\n");
+                fprintf(fp, "#novideo\t# disable video capture devices\n");
                 build_protocol(trace_output, fp);
                 fprintf(fp, "seccomp\n");
                 if (!have_strace) {
@@ -203,19 +189,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                 else
                         build_seccomp(strace_output, fp);
                 fprintf(fp, "shell none\n");
-                fprintf(fp, "#tracelog\n");
+                fprintf(fp, "tracelog\n");
                 fprintf(fp, "\n");
 
-                fprintf(fp, "#disable-mnt\n");
+                fprintf(fp, "#disable-mnt\t# no access to /mnt, /media, /run/mount and /run/media\n");
                 build_bin(trace_output, fp);
-                fprintf(fp, "#private-lib\n");
+                fprintf(fp, "#private-cache\t# run with an empty ~/.cache directory\n");
                 build_dev(trace_output, fp);
                 build_etc(trace_output, fp);
+                fprintf(fp, "#private-lib\n");
                 build_tmp(trace_output, fp);
                 fprintf(fp, "\n");
 
                 fprintf(fp, "#dbus-user none\n");
                 fprintf(fp, "#dbus-system none\n");
+                fprintf(fp, "\n");
                 fprintf(fp, "#memory-deny-write-execute\n");
 
                 if (!arg_debug) {
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
index dc3cce456..b3187227e 100644
--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -82,11 +82,12 @@ void build_seccomp(const char *fname, FILE *fp) {
 //***************************************
 // protocol
 //***************************************
-int unix_s = 0;
-int inet = 0;
-int inet6 = 0;
-int netlink = 0;
-int packet = 0;
+static int unix_s = 0;
+static int inet = 0;
+static int inet6 = 0;
+static int netlink = 0;
+static int packet = 0;
+static int bluetooth = 0;
 static void process_protocol(const char *fname) {
         assert(fname);
 
@@ -135,6 +136,8 @@ static void process_protocol(const char *fname) {
                         netlink = 1;
                 else if (strncmp(ptr, "AF_PACKET ", 10) == 0)
                         packet = 1;
+                else if (strncmp(ptr, "AF_BLUETOOTH ", 13) == 0)
+                        bluetooth = 1;
         }
 
         fclose(fp);
@@ -161,22 +164,22 @@ void build_protocol(const char *fname, FILE *fp) {
         }
 
         int net = 0;
-        if (unix_s || inet || inet6 || netlink || packet) {
+        if (unix_s || inet || inet6 || netlink || packet || bluetooth) {
                 fprintf(fp, "protocol ");
                 if (unix_s)
                         fprintf(fp, "unix,");
-                if (inet) {
-                        fprintf(fp, "inet,");
-                        net = 1;
-                }
-                if (inet6) {
-                        fprintf(fp, "inet6,");
+                if (inet || inet6) {
+                        fprintf(fp, "inet,inet6,");
                         net = 1;
                 }
                 if (netlink)
                         fprintf(fp, "netlink,");
                 if (packet) {
-                        fprintf(fp, "packet");
+                        fprintf(fp, "packet,");
+                        net = 1;
+                }
+                if (bluetooth) {
+                        fprintf(fp, "bluetooth");
                         net = 1;
                 }
                 fprintf(fp, "\n");
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
index 35ec49519..6c9fc507c 100644
--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -39,7 +39,7 @@ printf("\n");
         int i;
         int prog_index = 0;
         FILE *fp = stdout;
-        int prof_file = 0;
+        char *prof_file = NULL;
 
         // parse arguments and extract program index
         for (i = 1; i < argc; i++) {
@@ -70,8 +70,7 @@ printf("\n");
                                 fprintf(stderr, "Error: cannot open profile file.\n");
                                 exit(1);
                         }
-                        prof_file = 1;
-                        // do nothing, this is passed down from firejail
+                        prof_file = argv[i] + 8;
                 }
                 else {
                         if (*argv[i] == '-') {
@@ -87,8 +86,11 @@ printf("\n");
         if (prog_index == 0) {
                 fprintf(stderr, "Error : program and arguments required\n");
                 usage();
-                if (prof_file)
+                if (prof_file) {
                         fclose(fp);
+                        int rv = unlink(prof_file);
+                        (void) rv;
+                }
                 exit(1);
         }
 
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 572e9f601..31810de9a 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -19,11 +19,15 @@
  */
 
 #include "../include/common.h"
-#include <fcntl.h>
 #include <ftw.h>
 #include <errno.h>
 #include <pwd.h>
 
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
 #if HAVE_SELINUX
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -55,7 +59,7 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
         assert(path);
         assert(inside_path);
 #if HAVE_SELINUX
-        char procfs_path[64];
+        char procfs_path[64];
         char *fcon = NULL;
         int fd;
         struct stat st;
@@ -69,20 +73,23 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
         if (!label_hnd)
                 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 
+        if (!label_hnd)
+                errExit("selabel_open");
+
         /* Open the file as O_PATH, to pin it while we determine and adjust the label */
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
         if (fd < 0)
                 return;
         if (fstat(fd, &st) < 0)
                 goto close;
 
-        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
                 sprintf(procfs_path, "/proc/self/fd/%i", fd);
                 if (arg_debug)
                         printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
                 setfilecon_raw(procfs_path, fcon);
-        }
+        }
         freecon(fcon);
  close:
         close(fd);
@@ -340,7 +347,7 @@ static char *check(const char *src) {
 
 errexit:
         free(rsrc);
-        fprintf(stderr, "Error fcopy: invalid file %s\n", src);
+        fprintf(stderr, "Error fcopy: invalid ownership for file %s\n", src);
         exit(1);
 }
 
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 474904ebf..7052f7509 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -38,6 +38,8 @@ abrowser
 akonadi_control
 akregator
 alacarte
+alpine
+alpinef
 amarok
 amule
 amuled
@@ -140,6 +142,7 @@ claws-mail
 clawsker
 clementine
 clion
+clion-eap
 clipit
 clipgrab
 cliqz
@@ -167,6 +170,7 @@ cvlc
 cyberfox
 darktable
 dconf-editor
+ddgr
 ddgtk
 deadbeef
 deluge
@@ -186,7 +190,6 @@ display-im6.q16
 dnox
 dnscrypt-proxy
 dnsmasq
-dolphin
 dolphin-emu
 dooble
 dooble-qt4
@@ -271,6 +274,7 @@ freetube
 freshclam
 frogatto
 frozen-bubble
+funnyboat
 gajim
 gajim-history-manager
 galculator
@@ -350,6 +354,7 @@ google-chrome-unstable
 google-earth
 google-earth-pro
 google-play-music-desktop-player
+googler
 gpa
 gpicview
 gpredict
@@ -357,6 +362,7 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
+gtk-pipe-viewer
 gtk-straw-viewer
 gtk-youtube-viewer
 gtk2-youtube-viewer
@@ -443,6 +449,7 @@ kube
 kwrite
 leafpad
 # less - breaks man
+librecad
 libreoffice
 librewolf
 librewolf-nightly
@@ -450,6 +457,7 @@ liferea
 lightsoff
 lincity-ng
 links
+links2
 linphone
 lmms
 lobase
@@ -489,6 +497,7 @@ mathematica
 matrix-mirage
 mattermost-desktop
 mcabber
+mcomix
 mediainfo
 mediathekview
 megaglest
@@ -626,6 +635,7 @@ pinball
 pingus
 pinta
 pioneer
+pipe-viewer
 pithos
 pitivi
 pix
@@ -648,6 +658,7 @@ pybitmessage
 # pycharm-professional
 # pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 qbittorrent
+qcomicbook
 qemu-launcher
 qgis
 qlipper
@@ -868,6 +879,7 @@ xfce4-notes
 xfce4-screenshooter
 xiphos
 xlinks
+xlinks2
 xmms
 xmr-stak
 xonotic
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 6b9fed765..2266fa499 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -21,6 +21,7 @@
 // sudo mount -o loop krita-3.0-x86_64.appimage mnt
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
@@ -30,6 +31,7 @@
 
 static char *devloop = NULL;    // device file
 static long unsigned size = 0;  // offset into appimage file
+#define MAXBUF 4096
 
 #ifdef LOOP_CTL_GET_FREE        // test for older kernels; this definition is found in /usr/include/linux/loop.h
 static void err_loop(void) {
@@ -38,6 +40,36 @@ static void err_loop(void) {
 }
 #endif
 
+// return 1 if found
+int appimage_find_profile(const char *archive) {
+        assert(archive);
+        assert(strlen(archive));
+
+        // try to match the name of the archive with the list of programs in /usr/lib/firejail/firecfg.config
+        FILE *fp = fopen(LIBDIR "/firejail/firecfg.config", "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot find %s, firejail is not correctly installed\n", LIBDIR "/firejail/firecfg.config");
+                exit(1);
+        }
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (*buf == '#')
+                        continue;
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+                if (strcasestr(archive, buf)) {
+                        fclose(fp);
+                        return profile_find_firejail(buf, 1);
+                }
+        }
+
+        fclose(fp);
+        return 0;
+
+}
+
+
 void appimage_set(const char *appimage) {
         assert(appimage);
         assert(devloop == NULL);        // don't call this twice!
@@ -109,9 +141,8 @@ void appimage_set(const char *appimage) {
 
         if (cfg.cwd)
                 env_store_name_val("OWD", cfg.cwd, SETENV);
-#ifdef HAVE_GCOV
+
         __gcov_flush();
-#endif
 #else
         fprintf(stderr, "Error: /dev/loop-control interface is not supported by your kernel\n");
         exit(1);
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index 1e9641097..bbab9a6d9 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -277,7 +277,7 @@ static uint32_t arp_random(const char *dev, Bridge *br) {
         int i = 0;
         for (i = 0; i < 10; i++) {
                 dest = start + ((uint32_t) rand()) % range;
-                if (dest == ifip)       // do not allow the interface address
+                if (dest == ifip || dest == cfg.defaultgw)      // do not allow the interface address or the default gateway
                         continue;               // try again
 
                 // if we've made it up to here, we have a valid address
@@ -325,7 +325,7 @@ static uint32_t arp_sequential(const char *dev, Bridge *br) {
 
         // loop through addresses and stop as soon as you find an unused one
         while (dest <= last) {
-                if (dest == ifip) {
+                if (dest == ifip || dest == cfg.defaultgw) {
                         dest++;
                         continue;
                 }
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 614b144e5..06e6f0ccb 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -35,6 +35,7 @@ char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
 char *config_seccomp_error_action_str = "EPERM";
+char *config_seccomp_filter_add = NULL;
 char **whitelist_reject_topdirs = NULL;
 
 int checkcfg(int val) {
@@ -103,18 +104,20 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_USERNS, "userns")
                         PARSE_YESNO(CFG_CHROOT, "chroot")
                         PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt")
-                        PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user")
                         PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs")
                         PARSE_YESNO(CFG_SECCOMP, "seccomp")
-                        PARSE_YESNO(CFG_WHITELIST, "whitelist")
                         PARSE_YESNO(CFG_NETWORK, "network")
                         PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
                         PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
                         PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
-                        PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
+                        PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
+                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
                         PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
+                        PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc")
+                        PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
                         PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib")
-                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
+                        PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt")
+                        PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv")
                         PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
                         PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
                         PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
@@ -131,8 +134,7 @@ int checkcfg(int val) {
                                         *end = '\0';
 
                                 // is the file present?
-                                struct stat s;
-                                if (stat(fname, &s) == -1) {
+                                if (access(fname, F_OK) == -1) {
                                         fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
                                         exit(1);
                                 }
@@ -223,6 +225,10 @@ int checkcfg(int val) {
                         else if (strncmp(ptr, "join-timeout ", 13) == 0)
                                 join_timeout = strtoul(ptr + 13, NULL, 10) * 1000000; // seconds to microseconds
 
+                        // add rules to default seccomp filter
+                        else if (strncmp(ptr, "seccomp-filter-add ", 19) == 0)
+                                config_seccomp_filter_add = seccomp_check_list(ptr + 19);
+
                         // seccomp error action
                         else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
                                 if (strcmp(ptr + 21, "kill") == 0)
@@ -295,7 +301,7 @@ errout:
 
 void print_compiletime_support(void) {
         printf("Compile time support:\n");
-        printf("\t- Always force nonewprivs support is %s\n",
+        printf("\t- always force nonewprivs support is %s\n",
 #ifdef HAVE_FORCE_NONEWPRIVS
                 "enabled"
 #else
@@ -335,14 +341,6 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- file and directory whitelisting support is %s\n",
-#ifdef HAVE_WHITELIST
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
-
         printf("\t- file transfer support is %s\n",
 #ifdef HAVE_FILE_TRANSFER
                 "enabled"
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 757ffb1f7..37ec22117 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -20,6 +20,7 @@
 
 #ifdef HAVE_CHROOT
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
 #include <sys/sendfile.h>
 #include <errno.h>
@@ -29,7 +30,6 @@
 #define O_PATH 010000000
 #endif
 
-
 // exit if error
 void fs_check_chroot_dir(void) {
         EUID_ASSERT();
@@ -163,12 +163,8 @@ void fs_chroot(const char *rootdir) {
         int fd = openat(parentfd, "dev", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount("/dev", proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_path_to_fd("/dev", fd))
                 errExit("mounting /dev");
-        free(proc);
         close(fd);
 
 #ifdef HAVE_X11
@@ -192,11 +188,8 @@ void fs_chroot(const char *rootdir) {
                 fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                 if (fd == -1)
                         errExit("open");
-                if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                        errExit("asprintf");
-                if (mount("/tmp/.X11-unix", proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+                if (bind_mount_path_to_fd("/tmp/.X11-unix", fd))
                         errExit("mounting /tmp/.X11-unix");
-                free(proc);
                 close(fd);
         }
 #endif // HAVE_X11
@@ -225,19 +218,11 @@ void fs_chroot(const char *rootdir) {
                         fprintf(stderr, "Error: cannot open %s\n", pulse);
                         exit(1);
                 }
-                free(pulse);
-
-                char *proc_src, *proc_dst;
-                if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-                        errExit("asprintf");
-                if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                        errExit("asprintf");
-                if (mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-                free(proc_src);
-                free(proc_dst);
+                if (bind_mount_by_fd(src, dst))
+                        errExit("mounting pulseaudio");
                 close(src);
                 close(dst);
+                free(pulse);
 
                 // update /etc/machine-id in chroot
                 update_file(parentfd, "etc/machine-id");
@@ -256,11 +241,8 @@ void fs_chroot(const char *rootdir) {
         fd = openat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_FIREJAIL_LIB_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_path_to_fd(RUN_FIREJAIL_LIB_DIR, fd))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         // create /run/firejail/mnt directory in chroot
@@ -271,29 +253,22 @@ void fs_chroot(const char *rootdir) {
         fd = openat(parentfd, &RUN_MNT_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_MNT_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_path_to_fd(RUN_MNT_DIR, fd))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         // update chroot resolv.conf
         update_file(parentfd, "etc/resolv.conf");
 
-#ifdef HAVE_GCOV
         __gcov_flush();
-#endif
+
         // create /run/firejail/mnt/oroot
         char *oroot = RUN_OVERLAY_ROOT;
         if (mkdir(oroot, 0755) == -1)
                 errExit("mkdir");
         // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
-        if (asprintf(&proc, "/proc/self/fd/%d", parentfd) == -1)
-                errExit("asprintf");
-        if (mount(proc, oroot, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(parentfd, oroot))
                 errExit("mounting rootdir oroot");
-        free(proc);
         close(parentfd);
         // chroot into the new directory
         if (arg_debug)
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index f902c4e1c..2fa68a55d 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -26,7 +26,7 @@
 #include <assert.h>
 #include <errno.h>
 
-static int cmdline_length(int argc, char **argv, int index) {
+static int cmdline_length(int argc, char **argv, int index, bool want_extra_quotes) {
         assert(index != -1);
 
         unsigned i,j;
@@ -46,10 +46,11 @@ static int cmdline_length(int argc, char **argv, int index) {
                                         len += 3;
                                 in_quotes = false;
                         } else {
-                                if (!in_quotes)
+                                if (!in_quotes && want_extra_quotes)
                                         len++;
                                 len++;
-                                in_quotes = true;
+                                if (want_extra_quotes)
+                                        in_quotes = true;
                         }
                 }
                 if (in_quotes) {
@@ -64,7 +65,7 @@ static int cmdline_length(int argc, char **argv, int index) {
         return len;
 }
 
-static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index) {
+static void quote_cmdline(char *command_line, char *window_title, int len, int argc, char **argv, int index, bool want_extra_quotes) {
         assert(index != -1);
 
         unsigned i,j;
@@ -103,14 +104,15 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
                         // anything other
                         else
                         {
-                                if (!in_quotes) {
+                                if (!in_quotes && want_extra_quotes) {
                                         // open quotes
                                         ptr1[0] = '\'';
                                         ptr1++;
                                 }
                                 ptr1[0] = argv[i + index][j];
                                 ptr1++;
-                                in_quotes = true;
+                                if (want_extra_quotes)
+                                        in_quotes = true;
                         }
                 }
                 // close quotes
@@ -134,12 +136,12 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
         assert((unsigned) len == strlen(command_line));
 }
 
-void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) {
         // index == -1 could happen if we have --shell=none and no program was specified
         // the program should exit with an error before entering this function
         assert(index != -1);
 
-        int len = cmdline_length(argc, argv, index);
+        int len = cmdline_length(argc, argv, index, want_extra_quotes);
         if (len > ARG_MAX) {
                 errno = E2BIG;
                 errExit("cmdline_length");
@@ -152,7 +154,7 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
         if (!*window_title)
                         errExit("malloc");
 
-        quote_cmdline(*command_line, *window_title, len, argc, argv, index);
+        quote_cmdline(*command_line, *window_title, len, argc, argv, index, want_extra_quotes);
 
         if (arg_debug)
                 printf("Building quoted command line: %s\n", *command_line);
@@ -161,17 +163,17 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
         assert(*window_title);
 }
 
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index) {
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes) {
         // index == -1 could happen if we have --shell=none and no program was specified
         // the program should exit with an error before entering this function
         assert(index != -1);
 
         char *apprun_path = RUN_FIREJAIL_APPIMAGE_DIR "/AppRun";
 
-        int len1 = cmdline_length(argc, argv, index);  // length of argv w/o changes
-        int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
-        int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/AppRun
-        int len4 = (len1 - len2 + len3) + 1;           // apptest.AppImage is replaced by /path/to/AppRun
+        int len1 = cmdline_length(argc, argv, index, want_extra_quotes);  // length of argv w/o changes
+        int len2 = cmdline_length(1, &argv[index], 0, want_extra_quotes); // apptest.AppImage
+        int len3 = cmdline_length(1, &apprun_path, 0, want_extra_quotes); // /run/firejail/appimage/AppRun
+        int len4 = (len1 - len2 + len3) + 1;                              // apptest.AppImage is replaced by /path/to/AppRun
 
         if (len4 > ARG_MAX) {
                 errno = E2BIG;
@@ -187,7 +189,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
                         errExit("malloc");
 
         // run default quote_cmdline
-        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index);
+        quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index, want_extra_quotes);
 
         assert(command_line_tmp);
         assert(*window_title);
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index b8aa2c974..9a4cb2e6b 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -258,12 +258,8 @@ static char *find_user_socket_by_format(char *format) {
         if (asprintf(&dbus_user_socket, format, (int) getuid()) == -1)
                 errExit("asprintf");
         struct stat s;
-        if (stat(dbus_user_socket, &s) == -1) {
-                if (errno == ENOENT)
-                        goto fail;
-                return NULL;
-                errExit("stat");
-        }
+        if (lstat(dbus_user_socket, &s) == -1)
+                goto fail;
         if (!S_ISSOCK(s.st_mode))
                 goto fail;
         return dbus_user_socket;
@@ -426,12 +422,8 @@ static void socket_overlay(char *socket_path, char *proxy_path) {
                 errno = ENOTSOCK;
                 errExit("mounting DBus proxy socket");
         }
-        char *proxy_fd_path;
-        if (asprintf(&proxy_fd_path, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proxy_path, socket_path, NULL, MS_BIND | MS_REC, NULL) == -1)
+        if (bind_mount_fd_to_path(fd, socket_path))
                 errExit("mount bind");
-        free(proxy_fd_path);
         close(fd);
 }
 
@@ -478,7 +470,7 @@ void dbus_apply_policy(void) {
         create_empty_dir_as_root(RUN_DBUS_DIR, 0755);
 
         if (arg_dbus_user != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_USER_SOCKET, 0600);
 
                 if (arg_dbus_user == DBUS_POLICY_FILTER) {
                         assert(dbus_user_proxy_socket != NULL);
@@ -517,7 +509,7 @@ void dbus_apply_policy(void) {
         }
 
         if (arg_dbus_system != DBUS_POLICY_ALLOW) {
-                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0700);
+                create_empty_file_as_root(RUN_DBUS_SYSTEM_SOCKET, 0600);
 
                 if (arg_dbus_system == DBUS_POLICY_FILTER) {
                         assert(dbus_system_proxy_socket != NULL);
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index 5bcdcad37..ec482e2ea 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -153,19 +153,13 @@ void dhcp_start(void) {
         if (!any_dhcp())
                 return;
 
-        char *dhclient_path = RUN_MNT_DIR "/dhclient";;
+        char *dhclient_path = RUN_MNT_DIR "/dhclient";
         struct stat s;
         if (stat(dhclient_path, &s) == -1) {
-                dhclient_path = "/usr/sbin/dhclient";
-                if (stat(dhclient_path, &s) == -1) {
-                        fprintf(stderr, "Error: dhclient was not found.\n");
-                        exit(1);
-                }
+                fprintf(stderr, "Error: %s was not found.\n", dhclient_path);
+                exit(1);
         }
 
-        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
-        dhclient_path = RUN_MNT_DIR "/dhclient";
-
         EUID_ROOT();
         if (mkdir(RUN_DHCLIENT_DIR, 0700))
                 errExit("mkdir");
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 1c1ad4e97..545573c08 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -45,6 +45,15 @@
                 assert(s.st_gid == gid);\
                 assert((s.st_mode & 07777) == (mode));\
         } while (0)
+#define ASSERT_PERMS_AS_USER(file, uid, gid, mode) \
+        do { \
+                assert(file);\
+                struct stat s;\
+                if (stat_as_user(file, &s) == -1) errExit("stat");\
+                assert(s.st_uid == uid);\
+                assert(s.st_gid == gid);\
+                assert((s.st_mode & 07777) == (mode));\
+        } while (0)
 #define ASSERT_PERMS_FD(fd, uid, gid, mode) \
         do { \
                 struct stat s;\
@@ -147,6 +156,8 @@ typedef struct config_t {
 
         // filesystem
         ProfileEntry *profile;
+        ProfileEntry *profile_rebuild_etc;      // blacklist files in /etc directory used by fs_rebuild_etc()
+
 #define MAX_PROFILE_IGNORE 32
         char *profile_ignore[MAX_PROFILE_IGNORE];
         char *chrootdir;        // chroot directory
@@ -489,6 +500,7 @@ int macro_id(const char *name);
 void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
+long long unsigned parse_arg_size(char *str);
 void drop_privs(int nogroups);
 int mkpath_as_root(const char* path);
 void extract_command_name(int index, char **argv);
@@ -498,11 +510,14 @@ void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
 void set_nice(int inc);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
+char *realpath_as_user(const char *fname);
+int stat_as_user(const char *fname, struct stat *s);
+int lstat_as_user(const char *fname, struct stat *s);
 void trim_trailing_slash_or_dot(char *path);
 char *line_remove_spaces(const char *buf);
 char *split_comma(char *str);
@@ -526,11 +541,15 @@ unsigned extract_timeout(const char *str);
 void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 int safer_openat(int dirfd, const char *path, int flags);
+int remount_by_fd(int dst, unsigned long mountflags);
+int bind_mount_by_fd(int src, int dst);
+int bind_mount_path_to_fd(const char *srcname, int dst);
+int bind_mount_fd_to_path(int src, const char *destname);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
 pid_t require_pid(const char *name);
-void check_homedir(void);
+void check_homedir(const char *dir);
 
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.
@@ -608,7 +627,6 @@ void fs_trace(void);
 
 // fs_hostname.c
 void fs_hostname(const char *hostname);
-void fs_resolvconf(void);
 char *fs_check_hosts_file(const char *fname);
 void fs_store_hosts_file(void);
 void fs_mount_hosts_file(void);
@@ -651,6 +669,7 @@ void fs_machineid(void);
 void fs_private_dir_copy(const char *private_dir, const char *private_run_dir, const char *private_list);
 void fs_private_dir_mount(const char *private_dir, const char *private_run_dir);
 void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
+void fs_rebuild_etc(void);
 
 // no_sandbox.c
 int check_namespace_virt(void);
@@ -759,23 +778,25 @@ enum {
         CFG_NETWORK,
         CFG_RESTRICTED_NETWORK,
         CFG_FORCE_NONEWPRIVS,
-        CFG_WHITELIST,
         CFG_XEPHYR_WINDOW_TITLE,
         CFG_OVERLAYFS,
-        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_BIN,
         CFG_PRIVATE_BIN_NO_LOCAL,
+        CFG_PRIVATE_CACHE,
+        CFG_PRIVATE_ETC,
+        CFG_PRIVATE_HOME,
+        CFG_PRIVATE_LIB,
+        CFG_PRIVATE_OPT,
+        CFG_PRIVATE_SRV,
         CFG_FIREJAIL_PROMPT,
-        CFG_FOLLOW_SYMLINK_AS_USER,
         CFG_DISABLE_MNT,
         CFG_JOIN,
         CFG_ARP_PROBES,
         CFG_XPRA_ATTACH,
         CFG_BROWSER_DISABLE_U2F,
         CFG_BROWSER_ALLOW_DRM,
-        CFG_PRIVATE_LIB,
         CFG_APPARMOR,
         CFG_DBUS,
-        CFG_PRIVATE_CACHE,
         CFG_CGROUP,
         CFG_NAME_CHANGE,
         CFG_SECCOMP_ERROR_ACTION,
@@ -790,12 +811,14 @@ extern char *xvfb_extra_params;
 extern char *netfilter_default;
 extern unsigned long join_timeout;
 extern char *config_seccomp_error_action_str;
+extern char *config_seccomp_filter_add;
 extern char **whitelist_reject_topdirs;
 
 int checkcfg(int val);
 void print_compiletime_support(void);
 
 // appimage.c
+int appimage_find_profile(const char *archive);
 void appimage_set(const char *appimage_path);
 void appimage_mount(void);
 void appimage_clear(void);
@@ -804,8 +827,8 @@ void appimage_clear(void);
 long unsigned int appimage2_size(int fd);
 
 // cmdline.c
-void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
-void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index);
+void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes);
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, bool want_extra_quotes);
 
 // sbox.c
 // programs
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 09de11de9..5ac2da164 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/statvfs.h>
@@ -54,16 +55,10 @@ static char *opstr[] = {
         [MOUNT_RDWR_NOCHECK] = "read-write",
 };
 
-typedef enum {
-        UNSUCCESSFUL,
-        SUCCESSFUL
-} LAST_DISABLE_OPERATION;
-LAST_DISABLE_OPERATION last_disable = UNSUCCESSFUL;
-
 static void disable_file(OPERATION op, const char *filename) {
         assert(filename);
         assert(op <OPERATION_MAX);
-        last_disable = UNSUCCESSFUL;
+        EUID_ASSERT();
 
         // Resolve all symlinks
         char* fname = realpath(filename, NULL);
@@ -71,20 +66,24 @@ static void disable_file(OPERATION op, const char *filename) {
                 return;
         }
         if (fname == NULL && errno == EACCES) {
-                if (arg_debug)
-                        printf("Debug: no access to file %s, forcing mount\n", filename);
                 // realpath and stat functions will fail on FUSE filesystems
                 // they don't seem to like a uid of 0
                 // force mounting
-                int rv = mount(RUN_RO_DIR, filename, "none", MS_BIND, "mode=400,gid=0");
-                if (rv == 0)
-                        last_disable = SUCCESSFUL;
-                else {
-                        rv = mount(RUN_RO_FILE, filename, "none", MS_BIND, "mode=400,gid=0");
-                        if (rv == 0)
-                                last_disable = SUCCESSFUL;
+                int fd = open(filename, O_PATH|O_CLOEXEC);
+                if (fd < 0) {
+                        if (arg_debug)
+                                printf("Warning (blacklisting): cannot open %s: %s\n", filename, strerror(errno));
+                        return;
                 }
-                if (last_disable == SUCCESSFUL) {
+
+                EUID_ROOT();
+                int err = bind_mount_path_to_fd(RUN_RO_DIR, fd);
+                if (err != 0)
+                        err = bind_mount_path_to_fd(RUN_RO_FILE, fd);
+                EUID_USER();
+                close(fd);
+
+                if (err == 0) {
                         if (arg_debug)
                                 printf("Disable %s\n", filename);
                         if (op == BLACKLIST_FILE)
@@ -92,21 +91,18 @@ static void disable_file(OPERATION op, const char *filename) {
                         else
                                 fs_logger2("blacklist-nolog", filename);
                 }
-                else {
-                        if (arg_debug)
-                                printf("Warning (blacklisting): %s is an invalid file, skipping...\n", filename);
-                }
+                else if (arg_debug)
+                        printf("Warning (blacklisting): cannot mount on %s\n", filename);
 
                 return;
         }
 
         // if the file is not present, do nothing
+        assert(fname);
         struct stat s;
-        if (fname == NULL)
-                return;
-        if (stat(fname, &s) == -1) {
+        if (stat(fname, &s) < 0) {
                 if (arg_debug)
-                        fwarning("%s does not exist, skipping...\n", fname);
+                        printf("Warning (blacklisting): cannot access %s: %s\n", fname, strerror(errno));
                 free(fname);
                 return;
         }
@@ -115,8 +111,10 @@ static void disable_file(OPERATION op, const char *filename) {
         // we migth have a file found in ${PATH} pointing to /usr/bin/firejail
         // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
         //     and expects Firefox to open in the same sandbox
-        if (strcmp(BINDIR "/firejail", fname) == 0)
+        if (strcmp(BINDIR "/firejail", fname) == 0) {
+                free(fname);
                 return;
+        }
 
         // modify the file
         if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) {
@@ -141,40 +139,70 @@ static void disable_file(OPERATION op, const char *filename) {
                                         printf(" - no logging\n");
                         }
 
+                        int fd = open(fname, O_PATH|O_CLOEXEC);
+                        if (fd < 0) {
+                                if (arg_debug)
+                                        printf("Warning (blacklisting): cannot open %s: %s\n", fname, strerror(errno));
+                                free(fname);
+                                return;
+                        }
+                        EUID_ROOT();
                         if (S_ISDIR(s.st_mode)) {
-                                if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
                                         errExit("disable file");
                         }
                         else {
-                                if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0)
                                         errExit("disable file");
                         }
-                        last_disable = SUCCESSFUL;
+                        EUID_USER();
+                        close(fd);
+
                         if (op == BLACKLIST_FILE)
                                 fs_logger2("blacklist", fname);
                         else
                                 fs_logger2("blacklist-nolog", fname);
+
+                        // files in /etc will be reprocessed during /etc rebuild
+                        if (strncmp(fname, "/etc/", 5) == 0) {
+                                ProfileEntry *prf = malloc(sizeof(ProfileEntry));
+                                if (!prf)
+                                        errExit("malloc");
+                                memset(prf, 0, sizeof(ProfileEntry));
+                                prf->data = strdup(fname);
+                                if (!prf->data)
+                                        errExit("strdup");
+                                prf->next = cfg.profile_rebuild_etc;
+                                cfg.profile_rebuild_etc = prf;
+                        }
                 }
         }
         else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
                 fs_remount_rec(fname, op);
-                // todo: last_disable = SUCCESSFUL;
         }
         else if (op == MOUNT_TMPFS) {
-                if (S_ISDIR(s.st_mode)) {
-                        if (getuid()) {
-                                if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
-                                    fname[strlen(cfg.homedir)] != '/') {
-                                        fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-                                        exit(1);
-                                }
+                if (!S_ISDIR(s.st_mode)) {
+                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+                        free(fname);
+                        return;
+                }
+
+                uid_t uid = getuid();
+                if (uid != 0) {
+                        // only user owned directories in user home
+                        if (s.st_uid != uid ||
+                            strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                            fname[strlen(cfg.homedir)] != '/') {
+                                fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+                                free(fname);
+                                return;
                         }
-                        fs_tmpfs(fname, getuid());
-                        selinux_relabel_path(fname, fname);
-                        last_disable = SUCCESSFUL;
                 }
-                else
-                        fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+
+                fs_tmpfs(fname, uid);
+                EUID_USER(); // fs_tmpfs returns with EUID 0
+
+                selinux_relabel_path(fname, fname);
         }
         else
                 assert(0);
@@ -191,6 +219,7 @@ static int *nbcheck = NULL;
 // Treat pattern as a shell glob pattern and blacklist matching files
 static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) {
         assert(pattern);
+        EUID_ASSERT();
 
 #ifdef TEST_NO_BLACKLIST_MATCHING
         if (nbcheck_start == 0) {
@@ -264,6 +293,7 @@ void fs_blacklist(void) {
         if (noblacklist == NULL)
                 errExit("failed allocating memory for noblacklist entries");
 
+        EUID_USER();
         while (entry) {
                 OPERATION op = OPERATION_MAX;
                 char *ptr;
@@ -294,11 +324,13 @@ void fs_blacklist(void) {
                         if (arg_debug)
                                 printf("Mount-bind %s on top of %s\n", dname1, dname2);
                         // preserve dname2 mode and ownership
+                        // EUID_ROOT(); - option not accessible to non-root users
                         if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0)
                                 errExit("mount bind");
                         /* coverity[toctou] */
                         if (set_perms(dname2,  s.st_uid, s.st_gid,s.st_mode))
                                 errExit("set_perms");
+                        // EUID_USER();
 
                         entry = entry->next;
                         continue;
@@ -376,16 +408,12 @@ void fs_blacklist(void) {
                         op = MOUNT_TMPFS;
                 }
                 else if (strncmp(entry->data, "mkdir ", 6) == 0) {
-                        EUID_USER();
                         fs_mkdir(entry->data + 6);
-                        EUID_ROOT();
                         entry = entry->next;
                         continue;
                 }
                 else if (strncmp(entry->data, "mkfile ", 7) == 0) {
-                        EUID_USER();
                         fs_mkfile(entry->data + 7);
-                        EUID_ROOT();
                         entry = entry->next;
                         continue;
                 }
@@ -441,6 +469,8 @@ void fs_blacklist(void) {
         for (i = 0; i < noblacklist_c; i++)
                 free(noblacklist[i]);
         free(noblacklist);
+
+        EUID_ROOT();
 }
 
 //***********************************************
@@ -449,6 +479,7 @@ void fs_blacklist(void) {
 
 // mount a writable tmpfs on directory; requires a resolved path
 void fs_tmpfs(const char *dir, unsigned check_owner) {
+        EUID_USER();
         assert(dir);
         if (arg_debug)
                 printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
@@ -471,8 +502,9 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
         struct statvfs buf;
         if (fstatvfs(fd, &buf) == -1)
                 errExit("fstatvfs");
-        unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND);
+        unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
         // mount via the symbolic link in /proc/self/fd
+        EUID_ROOT();
         char *proc;
         if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                 errExit("asprintf");
@@ -490,38 +522,42 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
 
 // remount path, preserving other mount flags; requires a resolved path
 static void fs_remount_simple(const char *path, OPERATION op) {
+        EUID_ASSERT();
         assert(path);
 
         // open path without following symbolic links
-        int fd1 = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd1 == -1)
+        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (fd < 0)
                 goto out;
-        struct stat s1;
-        if (fstat(fd1, &s1) == -1) {
+
+        struct stat s;
+        if (fstat(fd, &s) < 0) {
                 // fstat can fail with EACCES if path is a FUSE mount,
                 // mounted without 'allow_root' or 'allow_other'
                 if (errno != EACCES)
                         errExit("fstat");
-                close(fd1);
+                close(fd);
                 goto out;
         }
         // get mount flags
         struct statvfs buf;
-        if (fstatvfs(fd1, &buf) == -1)
-                errExit("fstatvfs");
+        if (fstatvfs(fd, &buf) < 0) {
+                close(fd);
+                goto out;
+        }
         unsigned long flags = buf.f_flag;
 
         // read-write option
         if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) {
                 // nothing to do if there is no read-only flag
                 if ((flags & MS_RDONLY) == 0) {
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 // allow only user owned directories, except the user is root
-                if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s1.st_uid != getuid()) {
+                if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s.st_uid != getuid()) {
                         fwarning("you are not allowed to change %s to read-write\n", path);
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 flags &= ~MS_RDONLY;
@@ -530,7 +566,7 @@ static void fs_remount_simple(const char *path, OPERATION op) {
         else if (op == MOUNT_NOEXEC) {
                 // nothing to do if path is mounted noexec already
                 if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) {
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID;
@@ -539,7 +575,7 @@ static void fs_remount_simple(const char *path, OPERATION op) {
         else if (op == MOUNT_READONLY) {
                 // nothing to do if path is mounted read-only already
                 if ((flags & MS_RDONLY) == MS_RDONLY) {
-                        close(fd1);
+                        close(fd);
                         return;
                 }
                 flags |= MS_RDONLY;
@@ -549,29 +585,37 @@ static void fs_remount_simple(const char *path, OPERATION op) {
 
         if (arg_debug)
                 printf("Mounting %s %s\n", opstr[op], path);
+
+        // make path a mount point:
         // mount --bind path path
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd1) == -1)
-                errExit("asprintf");
-        if (mount(proc, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount");
-        free(proc);
+        EUID_ROOT();
+        int err = bind_mount_by_fd(fd, fd);
+        EUID_USER();
+        if (err) {
+                close(fd);
+                goto out;
+        }
 
-        // mount --bind -o remount,ro path
-        // need to open path again without following symbolic links
+        // remount the mount point
+        // need to open path again
         int fd2 = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd2 == -1)
-                errExit("open");
+        close(fd); // earliest timepoint to close fd
+        if (fd2 < 0)
+                goto out;
+
+        // device and inode number should be the same
         struct stat s2;
-        if (fstat(fd2, &s2) == -1)
+        if (fstat(fd2, &s2) < 0)
                 errExit("fstat");
-        // device and inode number should be the same
-        if (s1.st_dev != s2.st_dev || s1.st_ino != s2.st_ino)
+        if (s.st_dev != s2.st_dev || s.st_ino != s2.st_ino)
                 errLogExit("invalid %s mount", opstr[op]);
-        if (asprintf(&proc, "/proc/self/fd/%d", fd2) == -1)
-                errExit("asprintf");
-        if (mount(NULL, proc, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0)
-                errExit("mount");
+
+        EUID_ROOT();
+        err = remount_by_fd(fd2, flags);
+        EUID_USER();
+        close(fd2);
+        if (err)
+                goto out;
 
         // run a sanity check on /proc/self/mountinfo and confirm that target of the last
         // mount operation was path; if there are other mount points contained inside path,
@@ -582,10 +626,8 @@ static void fs_remount_simple(const char *path, OPERATION op) {
            (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
            && strcmp(path, "/") != 0) // support read-only=/
                 errLogExit("invalid %s mount", opstr[op]);
+
         fs_logger2(opstr[op], path);
-        free(proc);
-        close(fd1);
-        close(fd2);
         return;
 
 out:
@@ -594,7 +636,9 @@ out:
 
 // remount recursively; requires a resolved path
 static void fs_remount_rec(const char *dir, OPERATION op) {
+        EUID_ASSERT();
         assert(dir);
+
         struct stat s;
         if (stat(dir, &s) != 0)
                 return;
@@ -632,6 +676,14 @@ static void fs_remount_rec(const char *dir, OPERATION op) {
 // resolve a path and remount it
 void fs_remount(const char *path, OPERATION op, int rec) {
         assert(path);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
         char *rpath = realpath(path, NULL);
         if (rpath) {
                 if (rec)
@@ -640,10 +692,14 @@ void fs_remount(const char *path, OPERATION op, int rec) {
                         fs_remount_simple(rpath, op);
                 free(rpath);
         }
+
+        if (called_as_root)
+                EUID_ROOT();
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
 void fs_mnt(const int enforce) {
+        EUID_USER();
         if (enforce) {
                 // disable-mnt set in firejail.config
                 // overriding with noblacklist is not possible in this case
@@ -653,13 +709,12 @@ void fs_mnt(const int enforce) {
                 disable_file(BLACKLIST_FILE, "/run/media");
         }
         else {
-                EUID_USER();
                 profile_add("blacklist /mnt");
                 profile_add("blacklist /media");
                 profile_add("blacklist /run/mount");
                 profile_add("blacklist /run/media");
-                EUID_ROOT();
         }
+        EUID_ROOT();
 }
 
 
@@ -674,7 +729,6 @@ void fs_proc_sys_dev_boot(void) {
                 errExit("mounting /proc/sys");
         fs_logger("read-only /proc/sys");
 
-
         /* Mount a version of /sys that describes the network namespace */
         if (arg_debug)
                 printf("Remounting /sys directory\n");
@@ -689,13 +743,13 @@ void fs_proc_sys_dev_boot(void) {
         else
                 fs_logger("remount /sys");
 
+        EUID_USER();
+
         disable_file(BLACKLIST_FILE, "/sys/firmware");
         disable_file(BLACKLIST_FILE, "/sys/hypervisor");
         { // allow user access to some directories in /sys/ by specifying 'noblacklist' option
-                EUID_USER();
                 profile_add("blacklist /sys/fs");
                 profile_add("blacklist /sys/module");
-                EUID_ROOT();
         }
         disable_file(BLACKLIST_FILE, "/sys/power");
         disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
@@ -739,12 +793,8 @@ void fs_proc_sys_dev_boot(void) {
         // disable /dev/port
         disable_file(BLACKLIST_FILE, "/dev/port");
 
-
-
         // disable various ipc sockets in /run/user
         if (!arg_writable_run_user) {
-                struct stat s;
-
                 char *fname;
                 if (asprintf(&fname, "/run/user/%d", getuid()) == -1)
                         errExit("asprintf");
@@ -755,8 +805,7 @@ void fs_proc_sys_dev_boot(void) {
                                 errExit("asprintf");
                         if (create_empty_dir_as_user(fnamegpg, 0700))
                                 fs_logger2("create", fnamegpg);
-                        if (stat(fnamegpg, &s) == 0)
-                                disable_file(BLACKLIST_FILE, fnamegpg);
+                        disable_file(BLACKLIST_FILE, fnamegpg);
                         free(fnamegpg);
 
                         // disable /run/user/{uid}/systemd
@@ -765,8 +814,7 @@ void fs_proc_sys_dev_boot(void) {
                                 errExit("asprintf");
                         if (create_empty_dir_as_user(fnamesysd, 0755))
                                 fs_logger2("create", fnamesysd);
-                        if (stat(fnamesysd, &s) == 0)
-                                disable_file(BLACKLIST_FILE, fnamesysd);
+                        disable_file(BLACKLIST_FILE, fnamesysd);
                         free(fnamesysd);
                 }
                 free(fname);
@@ -777,35 +825,30 @@ void fs_proc_sys_dev_boot(void) {
                 disable_file(BLACKLIST_FILE, "/dev/kmsg");
                 disable_file(BLACKLIST_FILE, "/proc/kmsg");
         }
+
+        EUID_ROOT();
 }
 
 // disable firejail configuration in ~/.config/firejail
 void disable_config(void) {
-        struct stat s;
-
+        EUID_USER();
         char *fname;
         if (asprintf(&fname, "%s/.config/firejail", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (stat(fname, &s) == 0)
-                disable_file(BLACKLIST_FILE, fname);
+        disable_file(BLACKLIST_FILE, fname);
         free(fname);
 
         // disable run time information
-        if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
-        if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
-        if (stat(RUN_FIREJAIL_NAME_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
-        if (stat(RUN_FIREJAIL_PROFILE_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
-        if (stat(RUN_FIREJAIL_X11_DIR, &s) == 0)
-                disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_BANDWIDTH_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NAME_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_PROFILE_DIR);
+        disable_file(BLACKLIST_FILE, RUN_FIREJAIL_X11_DIR);
+        EUID_ROOT();
 }
 
 
 // build a basic read-only filesystem
-// top level directories could be links, run no after-mount checks
 void fs_basic_fs(void) {
         uid_t uid = getuid();
 
@@ -815,6 +858,7 @@ void fs_basic_fs(void) {
         if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mounting /proc");
 
+        EUID_USER();
         if (arg_debug)
                 printf("Basic read-only filesystem:\n");
         if (!arg_writable_etc) {
@@ -834,6 +878,7 @@ void fs_basic_fs(void) {
         fs_remount("/lib64", MOUNT_READONLY, 1);
         fs_remount("/lib32", MOUNT_READONLY, 1);
         fs_remount("/libx32", MOUNT_READONLY, 1);
+        EUID_ROOT();
 
         // update /var directory in order to support multiple sandboxes running on the same root directory
         fs_var_lock();
@@ -862,6 +907,7 @@ void fs_basic_fs(void) {
 #ifdef HAVE_OVERLAYFS
 char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
         assert(subdirname);
+        EUID_ASSERT();
         struct stat s;
         char *dirname;
 
@@ -1177,9 +1223,8 @@ void fs_overlayfs(void) {
         fs_logger("whitelist /tmp");
 
         // chroot in the new filesystem
-#ifdef HAVE_GCOV
         __gcov_flush();
-#endif
+
         if (chroot(oroot) == -1)
                 errExit("chroot");
 
@@ -1221,6 +1266,7 @@ void fs_overlayfs(void) {
 
 // this function is called from sandbox.c before blacklist/whitelist functions
 void fs_private_tmp(void) {
+        EUID_ASSERT();
         if (arg_debug)
                 printf("Generate private-tmp whitelist commands\n");
 
@@ -1241,8 +1287,11 @@ void fs_private_tmp(void) {
 
         // whitelist x11 directory
         profile_add("whitelist /tmp/.X11-unix");
-        // read-only x11 directory
-        profile_add("read-only /tmp/.X11-unix");
+        // read-only x11 directory
+        profile_add("read-only /tmp/.X11-unix");
+
+        // whitelist sndio directory
+        profile_add("whitelist /tmp/sndio");
 
         // whitelist any pulse* file in /tmp directory
         // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 8c2870a4d..8cc3ecc62 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -187,8 +187,10 @@ static void mount_dev_shm(void) {
 static void process_dev_shm(void) {
         // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)
         // looking for jack socket
+        EUID_USER();
         glob_t globbuf;
         int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        EUID_ROOT();
         if (globerr && !arg_keep_dev_shm) {
                 empty_dev_shm();
                 return;
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index b0e1e1bf1..76054b485 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -24,6 +24,7 @@
 #include <sys/types.h>
 #include <time.h>
 #include <unistd.h>
+#include <dirent.h>
 
 // spoof /etc/machine_id
 void fs_machineid(void) {
@@ -250,3 +251,128 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
         fs_private_dir_mount(private_dir, private_run_dir);
         fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }
+
+void fs_rebuild_etc(void) {
+        int have_dhcp = 1;
+        if (cfg.dns1 == NULL && !any_dhcp())
+                have_dhcp = 0;
+
+        if (arg_debug)
+                printf("rebuilding /etc directory\n");
+        if (mkdir(RUN_DNS_ETC, 0755))
+                errExit("mkdir");
+        selinux_relabel_path(RUN_DNS_ETC, "/etc");
+        fs_logger("tmpfs /etc");
+
+        DIR *dir = opendir("/etc");
+        if (!dir)
+                errExit("opendir");
+
+        struct stat s;
+        struct dirent *entry;
+        while ((entry = readdir(dir))) {
+                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                        continue;
+
+                // skip files in cfg.profile_rebuild_etc list
+                // these files are already blacklisted
+                {
+                        ProfileEntry *prf = cfg.profile_rebuild_etc;
+                        int found = 0;
+                        while (prf) {
+                                if (strcmp(entry->d_name, prf->data + 5) == 0) { // 5 is strlen("/etc/")
+                                        found = 1;
+                                        break;
+                                }
+                                prf = prf->next;
+                        }
+                        if (found)
+                                continue;
+                }
+
+                // for resolv.conf we might have to  create a brand new file later
+                if (have_dhcp &&
+                    (strcmp(entry->d_name, "resolv.conf") == 0 ||
+                     strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0))
+                        continue;
+//              printf("linking %s\n", entry->d_name);
+
+                char *src;
+                if (asprintf(&src, "/etc/%s", entry->d_name) == -1)
+                        errExit("asprintf");
+                if (stat(src, &s) != 0) {
+                        free(src);
+                        continue;
+                }
+
+                char *dest;
+                if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1)
+                        errExit("asprintf");
+
+                int symlink_done = 0;
+                if (is_link(src)) {
+                        char *rp =realpath(src, NULL);
+                        if (rp == NULL) {
+                                free(src);
+                                free(dest);
+                                continue;
+                        }
+                        if (symlink(rp, dest))
+                                errExit("symlink");
+                        else
+                                symlink_done = 1;
+                }
+                else if (S_ISDIR(s.st_mode))
+                        create_empty_dir_as_root(dest, s.st_mode);
+                else
+                        create_empty_file_as_root(dest, s.st_mode);
+
+                // bind-mount src on top of dest
+                if (!symlink_done) {
+                        if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind mirroring /etc");
+                }
+                fs_logger2("clone", src);
+
+                free(src);
+                free(dest);
+        }
+        closedir(dir);
+
+        // mount bind our private etc directory on top of /etc
+        if (arg_debug)
+                printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC);
+        if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind mirroring /etc");
+        fs_logger("mount /etc");
+
+        if (have_dhcp == 0)
+                return;
+
+        if (arg_debug)
+                printf("Creating a new /etc/resolv.conf file\n");
+        FILE *fp = fopen("/etc/resolv.conf", "wxe");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
+                exit(1);
+        }
+
+        if (cfg.dns1) {
+                if (any_dhcp())
+                        fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
+                fprintf(fp, "nameserver %s\n", cfg.dns1);
+        }
+        if (cfg.dns2)
+                fprintf(fp, "nameserver %s\n", cfg.dns2);
+        if (cfg.dns3)
+                fprintf(fp, "nameserver %s\n", cfg.dns3);
+        if (cfg.dns4)
+                fprintf(fp, "nameserver %s\n", cfg.dns4);
+
+        // mode and owner
+        SET_PERMS_STREAM(fp, 0, 0, 0644);
+
+        fclose(fp);
+
+        fs_logger("create /etc/resolv.conf");
+}
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 4bcefa443..0ed476063 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -34,24 +34,24 @@
 #define O_PATH 010000000
 #endif
 
-static void skel(const char *homedir, uid_t u, gid_t g) {
-        char *fname;
+static void skel(const char *homedir) {
+        EUID_ASSERT();
 
         // zsh
         if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.zshrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user
+                if (access("/etc/skel/.zshrc", R_OK) == 0) {
+                        copy_file_as_user("/etc/skel/.zshrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.zshrc");
                         fs_logger2("clone", fname);
                 }
@@ -65,19 +65,18 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
         // csh
         else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
-
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.cshrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user
+                if (access("/etc/skel/.cshrc", R_OK) == 0) {
+                        copy_file_as_user("/etc/skel/.cshrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.cshrc");
                         fs_logger2("clone", fname);
                 }
@@ -91,18 +90,18 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
         // bash etc.
         else {
                 // copy skel files
+                char *fname;
                 if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                         errExit("asprintf");
-                struct stat s;
                 // don't copy it if we already have the file
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         return;
-                if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
+                if (is_link(fname)) { // access(3) on dangling symlinks fails, try again using lstat
                         fprintf(stderr, "Error: invalid %s file\n", fname);
                         exit(1);
                 }
-                if (stat("/etc/skel/.bashrc", &s) == 0) {
-                        copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user
+                if (access("/etc/skel/.bashrc", R_OK) == 0) {
+                        copy_file_as_user("/etc/skel/.bashrc", fname, 0644); // regular user
                         fs_logger("clone /etc/skel/.bashrc");
                         fs_logger2("clone", fname);
                 }
@@ -112,6 +111,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 }
 
 static int store_xauthority(void) {
+        EUID_ASSERT();
         if (arg_x11_block)
                 return 0;
 
@@ -122,14 +122,15 @@ static int store_xauthority(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(src, &s) == 0) {
-                if (is_link(src)) {
+        if (lstat(src, &s) == 0) {
+                if (S_ISLNK(s.st_mode)) {
                         fwarning("invalid .Xauthority file\n");
                         free(src);
                         return 0;
                 }
 
                 // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                 FILE *fp = fopen(dest, "we");
                 if (fp) {
                         fprintf(fp, "\n");
@@ -138,10 +139,11 @@ static int store_xauthority(void) {
                 }
                 else
                         errExit("fopen");
+                EUID_USER();
 
-                copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
-                fs_logger2("clone", dest);
+                copy_file_as_user(src, dest, 0600); // regular user
                 selinux_relabel_path(dest, src);
+                fs_logger2("clone", dest);
                 free(src);
                 return 1; // file copied
         }
@@ -151,6 +153,7 @@ static int store_xauthority(void) {
 }
 
 static int store_asoundrc(void) {
+        EUID_ASSERT();
         if (arg_nosound)
                 return 0;
 
@@ -161,11 +164,11 @@ static int store_asoundrc(void) {
                 errExit("asprintf");
 
         struct stat s;
-        if (stat(src, &s) == 0) {
-                if (is_link(src)) {
+        if (lstat(src, &s) == 0) {
+                if (S_ISLNK(s.st_mode)) {
                         // make sure the real path of the file is inside the home directory
                         /* coverity[toctou] */
-                        char* rp = realpath(src, NULL);
+                        char *rp = realpath(src, NULL);
                         if (!rp) {
                                 fprintf(stderr, "Error: Cannot access %s\n", src);
                                 exit(1);
@@ -178,6 +181,7 @@ static int store_asoundrc(void) {
                 }
 
                 // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                 FILE *fp = fopen(dest, "we");
                 if (fp) {
                         fprintf(fp, "\n");
@@ -186,10 +190,11 @@ static int store_asoundrc(void) {
                 }
                 else
                         errExit("fopen");
+                EUID_USER();
 
-                copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
-                selinux_relabel_path(dest, src);
+                copy_file_as_user(src, dest, 0644); // regular user
                 fs_logger2("clone", dest);
+                selinux_relabel_path(dest, src);
                 free(src);
                 return 1; // file copied
         }
@@ -199,6 +204,7 @@ static int store_asoundrc(void) {
 }
 
 static void copy_xauthority(void) {
+        EUID_ASSERT();
         // copy XAUTHORITY_FILE in the new home directory
         char *src = RUN_XAUTHORITY_FILE ;
         char *dest;
@@ -211,16 +217,18 @@ static void copy_xauthority(void) {
                 exit(1);
         }
 
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
         fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
         free(dest);
 
-        // delete the temporary file
-        unlink(src);
+        EUID_ROOT();
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 
 static void copy_asoundrc(void) {
+        EUID_ASSERT();
         // copy ASOUNDRC_FILE in the new home directory
         char *src = RUN_ASOUNDRC_FILE ;
         char *dest;
@@ -233,12 +241,14 @@ static void copy_asoundrc(void) {
                 exit(1);
         }
 
-        copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
         fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
         free(dest);
 
-        // delete the temporary file
-        unlink(src);
+        EUID_ROOT();
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 
 // private mode (--private=homedir):
@@ -251,13 +261,14 @@ void fs_private_homedir(void) {
         char *private_homedir = cfg.home_private;
         assert(homedir);
         assert(private_homedir);
+        EUID_ASSERT();
+
+        uid_t u = getuid();
+        // gid_t g = getgid();
 
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
-        uid_t u = getuid();
-        gid_t g = getgid();
-
         // mount bind private_homedir on top of homedir
         if (arg_debug)
                 printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
@@ -286,17 +297,11 @@ void fs_private_homedir(void) {
                 exit(1);
         }
         // mount via the links in /proc/self/fd
-        char *proc_src, *proc_dst;
-        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
+        EUID_ROOT();
+        if (bind_mount_by_fd(src, dst))
                 errExit("mount bind");
-        free(proc_src);
-        free(proc_dst);
-        close(src);
-        close(dst);
+        EUID_USER();
+
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         size_t len = strlen(homedir);
@@ -304,6 +309,8 @@ void fs_private_homedir(void) {
            (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/'))
                 errLogExit("invalid private mount");
 
+        close(src);
+        close(dst);
         fs_logger3("mount-bind", private_homedir, homedir);
         fs_logger2("whitelist", homedir);
 // preserve mode and ownership
@@ -312,6 +319,7 @@ void fs_private_homedir(void) {
 //      if (chmod(homedir, s.st_mode) == -1)
 //              errExit("mount-bind chmod");
 
+        EUID_ROOT();
         if (u != 0) {
                 // mask /root
                 if (arg_debug)
@@ -330,8 +338,9 @@ void fs_private_homedir(void) {
                 selinux_relabel_path("/home", "/home");
                 fs_logger("tmpfs /home");
         }
+        EUID_USER();
 
-        skel(homedir, u, g);
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -346,12 +355,15 @@ void fs_private_homedir(void) {
 void fs_private(void) {
         char *homedir = cfg.homedir;
         assert(homedir);
+        EUID_ASSERT();
+
         uid_t u = getuid();
         gid_t g = getgid();
 
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
+        EUID_ROOT();
         // mask /root
         if (arg_debug)
                 printf("Mounting a new /root directory\n");
@@ -394,8 +406,9 @@ void fs_private(void) {
 
                 selinux_relabel_path(homedir, homedir);
         }
+        EUID_USER();
 
-        skel(homedir, u, g);
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
@@ -438,6 +451,7 @@ void fs_check_private_cwd(const char *dir) {
 // --private-home
 //***********************************************************************************
 static char *check_dir_or_file(const char *name) {
+        EUID_ASSERT();
         assert(name);
 
         // basic checks
@@ -498,6 +512,7 @@ errexit:
 }
 
 static void duplicate(char *name) {
+        EUID_ASSERT();
         char *fname = check_dir_or_file(name);
 
         if (arg_debug)
@@ -535,28 +550,31 @@ static void duplicate(char *name) {
 //      set skel files,
 //      restore .Xauthority
 void fs_private_home_list(void) {
-        timetrace_start();
-
         char *homedir = cfg.homedir;
         char *private_list = cfg.home_private_keep;
         assert(homedir);
         assert(private_list);
+        EUID_ASSERT();
 
-        int xflag = store_xauthority();
-        int aflag = store_asoundrc();
+        timetrace_start();
 
         uid_t uid = getuid();
         gid_t gid = getgid();
 
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
+
         // create /run/firejail/mnt/home directory
+        EUID_ROOT();
         mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
         selinux_relabel_path(RUN_HOME_DIR, homedir);
+
         fs_logger_print();      // save the current log
+        EUID_USER();
 
+        // copy the list of files in the new home directory
         if (arg_debug)
                 printf("Copying files in the new home:\n");
-
-        // copy the list of files in the new home directory
         char *dlist = strdup(cfg.home_private_keep);
         if (!dlist)
                 errExit("strdup");
@@ -589,24 +607,19 @@ void fs_private_home_list(void) {
                 exit(1);
         }
         // mount using the file descriptor
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_HOME_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+        EUID_ROOT();
+        if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))
                 errExit("mount bind");
-        free(proc);
+        EUID_USER();
         close(fd);
+
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         if (strcmp(mptr->dir, homedir) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                 errLogExit("invalid private-home mount");
         fs_logger2("tmpfs", homedir);
 
-        // mask RUN_HOME_DIR, it is writable and not noexec
-        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mounting tmpfs");
-        fs_logger2("tmpfs", RUN_HOME_DIR);
-
+        EUID_ROOT();
         if (uid != 0) {
                 // mask /root
                 if (arg_debug)
@@ -626,7 +639,12 @@ void fs_private_home_list(void) {
                 fs_logger("tmpfs /home");
         }
 
-        skel(homedir, uid, gid);
+        // mask RUN_HOME_DIR, it is writable and not noexec
+        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        EUID_USER();
+
+        skel(homedir);
         if (xflag)
                 copy_xauthority();
         if (aflag)
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 80046f7ae..1a9a78ceb 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -88,109 +88,6 @@ errexit:
         exit(1);
 }
 
-void fs_resolvconf(void) {
-        if (cfg.dns1 == NULL && !any_dhcp())
-                return;
-
-        if (arg_debug)
-                printf("mirroring /etc directory\n");
-        if (mkdir(RUN_DNS_ETC, 0755))
-                errExit("mkdir");
-        selinux_relabel_path(RUN_DNS_ETC, "/etc");
-        fs_logger("tmpfs /etc");
-
-        DIR *dir = opendir("/etc");
-        if (!dir)
-                errExit("opendir");
-
-        struct stat s;
-        struct dirent *entry;
-        while ((entry = readdir(dir))) {
-                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
-                        continue;
-                // for resolv.conf we create a brand new file
-                if (strcmp(entry->d_name, "resolv.conf") == 0 ||
-        strcmp(entry->d_name, "resolv.conf.dhclient-new") == 0)
-                        continue;
-//              printf("linking %s\n", entry->d_name);
-
-                char *src;
-                if (asprintf(&src, "/etc/%s", entry->d_name) == -1)
-                        errExit("asprintf");
-                if (stat(src, &s) != 0) {
-                        free(src);
-                        continue;
-                }
-
-                char *dest;
-                if (asprintf(&dest, "%s/%s", RUN_DNS_ETC, entry->d_name) == -1)
-                        errExit("asprintf");
-
-                int symlink_done = 0;
-                if (is_link(src)) {
-                        char *rp =realpath(src, NULL);
-                        if (rp == NULL) {
-                                free(src);
-                                free(dest);
-                                continue;
-                        }
-                        if (symlink(rp, dest))
-                                errExit("symlink");
-                        else
-                                symlink_done = 1;
-                }
-                else if (S_ISDIR(s.st_mode))
-                        create_empty_dir_as_root(dest, s.st_mode);
-                else
-                        create_empty_file_as_root(dest, s.st_mode);
-
-                // bind-mount src on top of dest
-                if (!symlink_done) {
-                        if (mount(src, dest, NULL, MS_BIND|MS_REC, NULL) < 0)
-                                errExit("mount bind mirroring /etc");
-                }
-                fs_logger2("clone", src);
-
-                free(src);
-                free(dest);
-        }
-        closedir(dir);
-
-        // mount bind our private etc directory on top of /etc
-        if (arg_debug)
-                printf("Mount-bind %s on top of /etc\n", RUN_DNS_ETC);
-        if (mount(RUN_DNS_ETC, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mount bind mirroring /etc");
-        fs_logger("mount /etc");
-
-        if (arg_debug)
-                printf("Creating a new /etc/resolv.conf file\n");
-        FILE *fp = fopen("/etc/resolv.conf", "wxe");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot create /etc/resolv.conf file\n");
-                exit(1);
-        }
-
-        if (cfg.dns1) {
-                if (any_dhcp())
-                        fwarning("network setup uses DHCP, nameservers will likely be overwritten\n");
-                fprintf(fp, "nameserver %s\n", cfg.dns1);
-        }
-        if (cfg.dns2)
-                fprintf(fp, "nameserver %s\n", cfg.dns2);
-        if (cfg.dns3)
-                fprintf(fp, "nameserver %s\n", cfg.dns3);
-        if (cfg.dns4)
-                fprintf(fp, "nameserver %s\n", cfg.dns4);
-
-        // mode and owner
-        SET_PERMS_STREAM(fp, 0, 0, 0644);
-
-        fclose(fp);
-
-        fs_logger("create /etc/resolv.conf");
-}
-
 char *fs_check_hosts_file(const char *fname) {
         assert(fname);
         invalid_filename(fname, 0); // no globbing
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 5df356d04..9d7a17cf3 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -178,8 +178,7 @@ void fslib_mount(const char *full_path) {
 
         if (*full_path == '\0' ||
             !valid_full_path(full_path) ||
-            access(full_path, F_OK) != 0 ||
-            stat(full_path, &s) != 0 ||
+            stat_as_user(full_path, &s) != 0 ||
             s.st_uid != 0)
                 return;
 
@@ -203,7 +202,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
         }
 
         if (arg_debug || arg_debug_private_lib)
-                printf("    fslib_mount_libs %s (parse as %s)\n", full_path, user ? "user" : "root");
+                printf("    fslib_mount_libs %s\n", full_path);
         // create an empty RUN_LIB_FILE and allow the user to write to it
         unlink(RUN_LIB_FILE);                     // in case is there
         create_empty_file_as_root(RUN_LIB_FILE, 0644);
@@ -212,7 +211,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
 
         // run fldd to extract the list of files
         if (arg_debug || arg_debug_private_lib)
-                printf("    running fldd %s\n", full_path);
+                printf("    running fldd %s as %s\n", full_path, user ? "user" : "root");
         unsigned mask;
         if (user)
                 mask = SBOX_USER;
@@ -246,7 +245,7 @@ static void load_library(const char *fname) {
 
         // existing file owned by root
         struct stat s;
-        if (!access(fname, F_OK) && stat(fname, &s) == 0 && s.st_uid == 0) {
+        if (stat_as_user(fname, &s) == 0 && s.st_uid == 0) {
                 // load directories, regular 64 bit libraries, and 64 bit executables
                 if (S_ISDIR(s.st_mode))
                         fslib_mount(fname);
@@ -286,19 +285,21 @@ static void install_list_entry(const char *lib) {
 #define DO_GLOBBING
 #ifdef DO_GLOBBING
                 // globbing
+                EUID_USER();
                 glob_t globbuf;
                 int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
                 if (globerr) {
                         fprintf(stderr, "Error: failed to glob private-lib pattern %s\n", fname);
                         exit(1);
                 }
+                EUID_ROOT();
                 size_t j;
                 for (j = 0; j < globbuf.gl_pathc; j++) {
                         assert(globbuf.gl_pathv[j]);
 //printf("glob %s\n", globbuf.gl_pathv[j]);
                         // GLOB_NOCHECK - no pattern matched returns the original pattern; try to load it anyway
 
-                        // foobar/* includes foobar/. and foobar/..
+                        // foobar/* expands to foobar/. and foobar/..
                         const char *base = gnu_basename(globbuf.gl_pathv[j]);
                         if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
                                 continue;
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 8cfeea582..4983db0a0 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
@@ -25,7 +26,6 @@
 #include <sys/wait.h>
 #include <string.h>
 
-
 static void check(const char *fname) {
         // manufacture /run/user directory
         char *runuser;
@@ -95,9 +95,9 @@ void fs_mkdir(const char *name) {
 
                 // create directory
                 mkdir_recursive(expanded);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 1fc38361e..475a391ec 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -71,12 +71,8 @@ void fs_tracefile(void) {
         // mount using the symbolic link in /proc/self/fd
         if (arg_debug)
                 printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(fd, RUN_TRACE_FILE))
                 errExit("mount bind " RUN_TRACE_FILE);
-        free(proc);
         close(fd);
         // now that RUN_TRACE_FILE is user-writable, mount it noexec
         fs_remount(RUN_TRACE_FILE, MOUNT_NOEXEC, 0);
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index bae3d6df0..20e262d80 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -323,4 +323,8 @@ void fs_var_utmp(void) {
         if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mount bind utmp");
         fs_logger2("create", UTMP_FILE);
+
+        // blacklist RUN_UTMP_FILE
+        if (mount(RUN_RO_FILE, RUN_UTMP_FILE, NULL, MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount bind");
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index c7dbe6496..943f275de 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -104,21 +104,19 @@ static int whitelist_mkpath(const char* path, mode_t mode) {
         return fd;
 }
 
-static void whitelist_file(int dirfd, const char *topdir, const char *relpath, const char *path) {
-        assert(topdir && relpath && path);
-
-        if (arg_debug || arg_debug_whitelists)
-                printf("Debug %d: dirfd: %d; topdir: %s; relpath: %s; path: %s\n", __LINE__, dirfd, topdir, relpath, path);
+static void whitelist_file(int dirfd, const char *relpath, const char *path) {
+        assert(relpath && path);
 
         // open mount source, using a file descriptor that refers to the
         // top level directory
         // as the top level directory was opened before mounting the tmpfs
         // we still have full access to all directory contents
-        // take care to not follow symbolic links
+        // take care to not follow symbolic links (dirfd was obtained without
+        // following a link, too)
         int fd = safer_openat(dirfd, relpath, O_PATH|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1) {
                 if (arg_debug || arg_debug_whitelists)
-                        printf("Debug %d: skip whitelisting of %s\n", __LINE__, path);
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                 return;
         }
         struct stat s;
@@ -126,14 +124,15 @@ static void whitelist_file(int dirfd, const char *topdir, const char *relpath, c
                 errExit("fstat");
         if (S_ISLNK(s.st_mode)) {
                 if (arg_debug || arg_debug_whitelists)
-                        printf("Debug %d: skip whitelisting of %s\n", __LINE__, path);
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                 close(fd);
                 return;
         }
 
         // create mount target as root, except if inside home or run/user/$UID directory
         int userprivs = 0;
-        if (strcmp(topdir, cfg.homedir) == 0 || strcmp(topdir, runuser) == 0) {
+        if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') ||
+            (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) {
                 EUID_USER();
                 userprivs = 1;
         }
@@ -145,7 +144,7 @@ static void whitelist_file(int dirfd, const char *topdir, const char *relpath, c
                 // if there is a symlink somewhere in the path of the mount target,
                 // assume the file is whitelisted already
                 if (arg_debug || arg_debug_whitelists)
-                        printf("Debug %d: skip whitelisting of %s\n", __LINE__, path);
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                 close(fd);
                 if (userprivs)
                         EUID_ROOT();
@@ -163,7 +162,7 @@ static void whitelist_file(int dirfd, const char *topdir, const char *relpath, c
                 if (mkdirat(fd2, file, 0755) == -1 && errno != EEXIST) {
                         if (arg_debug || arg_debug_whitelists) {
                                 perror("mkdir");
-                                printf("Debug %d: skip whitelisting of %s\n", __LINE__, path);
+                                printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                         }
                         close(fd);
                         close(fd2);
@@ -181,7 +180,7 @@ static void whitelist_file(int dirfd, const char *topdir, const char *relpath, c
         if (fd3 == -1) {
                 if (errno != EEXIST && (arg_debug || arg_debug_whitelists)) {
                         perror("open");
-                        printf("Debug %d: skip whitelisting of %s\n", __LINE__, path);
+                        printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                 }
                 close(fd);
                 close(fd2);
@@ -196,15 +195,7 @@ static void whitelist_file(int dirfd, const char *topdir, const char *relpath, c
 
         if (arg_debug || arg_debug_whitelists)
                 printf("Whitelisting %s\n", path);
-
-        // in order to make this mount resilient against symlink attacks, use
-        // magic links in /proc/self/fd instead of mounting the paths directly
-        char *proc_src, *proc_dst;
-        if (asprintf(&proc_src, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", fd3) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_BIND | MS_REC, NULL) < 0)
+        if (bind_mount_by_fd(fd, fd3))
                 errExit("mount bind");
         // check the last mount operation
         MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
@@ -222,22 +213,18 @@ static void whitelist_file(int dirfd, const char *topdir, const char *relpath, c
         //  - there should be more than one '/' char in dest string
         if (mptr->dir == strrchr(mptr->dir, '/'))
                 errLogExit("invalid whitelist mount");
-        free(proc_src);
-        free(proc_dst);
         close(fd);
         close(fd3);
         fs_logger2("whitelist", path);
 }
 
-static void whitelist_symlink(const char *topdir, const char *link, const char *target) {
-        assert(topdir && link && target);
-
-        if (arg_debug || arg_debug_whitelists)
-                printf("Debug %d: topdir: %s; link: %s; target: %s\n", __LINE__, topdir, link, target);
+static void whitelist_symlink(const char *link, const char *target) {
+        assert(link && target);
 
         // create files as root, except if inside home or run/user/$UID directory
         int userprivs = 0;
-        if (strcmp(topdir, cfg.homedir) == 0 || strcmp(topdir, runuser) == 0) {
+        if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') ||
+            (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) {
                 EUID_USER();
                 userprivs = 1;
         }
@@ -270,6 +257,7 @@ static void whitelist_symlink(const char *topdir, const char *link, const char *
 }
 
 static void globbing(const char *pattern) {
+        EUID_ASSERT();
         assert(pattern);
 
         // globbing
@@ -313,7 +301,10 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
 
         int i;
         for (i = 0; i < TOP_MAX && topdirs[i].path; i++) {
-                // do user home and /run/user/$UID last
+                // do nested top level directories last
+                // this way '--whitelist=nested_top_level_dir'
+                // yields the full, unmodified directory
+                // instead of the tmpfs
                 if (strcmp(topdirs[i].path, cfg.homedir) == 0) {
                         tmpfs_home = 1;
                         continue;
@@ -334,25 +325,22 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
 
                 // mount tmpfs
                 fs_tmpfs(topdirs[i].path, 0);
+                selinux_relabel_path(topdirs[i].path, topdirs[i].path);
 
                 // init tmpfs
                 if (strcmp(topdirs[i].path, "/run") == 0) {
                         // restore /run/firejail directory
                         if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1)
                                 errExit("mkdir");
-                        char *proc;
-                        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                                errExit("asprintf");
-                        if (mount(proc, RUN_FIREJAIL_DIR, NULL, MS_BIND | MS_REC, NULL) < 0)
+                        if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR))
                                 errExit("mount bind");
-                        free(proc);
                         close(fd);
                         fs_logger2("whitelist", RUN_FIREJAIL_DIR);
 
                         // restore /run/user/$UID directory
                         // get path relative to /run
                         const char *rel = runuser + 5;
-                        whitelist_file(topdirs[i].fd, topdirs[i].path, rel, runuser);
+                        whitelist_file(topdirs[i].fd, rel, runuser);
                 }
                 else if (strcmp(topdirs[i].path, "/tmp") == 0) {
                         // fix pam-tmpdir (#2685)
@@ -376,19 +364,21 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
 
                 // restore user home directory if it is masked by the tmpfs
                 // creates path owned by root
+                // does nothing if user home directory doesn't exist
                 size_t topdir_len = strlen(topdirs[i].path);
                 if (strncmp(topdirs[i].path, cfg.homedir, topdir_len) == 0 && cfg.homedir[topdir_len] == '/') {
                         // get path relative to top level directory
                         const char *rel = cfg.homedir + topdir_len + 1;
-                        whitelist_file(topdirs[i].fd, topdirs[i].path, rel, cfg.homedir);
+                        whitelist_file(topdirs[i].fd, rel, cfg.homedir);
                 }
-
-                selinux_relabel_path(topdirs[i].path, topdirs[i].path);
         }
 
         // user home directory
-        if (tmpfs_home)
+        if (tmpfs_home) {
+                EUID_USER();
                 fs_private(); // checks owner if outside /home
+                EUID_ROOT();
+        }
 
         // /run/user/$UID directory
         if (tmpfs_runuser) {
@@ -420,6 +410,13 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
             strcmp(dir, "/sys") == 0)
                 whitelist_error(path);
 
+        // whitelisting home directory is disabled if --private option is present
+        if (arg_private && strcmp(dir, cfg.homedir) == 0) {
+                if (arg_debug || arg_debug_whitelists)
+                        printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path);
+                return NULL;
+        }
+
         // do nothing if directory doesn't exist
         struct stat s;
         if (lstat(dir, &s) != 0) {
@@ -437,8 +434,7 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
         }
         // do nothing if directory is disabled by administrator
         if (reject_topdir(dir)) {
-                fwarning("skipping whitelist %s because\n"
-                        "whitelist top level directory is disabled in Firejail configuration file\n", path);
+                fmessage("Whitelist top level directory %s is disabled in Firejail configuration file\n", dir);
                 return NULL;
         }
 
@@ -453,15 +449,14 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
         TopDir *rv = topdirs + cnt;
         cnt++;
 
-        char *dup = strdup(dir);
-        if (!dup)
+        rv->path = strdup(dir);
+        if (!rv->path)
                 errExit("strdup");
-        rv->path = dup;
 
         // open the directory, don't follow symbolic links
-        rv->fd = safer_openat(-1, dup, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC);
+        rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC);
         if (rv->fd == -1) {
-                fprintf(stderr, "Error: cannot open %s\n", dup);
+                fprintf(stderr, "Error: cannot open %s\n", dir);
                 exit(1);
         }
 
@@ -592,6 +587,10 @@ void fs_whitelist(void) {
                 if (strstr(new_name, ".."))
                         whitelist_error(new_name);
 
+                // /run/firejail is not allowed
+                if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0)
+                        whitelist_error(new_name);
+
                 TopDir *current_top = NULL;
                 if (!nowhitelist_flag) {
                         // extract whitelist top level directory
@@ -649,6 +648,10 @@ void fs_whitelist(void) {
                         continue;
                 }
 
+                // /run/firejail is not allowed
+                if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0)
+                        whitelist_error(fname);
+
                 if (nowhitelist_flag) {
                         // store the path in nowhitelist array
                         if (arg_debug || arg_debug_whitelists)
@@ -727,14 +730,18 @@ void fs_whitelist(void) {
                         if (strncmp(file, topdir, topdir_len) == 0 && file[topdir_len] == '/') {
                                 // get path relative to top level directory
                                 const char *rel = file + topdir_len + 1;
-                                whitelist_file(dirfd, topdir, rel, file);
+
+                                if (arg_debug || arg_debug_whitelists)
+                                        printf("Debug %d: file: %s; dirfd: %d; topdir: %s; rel: %s\n", __LINE__, file, dirfd, topdir, rel);
+                                whitelist_file(dirfd, rel, file);
                         }
 
                         // create the link if any
-                        if (link)
-                                whitelist_symlink(topdir, link, file);
+                        if (link) {
+                                whitelist_symlink(link, file);
+                                free(link);
+                        }
 
-                        free(link);
                         free(file);
                         free(entry->wparam);
                         entry->wparam = NULL;
diff --git a/src/firejail/join.c b/src/firejail/join.c
index bab4b830f..394bbb528 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -147,7 +147,7 @@ static void extract_command(int argc, char **argv, int index) {
         }
 
         // build command
-        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index);
+        build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index, true);
 }
 
 static void extract_nogroups(pid_t pid) {
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 796c42290..70985ba9e 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
@@ -349,9 +350,8 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         ls(fname1);
                 else
                         cat(fname1);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
         }
         // get file from host and store it in the sandbox
         else if (op == SANDBOX_FS_PUT && path2) {
@@ -383,9 +383,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         // copy the file
                         if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
@@ -415,9 +415,9 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                         // copy the file
                         if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
                                 _exit(1);
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index bcac1feb4..cd29d8f85 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -149,6 +149,7 @@ static char *resolve_xdg(const char *var) {
 
 // returns mallocated memory
 static char *resolve_hardcoded(char *entries[]) {
+        EUID_ASSERT();
         char *fname;
         struct stat s;
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7cfa58078..f64994e02 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include "../include/pid.h"
 #include "../include/firejail_user.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/syscall.h"
 #include "../include/seccomp.h"
 #define _GNU_SOURCE
@@ -259,8 +260,8 @@ static void init_cfg(int argc, char **argv) {
                 fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
                 exit(1);
         }
+        check_homedir(pw->pw_dir);
         cfg.homedir = clean_pathname(pw->pw_dir);
-        check_homedir();
 
         // initialize random number generator
         sandbox_pid = getpid();
@@ -862,12 +863,11 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 char *guess_shell(void) {
         const char *shell;
         char *retval;
-        struct stat s;
 
         shell = env_get("SHELL");
         if (shell) {
                 invalid_filename(shell, 0); // no globbing
-                if (!is_dir(shell) && strstr(shell, "..") == NULL && stat(shell, &s) == 0 && access(shell, X_OK) == 0 &&
+                if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL &&
                     strcmp(shell, PATH_FIREJAIL) != 0)
                         goto found;
         }
@@ -878,12 +878,15 @@ char *guess_shell(void) {
         int i = 0;
         while (shells[i] != NULL) {
                 // access call checks as real UID/GID, not as effective UID/GID
-                if (stat(shells[i], &s) == 0 && access(shells[i], X_OK) == 0) {
+                if (access(shells[i], X_OK) == 0) {
                         shell = shells[i];
-                        break;
+                        goto found;
                 }
                 i++;
         }
+
+        return NULL;
+
  found:
         retval = strdup(shell);
         if (!retval)
@@ -961,7 +964,7 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
 static int check_postexec(const char *list) {
         char *prelist, *postlist;
 
-        if (list) {
+        if (list && list[0]) {
                 syscalls_in_list(list, "@default-keep", -1, &prelist, &postlist, true);
                 if (postlist)
                         return 1;
@@ -1256,17 +1259,19 @@ int main(int argc, char **argv, char **envp) {
         for (i = 1; i < argc; i++) {
                 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
 
-                if (strcmp(argv[i], "--debug") == 0 && !arg_quiet)
+                if (strcmp(argv[i], "--debug") == 0) {
                         arg_debug = 1;
-                else if (strcmp(argv[i], "--debug-blacklists") == 0)
+                        arg_quiet = 0;
+                }
+                else if (strcmp(argv[i], "--debug-deny") == 0)
                         arg_debug_blacklists = 1;
-                else if (strcmp(argv[i], "--debug-whitelists") == 0)
+                else if (strcmp(argv[i], "--debug-allow") == 0)
                         arg_debug_whitelists = 1;
                 else if (strcmp(argv[i], "--debug-private-lib") == 0)
                         arg_debug_private_lib = 1;
                 else if (strcmp(argv[i], "--quiet") == 0) {
-                        arg_quiet = 1;
-                        arg_debug = 0;
+                        if (!arg_debug)
+                                arg_quiet = 1;
                 }
                 else if (strcmp(argv[i], "--allow-debuggers") == 0) {
                         // already handled
@@ -1488,8 +1493,11 @@ int main(int argc, char **argv, char **envp) {
                         arg_rlimit_nproc = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) {
-                        check_unsigned(argv[i] + 15, "Error: invalid rlimit");
-                        sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize);
+                        cfg.rlimit_fsize = parse_arg_size(argv[i] + 15);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_fsize = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) {
@@ -1498,8 +1506,11 @@ int main(int argc, char **argv, char **envp) {
                         arg_rlimit_sigpending = 1;
                 }
                 else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
-                        check_unsigned(argv[i] + 12, "Error: invalid rlimit");
-                        sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as);
+                        cfg.rlimit_as = parse_arg_size(argv[i] + 12);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_as = 1;
                 }
                 else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)
@@ -1554,6 +1565,8 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+
+                // blacklist/deny
                 else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
                         char *line;
                         if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
@@ -1562,6 +1575,14 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+                else if (strncmp(argv[i], "--deny=", 7) == 0) {
+                        char *line;
+                        if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
                 else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
                         char *line;
                         if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
@@ -1570,19 +1591,31 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+                else if (strncmp(argv[i], "--nodeny=", 9) == 0) {
+                        char *line;
+                        if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
 
-#ifdef HAVE_WHITELIST
+                // whitelist
                 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
-                        if (checkcfg(CFG_WHITELIST)) {
-                                char *line;
-                                if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
-                                        errExit("asprintf");
+                        char *line;
+                        if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+                                errExit("asprintf");
 
-                                profile_check_line(line, 0, NULL);      // will exit if something wrong
-                                profile_add(line);
-                        }
-                        else
-                                exit_err_feature("whitelist");
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
+                else if (strncmp(argv[i], "--allow=", 8) == 0) {
+                        char *line;
+                        if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
                 }
                 else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
                         char *line;
@@ -1592,7 +1625,16 @@ int main(int argc, char **argv, char **envp) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
-#endif
+                else if (strncmp(argv[i], "--noallow=", 10) == 0) {
+                        char *line;
+                        if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1)
+                                errExit("asprintf");
+
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
+
+
                 else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
                         char *line;
                         if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)
@@ -1957,61 +1999,77 @@ int main(int argc, char **argv, char **envp) {
                         arg_keep_dev_shm = 1;
                 }
                 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
-                        if (arg_writable_etc) {
-                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                                exit(1);
-                        }
+                        if (checkcfg(CFG_PRIVATE_ETC)) {
+                                if (arg_writable_etc) {
+                                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                        exit(1);
+                                }
 
-                        // extract private etc list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-etc option\n");
-                                exit(1);
+                                // extract private etc list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-etc option\n");
+                                        exit(1);
+                                }
+                                if (cfg.etc_private_keep) {
+                                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.etc_private_keep = argv[i] + 14;
+                                arg_private_etc = 1;
                         }
-                        if (cfg.etc_private_keep) {
-                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.etc_private_keep = argv[i] + 14;
-                        arg_private_etc = 1;
+                        else
+                                exit_err_feature("private-etc");
                 }
                 else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
-                        // extract private opt list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-opt option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_OPT)) {
+                                // extract private opt list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-opt option\n");
+                                        exit(1);
+                                }
+                                if (cfg.opt_private_keep) {
+                                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.opt_private_keep = argv[i] + 14;
+                                arg_private_opt = 1;
                         }
-                        if (cfg.opt_private_keep) {
-                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.opt_private_keep = argv[i] + 14;
-                        arg_private_opt = 1;
+                        else
+                                exit_err_feature("private-opt");
                 }
                 else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
-                        // extract private srv list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-srv option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_SRV)) {
+                                // extract private srv list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-srv option\n");
+                                        exit(1);
+                                }
+                                if (cfg.srv_private_keep) {
+                                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.srv_private_keep = argv[i] + 14;
+                                arg_private_srv = 1;
                         }
-                        if (cfg.srv_private_keep) {
-                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.srv_private_keep = argv[i] + 14;
-                        arg_private_srv = 1;
+                        else
+                                exit_err_feature("private-srv");
                 }
                 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
-                        // extract private bin list
-                        if (*(argv[i] + 14) == '\0') {
-                                fprintf(stderr, "Error: invalid private-bin option\n");
-                                exit(1);
+                        if (checkcfg(CFG_PRIVATE_BIN)) {
+                                // extract private bin list
+                                if (*(argv[i] + 14) == '\0') {
+                                        fprintf(stderr, "Error: invalid private-bin option\n");
+                                        exit(1);
+                                }
+                                if (cfg.bin_private_keep) {
+                                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
+                                                errExit("asprintf");
+                                } else
+                                        cfg.bin_private_keep = argv[i] + 14;
+                                arg_private_bin = 1;
                         }
-                        if (cfg.bin_private_keep) {
-                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
-                                        errExit("asprintf");
-                        } else
-                                cfg.bin_private_keep = argv[i] + 14;
-                        arg_private_bin = 1;
+                        else
+                                exit_err_feature("private-bin");
                 }
                 else if (strncmp(argv[i], "--private-lib", 13) == 0) {
                         if (checkcfg(CFG_PRIVATE_LIB)) {
@@ -2799,6 +2857,11 @@ int main(int argc, char **argv, char **envp) {
         // build the sandbox command
         if (prog_index == -1 && cfg.shell) {
                 assert(cfg.command_line == NULL); // runs cfg.shell
+                if (arg_appimage) {
+                        fprintf(stderr, "Error: no appimage archive specified\n");
+                        exit(1);
+                }
+
                 cfg.window_title = cfg.shell;
                 cfg.command_name = cfg.shell;
         }
@@ -2806,10 +2869,11 @@ int main(int argc, char **argv, char **envp) {
                 if (arg_debug)
                         printf("Configuring appimage environment\n");
                 appimage_set(cfg.command_name);
-                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
         }
         else {
-                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                // Only add extra quotes if we were not launched by sshd.
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, !parent_sshd);
         }
 /*      else {
                 fprintf(stderr, "Error: command must be specified when --shell=none used.\n");
@@ -2823,7 +2887,13 @@ int main(int argc, char **argv, char **envp) {
 
         // load the profile
         if (!arg_noprofile && !custom_profile) {
-                custom_profile = profile_find_firejail(cfg.command_name, 1);
+                if (arg_appimage) {
+                        custom_profile = appimage_find_profile(cfg.command_name);
+                        // disable shell=* for appimages
+                        arg_shell_none = 0;
+                }
+                else
+                        custom_profile = profile_find_firejail(cfg.command_name, 1);
         }
 
         // use default.profile as the default
@@ -2837,7 +2907,7 @@ int main(int argc, char **argv, char **envp) {
                 custom_profile = profile_find_firejail(profile_name, 1);
 
                 if (!custom_profile) {
-                        fprintf(stderr, "Error: no default.profile installed\n");
+                        fprintf(stderr, "Error: no %s installed\n", profile_name);
                         exit(1);
                 }
 
@@ -2853,6 +2923,15 @@ int main(int argc, char **argv, char **envp) {
         // check network configuration options - it will exit if anything went wrong
         net_check_cfg();
 
+        // customization of default seccomp filter
+        if (config_seccomp_filter_add) {
+                if (arg_seccomp && !cfg.seccomp_list_keep && !cfg.seccomp_list_drop)
+                        profile_list_augment(&cfg.seccomp_list, config_seccomp_filter_add);
+
+                if (arg_seccomp32 && !cfg.seccomp_list_keep32 && !cfg.seccomp_list_drop32)
+                        profile_list_augment(&cfg.seccomp_list32, config_seccomp_filter_add);
+        }
+
         if (arg_seccomp)
                 arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
 
@@ -2988,9 +3067,9 @@ int main(int argc, char **argv, char **envp) {
                         network_main(child);
                         if (arg_debug)
                                 printf("Host network configured\n");
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
 
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index a700729d3..64a94bd84 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -22,7 +22,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 #define MAX_BUF 4096
@@ -153,6 +153,7 @@ MountData *get_last_mount(void) {
 
 // Extract the mount id from /proc/self/fdinfo and return it.
 int get_mount_id(const char *path) {
+        EUID_ASSERT();
         assert(path);
 
         int fd = open(path, O_PATH|O_CLOEXEC);
@@ -162,7 +163,9 @@ int get_mount_id(const char *path) {
         char *fdinfo;
         if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1)
                 errExit("asprintf");
+        EUID_ROOT();
         FILE *fp = fopen(fdinfo, "re");
+        EUID_USER();
         free(fdinfo);
         if (!fp)
                 goto errexit;
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 0e153c47b..665bef73d 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -204,7 +204,7 @@ void run_no_sandbox(int argc, char **argv) {
                 // force --shell=none in order to not break firecfg symbolic links
                 arg_shell_none = 1;
 
-                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
+                build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, true);
         }
 
         fwarning("an existing sandbox was detected. "
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index b800fa944..d58a9d272 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -136,7 +136,7 @@ int program_in_path(const char *program) {
                         // ('x' permission means something different for directories).
                         // exec follows symlinks, so use stat, not lstat.
                         struct stat st;
-                        if (stat(scratch, &st)) {
+                        if (stat_as_user(scratch, &st)) {
                                 perror(scratch);
                                 exit(1);
                         }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index dd4506ac1..b7c7185a6 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -18,10 +18,12 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include "../include/syscall.h"
 #include <dirent.h>
 #include <sys/stat.h>
+
 extern char *xephyr_screen;
 
 #define MAX_READ 8192                             // line buffer for profile files
@@ -1275,56 +1277,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // private /etc list of files and directories
         if (strncmp(ptr, "private-etc ", 12) == 0) {
-                if (arg_writable_etc) {
-                        fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-                        exit(1);
-                }
-                if (cfg.etc_private_keep) {
-                        if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.etc_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_ETC)) {
+                        if (arg_writable_etc) {
+                                fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+                                exit(1);
+                        }
+                        if (cfg.etc_private_keep) {
+                                if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.etc_private_keep = ptr + 12;
+                        }
+                        arg_private_etc = 1;
                 }
-                arg_private_etc = 1;
-
+                else
+                        warning_feature_disabled("private-etc");
                 return 0;
         }
 
         // private /opt list of files and directories
         if (strncmp(ptr, "private-opt ", 12) == 0) {
-                if (cfg.opt_private_keep) {
-                        if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.opt_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_OPT)) {
+                        if (cfg.opt_private_keep) {
+                                if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.opt_private_keep = ptr + 12;
+                        }
+                        arg_private_opt = 1;
                 }
-                arg_private_opt = 1;
-
+                else
+                        warning_feature_disabled("private-opt");
                 return 0;
         }
 
         // private /srv list of files and directories
         if (strncmp(ptr, "private-srv ", 12) == 0) {
-                if (cfg.srv_private_keep) {
-                        if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.srv_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_SRV)) {
+                        if (cfg.srv_private_keep) {
+                                if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.srv_private_keep = ptr + 12;
+                        }
+                        arg_private_srv = 1;
                 }
-                arg_private_srv = 1;
-
+                else
+                        warning_feature_disabled("private-srv");
                 return 0;
         }
 
         // private /bin list of files
         if (strncmp(ptr, "private-bin ", 12) == 0) {
-                if (cfg.bin_private_keep) {
-                        if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
-                                errExit("asprintf");
-                } else {
-                        cfg.bin_private_keep = ptr + 12;
+                if (checkcfg(CFG_PRIVATE_BIN)) {
+                        if (cfg.bin_private_keep) {
+                                if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
+                                        errExit("asprintf");
+                        } else {
+                                cfg.bin_private_keep = ptr + 12;
+                        }
+                        arg_private_bin = 1;
                 }
-                arg_private_bin = 1;
+                else
+                        warning_feature_disabled("private-bin");
                 return 0;
         }
 
@@ -1492,8 +1507,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         arg_rlimit_nproc = 1;
                 }
                 else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) {
-                        check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
-                        sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize);
+                        cfg.rlimit_fsize = parse_arg_size(ptr + 13);
+                        if (cfg.rlimit_fsize == 0) {
+                                perror("Error: invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_fsize = 1;
                 }
                 else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) {
@@ -1502,8 +1520,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         arg_rlimit_sigpending = 1;
                 }
                 else if (strncmp(ptr, "rlimit-as ", 10) == 0) {
-                        check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: ");
-                        sscanf(ptr + 10, "%llu", &cfg.rlimit_as);
+                        cfg.rlimit_as = parse_arg_size(ptr + 10);
+                        if (cfg.rlimit_as == 0) {
+                                perror("Error: invalid rlimit-as in profile file. Only use positive numbers and k, m or g suffix.");
+                                exit(1);
+                        }
                         arg_rlimit_as = 1;
                 }
                 else {
@@ -1568,22 +1589,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         else if (strncmp(ptr, "noblacklist ", 12) == 0)
                 ptr += 12;
         else if (strncmp(ptr, "whitelist ", 10) == 0) {
-#ifdef HAVE_WHITELIST
-                if (checkcfg(CFG_WHITELIST)) {
-                        arg_whitelist = 1;
-                        ptr += 10;
-                }
-                else {
-                        static int whitelist_warning_printed = 0;
-                        if (!whitelist_warning_printed) {
-                                warning_feature_disabled("whitelist");
-                                whitelist_warning_printed = 1;
-                        }
-                        return 0;
-                }
-#else
-                return 0;
-#endif
+                arg_whitelist = 1;
+                ptr += 10;
         }
         else if (strncmp(ptr, "nowhitelist ", 12) == 0)
                 ptr += 12;
@@ -1714,23 +1721,65 @@ void profile_read(const char *fname) {
         int lineno = 0;
         while (fgets(buf, MAX_READ, fp)) {
                 ++lineno;
+
+                // remove comments
+                char *ptr = strchr(buf, '#');
+                if (ptr)
+                        *ptr = '\0';
+
                 // remove empty space - ptr in allocated memory
-                char *ptr = line_remove_spaces(buf);
+                ptr = line_remove_spaces(buf);
                 if (ptr == NULL)
                         continue;
-
-                // comments
-                if (*ptr == '#' || *ptr == '\0') {
+                if (*ptr == '\0') {
                         free(ptr);
                         continue;
                 }
 
+                // translate allow/deny to whitelist/blacklist
+                if (strncmp(ptr, "allow ", 6) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "deny ", 5) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "deny-nolog ", 11) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "blacklist-nolog %s", ptr + 11) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                // translate noallow/nodeny to nowhitelist/noblacklist
+                else if (strncmp(ptr, "noallow ", 8) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "nodeny ", 7) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+
                 // process quiet
                 // todo: a quiet in the profile file cannot be disabled by --ignore on command line
                 if (strcmp(ptr, "quiet") == 0) {
                         if (is_in_ignore_list(ptr))
                                 arg_quiet = 0;
-                        else
+                        else if (!arg_debug)
                                 arg_quiet = 1;
                         free(ptr);
                         continue;
@@ -1777,9 +1826,8 @@ void profile_read(const char *fname) {
 //              else {
 //                      free(ptr);
 //              }
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
         }
         fclose(fp);
 }
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 1b01a71c6..f8d4c2f3c 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -75,31 +75,34 @@ void pulseaudio_disable(void) {
         closedir(dir);
 }
 
-static void pulseaudio_fallback(const char *path) {
-        assert(path);
-
-        fmessage("Cannot mount tmpfs on %s/.config/pulse\n", cfg.homedir);
-        env_store_name_val("PULSE_CLIENTCONFIG", path, SETENV);
-}
-
 // disable shm in pulseaudio (issue #69)
 void pulseaudio_init(void) {
-        struct stat s;
-
         // do we have pulseaudio in the system?
-        if (stat(PULSE_CLIENT_SYSCONF, &s) == -1) {
+        if (access(PULSE_CLIENT_SYSCONF, R_OK)) {
                 if (arg_debug)
-                        printf("%s not found\n", PULSE_CLIENT_SYSCONF);
+                        printf("Cannot read %s\n", PULSE_CLIENT_SYSCONF);
                 return;
         }
 
+        // create ~/.config/pulse directory if not present
+        char *homeusercfg = NULL;
+        if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
+
+        free(homeusercfg);
+        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
+                errExit("asprintf");
+        if (create_empty_dir_as_user(homeusercfg, 0700))
+                fs_logger2("create", homeusercfg);
+
         // create the new user pulseaudio directory
+        // that will be mounted over ~/.config/pulse
         if (mkdir(RUN_PULSE_DIR, 0700) == -1)
                 errExit("mkdir");
-        selinux_relabel_path(RUN_PULSE_DIR, RUN_PULSE_DIR);
-        // mount it nosuid, noexec, nodev
+        selinux_relabel_path(RUN_PULSE_DIR, homeusercfg);
         fs_remount(RUN_PULSE_DIR, MOUNT_NOEXEC, 0);
-
         // create the new client.conf file
         char *pulsecfg = NULL;
         if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
@@ -116,37 +119,14 @@ void pulseaudio_init(void) {
         if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700))
                 errExit("set_perms");
 
-        // create ~/.config/pulse directory if not present
-        char *homeusercfg = NULL;
-        if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (create_empty_dir_as_user(homeusercfg, 0700))
-                fs_logger2("create", homeusercfg);
-
-        free(homeusercfg);
-        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
-                errExit("asprintf");
-        if (create_empty_dir_as_user(homeusercfg, 0700))
-                fs_logger2("create", homeusercfg);
-
         // if ~/.config/pulse exists and there are no symbolic links, mount the new directory
         // else set environment variable
+        EUID_USER();
         int fd = safer_openat(-1, homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        EUID_ROOT();
         if (fd == -1) {
-                pulseaudio_fallback(pulsecfg);
-                goto out;
-        }
-        // confirm the actual mount destination is owned by the user
-        if (fstat(fd, &s) == -1) { // FUSE
-                if (errno != EACCES)
-                        errExit("fstat");
-                close(fd);
-                pulseaudio_fallback(pulsecfg);
-                goto out;
-        }
-        if (s.st_uid != getuid()) {
-                close(fd);
-                pulseaudio_fallback(pulsecfg);
+                fwarning("not mounting tmpfs on %s\n", homeusercfg);
+                env_store_name_val("PULSE_CLIENTCONFIG", pulsecfg, SETENV);
                 goto out;
         }
         // preserve a read-only mount
@@ -158,17 +138,13 @@ void pulseaudio_init(void) {
         // mount via the link in /proc/self/fd
         if (arg_debug)
                 printf("Mounting %s on %s\n", RUN_PULSE_DIR, homeusercfg);
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(RUN_PULSE_DIR, proc, "none", MS_BIND, NULL) < 0)
+        if (bind_mount_path_to_fd(RUN_PULSE_DIR, fd))
                 errExit("mount pulseaudio");
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         if (strcmp(mptr->dir, homeusercfg) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                 errLogExit("invalid pulseaudio mount");
         fs_logger2("tmpfs", homeusercfg);
-        free(proc);
         close(fd);
 
         char *p;
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 53e395b89..6f17231a4 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -104,12 +104,8 @@ static void sanitize_home(void) {
         selinux_relabel_path(cfg.homedir, cfg.homedir);
 
         // bring back real user home directory
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(fd, cfg.homedir))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         if (!arg_private)
@@ -154,12 +150,8 @@ static void sanitize_run(void) {
         selinux_relabel_path(runuser, runuser);
 
         // bring back real run/user/$UID directory
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_fd_to_path(fd, runuser))
                 errExit("mount bind");
-        free(proc);
         close(fd);
 
         fs_logger2("whitelist", runuser);
@@ -246,6 +238,11 @@ static void sanitize_passwd(void) {
         // mount-bind tne new password file
         if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
                 errExit("mount");
+
+        // blacklist RUN_PASSWD_FILE
+        if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
+
         fs_logger("create /etc/passwd");
 
         return;
@@ -376,6 +373,11 @@ static void sanitize_group(void) {
         // mount-bind tne new group file
         if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
                 errExit("mount");
+
+        // blacklist RUN_GROUP_FILE
+        if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
+
         fs_logger("create /etc/group");
 
         return;
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index 78f00bc63..f177f4b89 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/time.h>
 #include <sys/resource.h>
 
@@ -33,9 +34,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_cpu;
                 rl.rlim_max = (rlim_t) cfg.rlimit_cpu;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_CPU, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -50,9 +51,10 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_nofile;
                 rl.rlim_max = (rlim_t) cfg.rlimit_nofile;
-#ifdef HAVE_GCOV        // gcov-instrumented programs might crash at this point
+
+                // gcov-instrumented programs might crash at this point
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -67,9 +69,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_nproc;
                 rl.rlim_max = (rlim_t) cfg.rlimit_nproc;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_NPROC, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -84,9 +86,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_fsize;
                 rl.rlim_max = (rlim_t) cfg.rlimit_fsize;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_FSIZE, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -101,9 +103,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending;
                 rl.rlim_max = (rlim_t) cfg.rlimit_sigpending;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
@@ -118,9 +120,9 @@ void set_rlimits(void) {
                 // set the new limit
                 rl.rlim_cur = (rlim_t) cfg.rlimit_as;
                 rl.rlim_max = (rlim_t) cfg.rlimit_as;
-#ifdef HAVE_GCOV
+
                 __gcov_dump();
-#endif
+
                 if (setrlimit(RLIMIT_AS, &rl) == -1)
                         errExit("setrlimit");
                 if (arg_debug)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 08f0f32c9..59ddfb855 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
 #include <sys/mount.h>
@@ -49,7 +50,6 @@
 #include <sys/apparmor.h>
 #endif
 
-
 static int force_nonewprivs = 0;
 
 static int monitored_pid = 0;
@@ -227,7 +227,7 @@ static void sandbox_if_up(Bridge *br) {
         if (br->arg_ip_none == 1);      // do nothing
         else if (br->arg_ip_none == 0 && br->macvlan == 0) {
                 if (br->ipsandbox == br->ip) {
-                        fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address.\n", PRINT_IP(br->ipsandbox), br->dev);
+                        fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address, exiting...\n", PRINT_IP(br->ipsandbox), br->dev);
                         exit(1);
                 }
 
@@ -245,13 +245,17 @@ static void sandbox_if_up(Bridge *br) {
                         br->ipsandbox = arp_assign(dev, br); //br->ip, br->mask);
                 else {
                         if (br->ipsandbox == br->ip) {
-                                fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address.\n", PRINT_IP(br->ipsandbox), br->dev);
+                                fprintf(stderr, "Error: %d.%d.%d.%d is interface %s address, exiting...\n", PRINT_IP(br->ipsandbox), br->dev);
+                                exit(1);
+                        }
+                        if (br->ipsandbox == cfg.defaultgw) {
+                                fprintf(stderr, "Error: %d.%d.%d.%d is the default gateway, exiting...\n", PRINT_IP(br->ipsandbox));
                                 exit(1);
                         }
 
                         uint32_t rv = arp_check(dev, br->ipsandbox);
                         if (rv) {
-                                fprintf(stderr, "Error: the address %d.%d.%d.%d is already in use.\n", PRINT_IP(br->ipsandbox));
+                                fprintf(stderr, "Error: the address %d.%d.%d.%d is already in use, exiting...\n", PRINT_IP(br->ipsandbox));
                                 exit(1);
                         }
                 }
@@ -500,9 +504,8 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
                         exit(1);
                 }
 
-#ifdef HAVE_GCOV
                 __gcov_dump();
-#endif
+
                 seccomp_install_filters();
 
                 if (set_sandbox_status)
@@ -556,9 +559,8 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
                 if (!arg_command && !arg_quiet)
                         print_time();
 
-#ifdef HAVE_GCOV
                 __gcov_dump();
-#endif
+
                 seccomp_install_filters();
 
                 if (set_sandbox_status)
@@ -833,6 +835,7 @@ int sandbox(void* sandbox_arg) {
         // private mode
         //****************************
         if (arg_private) {
+                EUID_USER();
                 if (cfg.home_private) { // --private=
                         if (cfg.chrootdir)
                                 fwarning("private=directory feature is disabled in chroot\n");
@@ -851,6 +854,7 @@ int sandbox(void* sandbox_arg) {
                 }
                 else // --private
                         fs_private();
+                EUID_ROOT();
         }
 
         if (arg_private_dev)
@@ -1039,7 +1043,7 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // set dns
         //****************************
-        fs_resolvconf();
+        fs_rebuild_etc();
 
         //****************************
         // start dhcp client
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 4a8dd1bf7..37111324a 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -265,7 +265,6 @@ int sbox_run(unsigned filtermask, int num, ...) {
 }
 
 int sbox_run_v(unsigned filtermask, char * const arg[]) {
-        EUID_ROOT();
         assert(arg);
 
         if (arg_debug) {
@@ -285,6 +284,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
         if (child < 0)
                 errExit("fork");
         if (child == 0) {
+                EUID_ROOT();
                 sbox_do_exec_v(filtermask, arg);
         }
 
@@ -293,7 +293,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
                 errExit("waitpid");
         }
         if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
-                fprintf(stderr, "Error: failed to run %s\n", arg[0]);
+                fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
                 exit(1);
         }
 
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 9670fe816..3d9bf9082 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -208,7 +208,8 @@ int seccomp_filter_drop(bool native) {
         //      - seccomp
         if (cfg.seccomp_list_drop == NULL) {
                 // default seccomp if error action is not changed
-                if (cfg.seccomp_list == NULL && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
+                if ((cfg.seccomp_list == NULL || cfg.seccomp_list[0] == '\0')
+                    && arg_seccomp_error_action == DEFAULT_SECCOMP_ERROR_ACTION) {
                         if (arg_seccomp_block_secondary)
                                 seccomp_filter_block_secondary();
                         else {
@@ -261,7 +262,7 @@ int seccomp_filter_drop(bool native) {
                         }
 
                         // build the seccomp filter as a regular user
-                        if (list)
+                        if (list && list[0])
                                 if (arg_allow_debuggers)
                                         rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7,
                                                       PATH_FSECCOMP, command, "drop", filter, postexec_filter, list, "allow-debuggers");
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 06189d7f6..6969e7a3d 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -19,10 +19,13 @@
 */
 #if HAVE_SELINUX
 #include "firejail.h"
-
 #include <sys/types.h>
 #include <sys/stat.h>
+
 #include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 
 #include <selinux/context.h>
 #include <selinux/label.h>
@@ -52,8 +55,9 @@ void selinux_relabel_path(const char *path, const char *inside_path)
         if (!label_hnd)
                 errExit("selabel_open");
 
-        /* Open the file as O_PATH, to pin it while we determine and adjust the label */
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        /* Open the file as O_PATH, to pin it while we determine and adjust the label
+         * Defeat symlink races by not allowing symbolic links */
+        fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
         if (fd < 0)
                 return;
         if (fstat(fd, &st) < 0)
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index fbfe1765b..d1be6eed4 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -36,8 +36,10 @@ void shut(pid_t pid) {
                 }
                 free(comm);
         }
-        else
-                errExit("/proc/PID/comm");
+        else {
+                fprintf(stderr, "Error: cannot find process %d\n", pid);
+                exit(1);
+        }
 
         // check privileges for non-root users
         uid_t uid = getuid();
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 888a6ffed..b4f3021c7 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -28,6 +28,7 @@ static char *usage_str =
         "\n"
         "Options:\n"
         "    -- - signal the end of options and disables further option processing.\n"
+        "    --allow=filename - allow file system access.\n"
         "    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
         "    --allusers - all user home directories are visible inside the sandbox.\n"
         "    --apparmor - enable AppArmor confinement.\n"
@@ -38,13 +39,12 @@ static char *usage_str =
 #endif
         "    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"
         "    --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"
-        "    --blacklist=filename - blacklist directory or file.\n"
-        "    --build - build a whitelisted profile for the application.\n"
-        "    --build=filename - build a whitelisted profile for the application.\n"
+        "    --build - build a profile for the application.\n"
+        "    --build=filename - build a profile for the application.\n"
         "    --caps - enable default Linux capabilities filter.\n"
         "    --caps.drop=all - drop all capabilities.\n"
-        "    --caps.drop=capability,capability - blacklist capabilities filter.\n"
-        "    --caps.keep=capability,capability - whitelist capabilities filter.\n"
+        "    --caps.drop=capability,capability - drop capabilities.\n"
+        "    --caps.keep=capability,capability - allow capabilities.\n"
         "    --caps.print=name|pid - print the caps filter.\n"
 #ifdef HAVE_FILE_TRANSFER
         "    --cat=name|pid filename - print content of file from sandbox container.\n"
@@ -58,34 +58,35 @@ static char *usage_str =
 #ifdef HAVE_DBUSPROXY
         "    --dbus-log=file - set DBus log file location.\n"
         "    --dbus-system=filter|none - set system DBus access policy.\n"
-        "    --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n"
+        "    --dbus-system.broadcast=rule - allow signals on the system DBus according\n"
+        "\tto rule.\n"
         "    --dbus-system.call=rule - allow calls on the system DBus according to rule.\n"
-        "    --dbus-system.log - turn on logging for the system DBus."
+        "    --dbus-system.log - turn on logging for the system DBus.\n"
         "    --dbus-system.own=name - allow ownership of name on the system DBus.\n"
         "    --dbus-system.see=name - allow seeing name on the system DBus.\n"
         "    --dbus-system.talk=name - allow talking to name on the system DBus.\n"
         "    --dbus-user=filter|none - set session DBus access policy.\n"
-        "    --dbus-user.broadcast=rule - allow signals on the session DBus according to rule.\n"
+        "    --dbus-user.broadcast=rule - allow signals on the session DBus according\n"
+        "\tto rule.\n"
         "    --dbus-user.call=rule - allow calls on the session DBus according to rule.\n"
-        "    --dbus-user.log - turn on logging for the user DBus."
+        "    --dbus-user.log - turn on logging for the user DBus.\n"
         "    --dbus-user.own=name - allow ownership of name on the session DBus.\n"
         "    --dbus-user.see=name - allow seeing name on the session DBus.\n"
         "    --dbus-user.talk=name - allow talking to name on the session DBus.\n"
 #endif
         "    --debug - print sandbox debug messages.\n"
-        "    --debug-blacklists - debug blacklisting.\n"
+        "    --debug-allow - debug file system access.\n"
+        "    --debug-deny - debug file system access.\n"
         "    --debug-caps - print all recognized capabilities.\n"
         "    --debug-errnos - print all recognized error numbers.\n"
         "    --debug-private-lib - debug for --private-lib option.\n"
         "    --debug-protocols - print all recognized protocols.\n"
         "    --debug-syscalls - print all recognized system calls.\n"
         "    --debug-syscalls32 - print all recognized 32 bit system calls.\n"
-#ifdef HAVE_WHITELIST
-        "    --debug-whitelists - debug whitelisting.\n"
-#endif
 #ifdef HAVE_NETWORK
         "    --defaultgw=address - configure default gateway.\n"
 #endif
+        "    --deny=filename - deny access to directory or file.\n"
         "    --deterministic-exit-code - always exit with first child's status code.\n"
         "    --dns=address - set DNS server.\n"
         "    --dns.print=name|pid - print DNS configuration.\n"
@@ -143,14 +144,15 @@ static char *usage_str =
         "    --netfilter.print=name|pid - print the firewall.\n"
         "    --netfilter6=filename - enable IPv6 firewall.\n"
         "    --netfilter6.print=name|pid - print the IPv6 firewall.\n"
-        "    --netmask=address - define a network mask when dealing with unconfigured"
+        "    --netmask=address - define a network mask when dealing with unconfigured\n"
         "\tparrent interfaces.\n"
         "    --netns=name - Run the program in a named, persistent network namespace.\n"
         "    --netstats - monitor network statistics.\n"
 #endif
         "    --nice=value - set nice value.\n"
         "    --no3d - disable 3D hardware acceleration.\n"
-        "    --noblacklist=filename - disable blacklist for file or directory.\n"
+        "    --noallow=filename - disable allow command for file or directory.\n"
+        "    --nodeny=filename - disable deny command for file or directory.\n"
         "    --nodbus - disable D-Bus access.\n"
         "    --nodvd - disable DVD and audio CD devices.\n"
         "    --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"
@@ -165,7 +167,6 @@ static char *usage_str =
         "    --noautopulse - disable automatic ~/.config/pulse init.\n"
         "    --novideo - disable video devices.\n"
         "    --nou2f - disable U2F devices.\n"
-        "    --nowhitelist=filename - disable whitelist for file or directory.\n"
 #ifdef HAVE_OUTPUT
         "    --output=logfile - stdout logging and log rotation.\n"
         "    --output-stderr=logfile - stdout and stderr logging and log rotation.\n"
@@ -222,14 +223,14 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-        "    --seccomp - enable seccomp filter and apply the default blacklist.\n"
-        "    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
+        "    --seccomp - enable seccomp filter and drop the default syscalls.\n"
+        "    --seccomp=syscall,syscall,syscall - enable seccomp filter, drop the\n"
         "\tdefault syscall list and the syscalls specified by the command.\n"
         "    --seccomp.block-secondary - build only the native architecture filters.\n"
         "    --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"
-        "\tblacklist the syscalls specified by the command.\n"
+        "\tdrop the syscalls specified by the command.\n"
         "    --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"
-        "\twhitelist the syscalls specified by the command.\n"
+        "\tallow the syscalls specified by the command.\n"
         "    --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"
         "\tidentified by name or PID.\n"
         "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
@@ -244,7 +245,7 @@ static char *usage_str =
         "    --top - monitor the most CPU-intensive sandboxes.\n"
         "    --trace - trace open, access and connect system calls.\n"
         "    --tracelog - add a syslog message for every access to files or\n"
-        "\tdirectories blacklisted by the security profile.\n"
+        "\tdirectories dropped by the security profile.\n"
         "    --tree - print a tree of all sandboxed processes.\n"
         "    --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
         "\tfiretunnel utility.\n"
@@ -252,9 +253,6 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --veth-name=name - use this name for the interface connected to the bridge.\n"
 #endif
-#ifdef HAVE_WHITELIST
-        "    --whitelist=filename - whitelist directory or file.\n"
-#endif
         "    --writable-etc - /etc directory is mounted read-write.\n"
         "    --writable-run-user - allow access to /run/user/$UID/systemd and\n"
         "\t/run/user/$UID/gnupg.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 2731f61dc..de31ebdd6 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -19,6 +19,7 @@
  */
 #define _XOPEN_SOURCE 500
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <ftw.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
@@ -31,6 +32,9 @@
 #include <sys/wait.h>
 #include <limits.h>
 
+#include <string.h>
+#include <ctype.h>
+
 #include <fcntl.h>
 #ifndef O_PATH
 #define O_PATH 010000000
@@ -46,6 +50,44 @@
 #define EMPTY_STRING ("")
 
 
+long long unsigned parse_arg_size(char *str) {
+        long long unsigned result = 0;
+        int len = strlen(str);
+        sscanf(str, "%llu", &result);
+
+        char suffix = *(str + len - 1);
+        if (!isdigit(suffix) && (suffix == 'k' || suffix == 'm' || suffix == 'g')) {
+                len -= 1;
+        }
+
+        /* checks for is value valid positive number */
+        for (int i = 0; i < len; i++) {
+                if (!isdigit(*(str+i))) {
+                        return 0;
+                }
+        }
+
+        if (isdigit(suffix))
+                return result;
+
+        switch (suffix) {
+        case 'k':
+                result *= 1024;
+                break;
+        case 'm':
+                result *= 1024 * 1024;
+                break;
+        case 'g':
+                result *= 1024 * 1024 * 1024;
+                break;
+        default:
+                result = 0;
+                break;
+        }
+
+        return result;
+}
+
 // send the error to /var/log/auth.log and exit after a small delay
 void errLogExit(char* fmt, ...) {
         va_list args;
@@ -325,7 +367,7 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m
 }
 
 // return -1 if error, 0 if no error
-void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
+void copy_file_as_user(const char *srcname, const char *destname, mode_t mode) {
         pid_t child = fork();
         if (child < 0)
                 errExit("fork");
@@ -333,13 +375,13 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
                 // drop privileges
                 drop_privs(0);
 
-                // copy, set permissions and ownership
-                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
+                // copy, set permissions
+                int rv = copy_file(srcname, destname, -1, -1, mode); // already a regular user
                 if (rv)
                         fwarning("cannot copy %s\n", srcname);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -371,9 +413,9 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
                         close(src);
                 }
                 close(dst);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -394,17 +436,17 @@ void touch_file_as_user(const char *fname, mode_t mode) {
                 // drop privileges
                 drop_privs(0);
 
-                FILE *fp = fopen(fname, "wx");
-                if (fp) {
-                        fprintf(fp, "\n");
-                        SET_PERMS_STREAM(fp, -1, -1, mode);
-                        fclose(fp);
+                int fd = open(fname, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+                if (fd > -1) {
+                        int err = fchmod(fd, mode);
+                        (void) err;
+                        close(fd);
                 }
                 else
                         fwarning("cannot create %s\n", fname);
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
         // wait for the child to finish
@@ -417,6 +459,13 @@ int is_dir(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
         // if fname doesn't end in '/', add one
         int rv;
         struct stat s;
@@ -432,6 +481,9 @@ int is_dir(const char *fname) {
                 free(tmp);
         }
 
+        if (called_as_root)
+                EUID_ROOT();
+
         if (rv == -1)
                 return 0;
 
@@ -447,18 +499,83 @@ int is_link(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
-        char *dup = strdup(fname);
-        if (!dup)
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        // remove trailing '/' if any
+        char *tmp = strdup(fname);
+        if (!tmp)
                 errExit("strdup");
-        trim_trailing_slash_or_dot(dup);
+        trim_trailing_slash_or_dot(tmp);
 
         char c;
-        ssize_t rv = readlink(dup, &c, 1);
+        ssize_t rv = readlink(tmp, &c, 1);
+        free(tmp);
+
+        if (called_as_root)
+                EUID_ROOT();
 
-        free(dup);
         return (rv != -1);
 }
 
+char *realpath_as_user(const char *fname) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        char *rv = realpath(fname, NULL);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+int stat_as_user(const char *fname, struct stat *s) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        int rv = stat(fname, s);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
+int lstat_as_user(const char *fname, struct stat *s) {
+        assert(fname);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        int rv = lstat(fname, s);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
 // remove all slashes and single dots from the end of a path
 // for example /foo/bar///././. -> /foo/bar
 void trim_trailing_slash_or_dot(char *path) {
@@ -647,9 +764,11 @@ int find_child(pid_t parent, pid_t *child) {
                                 if (parent == atoi(ptr)) {
                                         // we don't want /usr/bin/xdg-dbus-proxy!
                                         char *cmdline = pid_proc_cmdline(pid);
-                                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
-                                                *child = pid;
-                                        free(cmdline);
+                                        if (cmdline) {
+                                                if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
+                                                        *child = pid;
+                                                free(cmdline);
+                                        }
                                 }
                                 break;            // stop reading the file
                         }
@@ -889,35 +1008,37 @@ static int remove_callback(const char *fpath, const struct stat *sb, int typefla
 
 int remove_overlay_directory(void) {
         EUID_ASSERT();
-        struct stat s;
         sleep(1);
 
         char *path;
         if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
                 errExit("asprintf");
 
-        if (lstat(path, &s) == 0) {
-                // deal with obvious problems such as symlinks and root ownership
-                if (!S_ISDIR(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode))
-                                fprintf(stderr, "Error: %s is a symbolic link\n", path);
-                        else
-                                fprintf(stderr, "Error: %s is not a directory\n", path);
-                        exit(1);
-                }
-                if (s.st_uid != getuid()) {
-                        fprintf(stderr, "Error: %s is not owned by the current user\n", path);
-                        exit(1);
-                }
-
+        if (access(path, F_OK) == 0) {
                 pid_t child = fork();
                 if (child < 0)
                         errExit("fork");
                 if (child == 0) {
-                        // open ~/.firejail, fails if there is any symlink
-                        int fd = safer_openat(-1, path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                        if (fd == -1)
-                                errExit("safer_openat");
+                        // open ~/.firejail
+                        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+                        if (fd == -1) {
+                                fprintf(stderr, "Error: cannot open %s\n", path);
+                                exit(1);
+                        }
+                        struct stat s;
+                        if (fstat(fd, &s) == -1)
+                                errExit("fstat");
+                        if (!S_ISDIR(s.st_mode)) {
+                                if (S_ISLNK(s.st_mode))
+                                        fprintf(stderr, "Error: %s is a symbolic link\n", path);
+                                else
+                                        fprintf(stderr, "Error: %s is not a directory\n", path);
+                                exit(1);
+                        }
+                        if (s.st_uid != getuid()) {
+                                fprintf(stderr, "Error: %s is not owned by the current user\n", path);
+                                exit(1);
+                        }
                         // chdir to ~/.firejail
                         if (fchdir(fd) == -1)
                                 errExit("fchdir");
@@ -932,15 +1053,15 @@ int remove_overlay_directory(void) {
                         // remove ~/.firejail
                         if (rmdir(path) == -1)
                                 errExit("rmdir");
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
                 // wait for the child to finish
                 waitpid(child, NULL, 0);
                 // check if ~/.firejail was deleted
-                if (stat(path, &s) == 0)
+                if (access(path, F_OK) == 0)
                         return 1;
         }
         return 0;
@@ -973,9 +1094,8 @@ void flush_stdin(void) {
 int create_empty_dir_as_user(const char *dir, mode_t mode) {
         assert(dir);
         mode &= 07777;
-        struct stat s;
 
-        if (stat(dir, &s)) {
+        if (access(dir, F_OK) != 0) {
                 if (arg_debug)
                         printf("Creating empty %s directory\n", dir);
                 pid_t child = fork();
@@ -986,18 +1106,18 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
                         drop_privs(0);
 
                         if (mkdir(dir, mode) == 0) {
-                                if (chmod(dir, mode) == -1)
-                                        {;} // do nothing
+                                int err = chmod(dir, mode);
+                                (void) err;
                         }
                         else if (arg_debug)
                                 printf("Directory %s not created: %s\n", dir, strerror(errno));
-#ifdef HAVE_GCOV
+
                         __gcov_flush();
-#endif
+
                         _exit(0);
                 }
                 waitpid(child, NULL, 0);
-                if (stat(dir, &s) == 0)
+                if (access(dir, F_OK) == 0)
                         return 1;
         }
         return 0;
@@ -1030,8 +1150,10 @@ void create_empty_file_as_root(const char *fname, mode_t mode) {
         if (stat(fname, &s)) {
                 if (arg_debug)
                         printf("Creating empty %s file\n", fname);
-
-                FILE *fp = fopen(fname, "wxe");
+                /* coverity[toctou] */
+                // don't fail if file already exists. This can be the case in a race
+                // condition, when two jails launch at the same time. Compare to #1013
+                FILE *fp = fopen(fname, "we");
                 if (!fp)
                         errExit("fopen");
                 SET_PERMS_STREAM(fp, 0, 0, mode);
@@ -1106,20 +1228,35 @@ unsigned extract_timeout(const char *str) {
 }
 
 void disable_file_or_dir(const char *fname) {
+        assert(geteuid() == 0);
+        assert(fname);
+
+        EUID_USER();
+        int fd = open(fname, O_PATH|O_CLOEXEC);
+        EUID_ROOT();
+        if (fd < 0)
+                return;
+
         struct stat s;
-        if (stat(fname, &s) != -1) {
-                if (arg_debug)
-                        printf("blacklist %s\n", fname);
-                if (is_dir(fname)) {
-                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable directory");
-                }
-                else {
-                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-                                errExit("disable file");
-                }
-                fs_logger2("blacklist", fname);
+        if (fstat(fd, &s) < 0) { // FUSE
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                return;
+        }
+
+        if (arg_debug)
+                printf("blacklist %s\n", fname);
+        if (S_ISDIR(s.st_mode)) {
+                if (bind_mount_path_to_fd(RUN_RO_DIR, fd) < 0)
+                        errExit("disable directory");
         }
+        else {
+                if (bind_mount_path_to_fd(RUN_RO_FILE, fd) < 0)
+                        errExit("disable file");
+        }
+        close(fd);
+        fs_logger2("blacklist", fname);
 }
 
 void disable_file_path(const char *path, const char *file) {
@@ -1206,6 +1343,60 @@ int safer_openat(int dirfd, const char *path, int flags) {
         return fd;
 }
 
+int remount_by_fd(int dst, unsigned long mountflags) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(NULL, proc, NULL, mountflags|MS_BIND|MS_REMOUNT, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
+int bind_mount_by_fd(int src, int dst) {
+        char *proc_src, *proc_dst;
+        if (asprintf(&proc_src, "/proc/self/fd/%d", src) < 0 ||
+            asprintf(&proc_dst, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc_src);
+        free(proc_dst);
+        return rv;
+}
+
+int bind_mount_fd_to_path(int src, const char *destname) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", src) < 0)
+                errExit("asprintf");
+
+        int rv = mount(proc, destname, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
+int bind_mount_path_to_fd(const char *srcname, int dst) {
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", dst) < 0)
+                errExit("asprintf");
+
+        int rv = mount(srcname, proc, NULL, MS_BIND|MS_REC, NULL);
+        if (rv < 0 && arg_debug)
+                printf("Failed mount: %s\n", strerror(errno));
+
+        free(proc);
+        return rv;
+}
+
 int has_handler(pid_t pid, int signal) {
         if (signal > 0 && signal <= SIGRTMAX) {
                 char *fname;
@@ -1315,14 +1506,14 @@ static int has_link(const char *dir) {
         return 0;
 }
 
-void check_homedir(void) {
-        assert(cfg.homedir);
-        if (cfg.homedir[0] != '/') {
+void check_homedir(const char *dir) {
+        assert(dir);
+        if (dir[0] != '/') {
                 fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
                 exit(1);
         }
         // symlinks are rejected in many places
-        if (has_link(cfg.homedir)) {
+        if (has_link(dir)) {
                 fprintf(stderr, "No full support for symbolic links in path of user directory.\n"
                         "Please provide resolved path in password database (/etc/passwd).\n\n");
         }
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 257d376a1..896aa2fd3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -204,7 +204,6 @@ static int random_display_number(void) {
 void x11_start_xvfb(int argc, char **argv) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t jail = 0;
         pid_t server = 0;
 
@@ -348,7 +347,7 @@ void x11_start_xvfb(int argc, char **argv) {
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         };
 
@@ -427,7 +426,6 @@ static char *extract_setting(int argc, char **argv, const char *argument) {
 void x11_start_xephyr(int argc, char **argv) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t jail = 0;
         pid_t server = 0;
 
@@ -586,7 +584,7 @@ void x11_start_xephyr(int argc, char **argv) {
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         };
 
@@ -701,7 +699,6 @@ static char * get_title_arg_str() {
 static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv, int display, char *display_str) {
         EUID_ASSERT();
         int i;
-        struct stat s;
         pid_t client = 0;
         pid_t server = 0;
 
@@ -818,7 +815,7 @@ static void __attribute__((noreturn)) x11_start_xpra_old(int argc, char **argv,
         // wait for x11 server to start
         while (++n < 10) {
                 sleep(1);
-                if (stat(fname, &s) == 0)
+                if (access(fname, F_OK) == 0)
                         break;
         }
 
@@ -1207,14 +1204,13 @@ void x11_xorg(void) {
         fmessage("Generating a new .Xauthority file\n");
         mkdir_attr(RUN_XAUTHORITY_SEC_DIR, 0700, getuid(), getgid());
         // create new Xauthority file in RUN_XAUTHORITY_SEC_DIR
+        EUID_USER();
         char tmpfname[] = RUN_XAUTHORITY_SEC_DIR "/.Xauth-XXXXXX";
         int fd = mkstemp(tmpfname);
         if (fd == -1) {
                 fprintf(stderr, "Error: cannot create .Xauthority file\n");
                 exit(1);
         }
-        if (fchown(fd, getuid(), getgid()) == -1)
-                errExit("chown");
         close(fd);
 
         // run xauth
@@ -1224,16 +1220,14 @@ void x11_xorg(void) {
         else
                 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 7, RUN_XAUTH_FILE, "-f", tmpfname,
                         "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted");
-        // remove xauth copy
-        unlink(RUN_XAUTH_FILE);
 
         // ensure there is already a file ~/.Xauthority, so that bind-mount below will work.
         char *dest;
         if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                 errExit("asprintf");
-        if (lstat(dest, &s) == -1) {
+        if (access(dest, F_OK) == -1) {
                 touch_file_as_user(dest, 0600);
-                if (stat(dest, &s) == -1) {
+                if (access(dest, F_OK) == -1) {
                         fprintf(stderr, "Error: cannot create %s\n", dest);
                         exit(1);
                 }
@@ -1276,21 +1270,16 @@ void x11_xorg(void) {
         // mount via the link in /proc/self/fd
         if (arg_debug)
                 printf("Mounting %s on %s\n", tmpfname, dest);
-        char *proc_src, *proc_dst;
-        if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-                errExit("asprintf");
-        if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-                errExit("asprintf");
-        if (mount(proc_src, proc_dst, NULL, MS_BIND, NULL) == -1) {
+        EUID_ROOT();
+        if (bind_mount_by_fd(src, dst)) {
                 fprintf(stderr, "Error: cannot mount the new .Xauthority file\n");
                 exit(1);
         }
+        EUID_USER();
         // check /proc/self/mountinfo to confirm the mount is ok
         MountData *mptr = get_last_mount();
         if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0)
                 errLogExit("invalid .Xauthority mount");
-        free(proc_src);
-        free(proc_dst);
         close(src);
         close(dst);
 
@@ -1301,8 +1290,11 @@ void x11_xorg(void) {
         if (envar) {
                 char *rp = realpath(envar, NULL);
                 if (rp) {
-                        if (strcmp(rp, dest) != 0)
+                        if (strcmp(rp, dest) != 0) {
+                                EUID_ROOT();
                                 disable_file_or_dir(rp);
+                                EUID_USER();
+                        }
                         free(rp);
                 }
         }
@@ -1311,9 +1303,13 @@ void x11_xorg(void) {
         free(dest);
 
         // mask RUN_XAUTHORITY_SEC_DIR
+        EUID_ROOT();
         if (mount("tmpfs", RUN_XAUTHORITY_SEC_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
                 errExit("mounting tmpfs");
         fs_logger2("tmpfs", RUN_XAUTHORITY_SEC_DIR);
+
+        // cleanup
+        unlink(RUN_XAUTH_FILE);
 #endif
 }
 
@@ -1327,7 +1323,7 @@ void fs_x11(void) {
         struct stat s1, s2;
         if (stat("/tmp", &s1) != 0 || lstat("/tmp/.X11-unix", &s2) != 0)
                 return;
-        if ((s1.st_mode & S_ISVTX) == 0) {
+        if ((s1.st_mode & S_ISVTX) != S_ISVTX) {
                 fwarning("cannot mask X11 sockets: sticky bit not set on /tmp directory\n");
                 return;
         }
@@ -1335,68 +1331,46 @@ void fs_x11(void) {
                 fwarning("cannot mask X11 sockets: /tmp/.X11-unix not owned by root user\n");
                 return;
         }
+
+        // the mount source is under control of the user, so be careful and
+        // mount without following symbolic links, using a file descriptor
         char *x11file;
         if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1)
                 errExit("asprintf");
-        struct stat x11stat;
-        if (lstat(x11file, &x11stat) != 0 || !S_ISSOCK(x11stat.st_mode)) {
+        int src = open(x11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+        if (src < 0) {
+                free(x11file);
+                return;
+        }
+        struct stat s3;
+        if (fstat(src, &s3) < 0)
+                errExit("fstat");
+        if (!S_ISSOCK(s3.st_mode)) {
+                close(src);
                 free(x11file);
                 return;
         }
 
         if (arg_debug || arg_debug_whitelists)
                 fprintf(stderr, "Masking all X11 sockets except %s\n", x11file);
-
-        // Move the real /tmp/.X11-unix to a scratch location
-        // so we can still access x11file after we mount a
-        // tmpfs over /tmp/.X11-unix.
-        if (mkdir(RUN_WHITELIST_X11_DIR, 0700) == -1)
-                errExit("mkdir");
-        if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0)
-                errExit("mount bind");
-
         // This directory must be mode 1777
         if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
                 MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
                 "mode=1777,uid=0,gid=0") < 0)
                 errExit("mounting tmpfs on /tmp/.X11-unix");
+        selinux_relabel_path("/tmp/.X11-unix", "/tmp/.X11-unix");
         fs_logger("tmpfs /tmp/.X11-unix");
 
         // create an empty root-owned file which will have the desired socket bind-mounted over it
-        int fd = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
-        if (fd < 0)
-                errExit(x11file);
-        close(fd);
+        int dst = open(x11file, O_RDONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR);
+        if (dst < 0)
+                errExit("open");
 
-        // the mount source is under control of the user, so be careful and
-        // mount without following symbolic links, using a file descriptor
-        char *wx11file;
-        if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1)
-                errExit("asprintf");
-        fd = safer_openat(-1, wx11file, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-        if (fd == -1)
-                errExit("opening X11 socket");
-        // confirm once more we are mounting a socket
-        if (fstat(fd, &x11stat) == -1)
-                errExit("fstat");
-        if (!S_ISSOCK(x11stat.st_mode)) {
-                errno = ENOTSOCK;
-                errExit("mounting X11 socket");
-        }
-        char *proc;
-        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-                errExit("asprintf");
-        if (mount(proc, x11file, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (bind_mount_by_fd(src, dst))
                 errExit("mount bind");
+        close(src);
+        close(dst);
         fs_logger2("whitelist", x11file);
-        close(fd);
-        free(proc);
-
-        // block access to RUN_WHITELIST_X11_DIR
-        if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0)
-                errExit("mount");
-        fs_logger2("blacklist", RUN_WHITELIST_X11_DIR);
-        free(wx11file);
         free(x11file);
 #endif
 }
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index e04b6f431..780e3d706 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <netdb.h>
@@ -145,9 +146,9 @@ static void print_sandbox(pid_t pid) {
                 if (rv)
                         return;
                 net_ifprint();
-#ifdef HAVE_GCOV
+
                 __gcov_flush();
-#endif
+
                 _exit(0);
         }
 
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 850959eb3..9d8e5d7f5 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
@@ -242,8 +243,7 @@ void netstats(void) {
                                 print_proc(i, itv, col);
                         }
                 }
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
+
+                __gcov_flush();
         }
 }
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 8085d2d29..716a9cba4 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/socket.h>
 #include <linux/connector.h>
 #include <linux/netlink.h>
@@ -230,9 +231,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my
         tv.tv_usec = 0;
 
         while (1) {
-#ifdef HAVE_GCOV
                 __gcov_flush();
-#endif
 
 #define BUFFSIZE 4096
                 char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE];
diff --git a/src/firemon/top.c b/src/firemon/top.c
index a25e3c0d8..2217cc7de 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firemon.h"
+#include "../include/gcov_wrapper.h"
 #include <termios.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
@@ -326,8 +327,7 @@ void top(void) {
                         }
                 }
                 head_print(col, row);
-#ifdef HAVE_GCOV
-                        __gcov_flush();
-#endif
+
+                __gcov_flush();
         }
 }
diff --git a/src/include/gcov_wrapper.h b/src/include/gcov_wrapper.h
new file mode 100644
index 000000000..4aafb8e18
--- /dev/null
+++ b/src/include/gcov_wrapper.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef GCOV_WRAPPER_H
+#define GCOV_WRAPPER_H
+
+#ifdef HAS_GCOV
+#include <gcov.h>
+
+/*
+ * __gcov_flush was removed on gcc 11.1.0 (as it's no longer needed), but it
+ * appears to be the safe/"correct" way to do things on previous versions (as
+ * it ensured proper locking, which is now done elsewhere).  Thus, keep using
+ * it in the code and ensure that it exists, in order to support gcc <11.1.0
+ * and gcc >=11.1.0, respectively.
+ */
+#if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1)
+static void __gcov_flush(void) {
+       __gcov_dump();
+       __gcov_reset();
+}
+#endif
+#else
+#define __gcov_dump() ((void)0)
+#define __gcov_reset() ((void)0)
+#define __gcov_flush() ((void)0)
+#endif /* HAS_GCOV */
+
+#endif /* GCOV_WRAPPER_H */
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index a172dd511..3db750da3 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -79,12 +79,8 @@
 #define PATH_SECCOMP_MDWX_32            LIBDIR "/firejail/seccomp.mdwx.32"
 #define PATH_SECCOMP_BLOCK_SECONDARY    LIBDIR "/firejail/seccomp.block_secondary"      // secondary arch blocking filter built during make
 
-
 #define RUN_DEV_DIR                     RUN_MNT_DIR "/dev"
 #define RUN_DEVLOG_FILE                 RUN_MNT_DIR "/devlog"
-
-#define RUN_WHITELIST_X11_DIR           RUN_MNT_DIR "/orig-x11"
-
 #define RUN_XAUTHORITY_FILE             RUN_MNT_DIR "/.Xauthority"              // private options
 #define RUN_XAUTH_FILE                  RUN_MNT_DIR "/xauth"                    // x11=xorg
 #define RUN_XAUTHORITY_SEC_DIR          RUN_MNT_DIR "/.sec.Xauthority"          // x11=xorg
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c
index c18d64a82..3c2f46495 100644
--- a/src/jailcheck/access.c
+++ b/src/jailcheck/access.c
@@ -36,7 +36,7 @@ void access_setup(const char *directory) {
         assert(user_home_dir);
 
         if (files_cnt >= MAX_TEST_FILES) {
-                fprintf(stderr, "Error: maximum number of test directories exceded\n");
+                fprintf(stderr, "Error: maximum number of test directories exceeded\n");
                 exit(1);
         }
 
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
index 32be1c978..be3104da3 100644
--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -53,6 +53,8 @@ void apparmor_test(pid_t pid);
 // seccomp.c
 void seccomp_test(pid_t pid);
 
+// network.c
+void network_test(void);
 // utils.c
 char *get_sudo_user(void);
 char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
index 4d642bf96..812ac5808 100644
--- a/src/jailcheck/main.c
+++ b/src/jailcheck/main.c
@@ -157,6 +157,7 @@ int main(int argc, char **argv) {
                         seccomp_test(pid);
                         fflush(0);
 
+                        // filesystem tests
                         pid_t child = fork();
                         if (child == -1)
                                 errExit("fork");
@@ -185,6 +186,28 @@ int main(int argc, char **argv) {
                         }
                         int status;
                         wait(&status);
+
+                        // network test
+                        child = fork();
+                        if (child == -1)
+                                errExit("fork");
+                        if (child == 0) {
+                                int rv = join_namespace(pid, "net");
+                                if (rv == 0)
+                                        network_test();
+                                else {
+                                        printf("   Error: I cannot join the process network stack\n");
+                                        exit(1);
+                                }
+
+                                // drop privileges in order not to trigger cleanup()
+                                if (setgid(user_gid) != 0)
+                                        errExit("setgid");
+                                if (setuid(user_uid) != 0)
+                                        errExit("setuid");
+                                return 0;
+                        }
+                        wait(&status);
                 }
         }
 
diff --git a/src/jailcheck/network.c b/src/jailcheck/network.c
new file mode 100644
index 000000000..636344e77
--- /dev/null
+++ b/src/jailcheck/network.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+#include <linux/connector.h>
+#include <linux/netlink.h>
+#include <linux/if_link.h>
+#include <linux/sockios.h>
+#include <sys/ioctl.h>
+
+
+void network_test(void) {
+        // I am root running in a network namespace
+        struct ifaddrs *ifaddr, *ifa;
+        int found = 0;
+
+        // walk through the linked list
+        if (getifaddrs(&ifaddr) == -1)
+                errExit("getifaddrs");
+        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
+                if (strcmp(ifa->ifa_name, "lo") == 0)
+                        continue;
+                found = 1;
+                break;
+        }
+
+        freeifaddrs(ifaddr);
+
+        if (found)
+                printf("   Networking: enabled\n");
+        else
+                printf("   Networking: disabled\n");
+}
+
+
+
diff --git a/src/jailcheck/sysfiles.c b/src/jailcheck/sysfiles.c
index caeb580af..9a0d6350e 100644
--- a/src/jailcheck/sysfiles.c
+++ b/src/jailcheck/sysfiles.c
@@ -34,7 +34,7 @@ void sysfiles_setup(const char *file) {
         assert(file);
 
         if (files_cnt >= MAX_TEST_FILES) {
-                fprintf(stderr, "Error: maximum number of system test files exceded\n");
+                fprintf(stderr, "Error: maximum number of system test files exceeded\n");
                 exit(1);
         }
 
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index cd60d74e4..c5dde85b0 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -50,7 +50,7 @@ int is_lib_64(const char *exe) {
         unsigned char buf[EI_NIDENT];
         ssize_t len = 0;
         while (len < EI_NIDENT) {
-                ssize_t sz = read(fd, buf, EI_NIDENT);
+                ssize_t sz = read(fd, buf + len, EI_NIDENT - len);
                 if (sz <= 0)
                         goto doexit;
                 len += sz;
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index b3131ac17..d0d9ff5aa 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -253,9 +253,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_fanotify_init
           "fanotify_init,"
 #endif
-#ifdef SYS_kcmp
-          "kcmp,"
-#endif
 #ifdef SYS_add_key
           "add_key,"
 #endif
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 3d59705b9..34f5e8bf9 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -156,18 +156,23 @@ Scripting commands:
 \fBFile and directory names
 File and directory names containing spaces are supported. The space character ' ' should not be escaped.
 
-Example: "blacklist ~/My Virtual Machines"
+Example: "deny ~/My Virtual Machines"
 
 .TP
 \fB# this is a comment
+Example:
+
+# disable networking
+.br
+net none # this command creates an empty network namespace
 
 .TP
 \fB?CONDITIONAL: profile line
 Conditionally add profile line.
 
-Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
+Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir"
 
-This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
+This example will load the profile line only if the \-\-appimage option has been specified on the command line.
 
 Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
@@ -200,16 +205,16 @@ storing modifications to the persistent configuration. Persistent .local files
 are included at the start of regular profile files.
 
 .TP
-\fBnoblacklist file_name
-If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
+\fBnoallow file_name
+If the file name matches file_name, the file will not be allowed in any allow commands that follow.
 
-Example: "noblacklist ${HOME}/.mozilla"
+Example: "nowhitelist ~/.config"
 
 .TP
-\fBnowhitelist file_name
-If the file name matches file_name, the file will not be whitelisted in any whitelist commands that follow.
+\fBnodeny file_name
+If the file name matches file_name, the file will not be denied any deny commands that follow.
 
-Example: "nowhitelist ~/.config"
+Example: "nodeny ${HOME}/.mozilla"
 
 .TP
 \fBignore
@@ -237,19 +242,17 @@ HOME directories are searched, see the \fBfirejail\f(1) \fBFILE GLOBBING\fR sect
 for more details.
 Examples:
 .TP
-\fBblacklist file_or_directory
-Blacklist directory or file. Examples:
+\fBallow file_or_directory
+Allow directory or file. A temporary file system is mounted on the top directory, and the
+allowed files are mount-binded inside. Modifications to allowd files are persistent,
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
 .br
 
 .br
-blacklist /usr/bin
-.br
-blacklist /usr/bin/gcc*
-.br
-blacklist ${PATH}/ifconfig
-.br
-blacklist ${HOME}/.ssh
-
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
 .TP
 \fBblacklist-nolog file_or_directory
 When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory.
@@ -268,6 +271,20 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 \fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
+\fBdeny file_or_directory
+Deny access to directory or file. Examples:
+.br
+
+.br
+deny /usr/bin
+.br
+deny /usr/bin/gcc*
+.br
+deny ${PATH}/ifconfig
+.br
+deny ${HOME}/.ssh
+
+.TP
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
@@ -287,7 +304,7 @@ The directory is created if it doesn't already exist.
 .br
 
 .br
-Use this command for whitelisted directories you need to preserve
+Use this command for allowed directories you need to preserve
 when the sandbox is closed. Without it, the application will create the directory, and the directory
 will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from
 firefox profile:
@@ -300,7 +317,7 @@ whitelist ~/.mozilla
 .br
 mkdir ~/.cache/mozilla/firefox
 .br
-whitelist ~/.cache/mozilla/firefox
+allow ~/.cache/mozilla/firefox
 .br
 
 .br
@@ -406,7 +423,7 @@ expressed as foo/bar -- is disallowed).
 All modifications are discarded when the sandbox is closed.
 .TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
+Mount an empty temporary filesystem on top of /tmp directory allowing /tmp/.X11-unix.
 .TP
 \fBread-only file_or_directory
 Make directory or file read-only.
@@ -415,27 +432,16 @@ Make directory or file read-only.
 Make directory or file read-write.
 .TP
 \fBtmpfs directory
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.
 .TP
 \fBtracelog
-Blacklist violations logged to syslog.
-.TP
-\fBwhitelist file_or_directory
-Whitelist directory or file. A temporary file system is mounted on the top directory, and the
-whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp.
-.br
-
-.br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
+File system deny violations logged to syslog.
 .TP
 \fBwritable-etc
 Mount /etc directory read-write.
 .TP
 \fBwritable-run-user
-Disable the default blacklisting of run/user/$UID/systemd and /run/user/$UID/gnupg.
+Disable the default denying of run/user/$UID/systemd and /run/user/$UID/gnupg.
 .TP
 \fBwritable-var
 Mount /var directory read-write.
@@ -449,7 +455,7 @@ The following security filters are currently implemented:
 
 .TP
 \fBallow-debuggers
-Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv.
+Allow tools such as strace and gdb inside the sandbox by allowing system calls ptrace and process_vm_readv.
 #ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
@@ -460,13 +466,13 @@ Enable AppArmor confinement.
 Enable default Linux capabilities filter.
 .TP
 \fBcaps.drop capability,capability,capability
-Blacklist given Linux capabilities.
+Deny given Linux capabilities.
 .TP
 \fBcaps.drop all
-Blacklist all Linux capabilities.
+Deny all Linux capabilities.
 .TP
 \fBcaps.keep capability,capability,capability
-Whitelist given Linux capabilities.
+Allow given Linux capabilities.
 .TP
 \fBmemory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings
@@ -491,32 +497,32 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
 .TP
 \fBseccomp
-Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
+Enable seccomp filter and deny the syscalls in the default list. See man 1 firejail for more details.
 .TP
 \fBseccomp.32
-Enable seccomp filter and blacklist the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and deny the syscalls in the default list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp syscall,syscall,syscall
-Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
+Enable seccomp filter and deny the system calls in the list on top of default seccomp filter.
 .TP
 \fBseccomp.32 syscall,syscall,syscall
-Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and deny the system calls in the list on top of default seccomp filter for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp.block-secondary
 Enable seccomp filter and filter system call architectures
 so that only the native architecture is allowed.
 .TP
 \fBseccomp.drop syscall,syscall,syscall
-Enable seccomp filter and blacklist the system calls in the list.
+Enable seccomp filter and deny the system calls in the list.
 .TP
 \fBseccomp.32.drop syscall,syscall,syscall
-Enable seccomp filter and blacklist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and deny the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp.keep syscall,syscall,syscall
-Enable seccomp filter and whitelist the system calls in the list.
+Enable seccomp filter and allow the system calls in the list.
 .TP
 \fBseccomp.32.keep syscall,syscall,syscall
-Enable seccomp filter and whitelist the system calls in the list for 32 bit system calls on a 64 bit architecture system.
+Enable seccomp filter and allow the system calls in the list for 32 bit system calls on a 64 bit architecture system.
 .TP
 \fBseccomp-error-action kill | log | ERRNO
 Return a different error instead of EPERM to the process, kill it when
@@ -528,7 +534,7 @@ attempt.
 Enable X11 sandboxing.
 .TP
 \fBx11 none
-Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
+Deny access to /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
 Remove DISPLAY and XAUTHORITY environment variables.
 Stop with error message if X11 abstract socket will be accessible in jail.
 .TP
@@ -731,6 +737,9 @@ Disable DVD and audio CD devices.
 \fBnogroups
 Disable supplementary user groups
 .TP
+\fBnoinput
+Disable input devices.
+.TP
 \fBnosound
 Disable sound system.
 .TP
@@ -743,9 +752,6 @@ Disable U2F devices.
 \fBnovideo
 Disable video capture devices.
 .TP
-\fBnoinput
-Disable input devices.
-.TP
 \fBshell none
 Run the program directly, without a shell.
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 690da4b4e..498ff9aa9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -99,6 +99,40 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 \fB\-\-
 Signal the end of options and disables further option processing.
 .TP
+\fB\-\-allow=dirname_or_filename
+Allow access to a directory or file. A temporary file system is mounted on the top directory, and the
+allowed files are mount-binded inside. Modifications to allowed files are persistent,
+everything else is discarded when the sandbox is closed. The top directory can be
+all directories in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and
+all directories in /usr.
+.br
+
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
+.br
+
+.br
+File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noprofile \-\-allow=~/.mozilla
+.br
+$ firejail \-\-allow=/tmp/.X11-unix --allow=/dev/null
+.br
+$ firejail "\-\-allow=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-allow=~/work* \-\-allow=/var/backups*
+
+
+
+
+
+
+.TP
 \fB\-\-allow-debuggers
 Allow tools such as strace and gdb inside the sandbox by whitelisting
 system calls ptrace and process_vm_readv. This option is only
@@ -147,12 +181,12 @@ private-bin and private-lib are disabled by default when running appimages.
 .br
 Example:
 .br
-$ firejail --appimage krita-3.0-x86_64.appimage
+$ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
 .br
-$ firejail --appimage --private krita-3.0-x86_64.appimage
+$ firejail --appimage --private --profile=krita krita-3.0-x86_64.appimage
 .br
 #ifdef HAVE_X11
-$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
+$ firejail --appimage --net=none --x11 --profile=krita krita-3.0-x86_64.appimage
 #endif
 .TP
 #ifdef HAVE_NETWORK
@@ -169,21 +203,6 @@ Example:
 .br
 # firejail \-\-bind=/config/etc/passwd,/etc/passwd
 .TP
-\fB\-\-blacklist=dirname_or_filename
-Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
-.br
-$ firejail \-\-blacklist=~/.mozilla
-.br
-$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
-.TP
 \fB\-\-build
 The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
 builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
@@ -243,7 +262,7 @@ $ firejail \-\-caps.drop=all warzone2100
 
 .TP
 \fB\-\-caps.drop=capability,capability,capability
-Define a custom blacklist Linux capabilities filter.
+Define a custom Linux capabilities filter.
 .br
 
 .br
@@ -624,14 +643,14 @@ Example:
 $ firejail \-\-debug firefox
 
 .TP
-\fB\-\-debug-blacklists\fR
-Debug blacklisting.
+\fB\-\-debug-allow\fR
+Debug file system access.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-debug-blacklists firefox
+$ firejail \-\-debug-allow firefox
 
 .TP
 \fB\-\-debug-caps
@@ -644,6 +663,16 @@ Example:
 $ firejail \-\-debug-caps
 
 .TP
+\fB\-\-debug-deny\fR
+Debug file access.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-debug-deny firefox
+
+.TP
 \fB\-\-debug-errnos
 Print all recognized error numbers in the current Firejail software build and exit.
 .br
@@ -677,15 +706,7 @@ $ firejail \-\-debug-syscalls
 \fB\-\-debug-syscalls32
 Print all recognized 32 bit system calls in the current Firejail software build and exit.
 .br
-.TP
-\fB\-\-debug-whitelists\fR
-Debug whitelisting.
-.br
 
-.br
-Example:
-.br
-$ firejail \-\-debug-whitelists firefox
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-defaultgw=address
@@ -697,13 +718,32 @@ Example:
 .br
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 #endif
+
+.TP
+\fB\-\-deny=dirname_or_filename
+Deny access to directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-deny=/sbin \-\-deny=/usr/sbin
+.br
+$ firejail \-\-deny=~/.mozilla
+.br
+$ firejail "\-\-deny=/home/username/My Virtual Machines"
+.br
+$ firejail \-\-deny=/home/username/My\\ Virtual\\ Machines
+
+
+
 .TP
 \fB\-\-deterministic-exit-code
 Always exit firejail with the first child's exit status. The default behavior is to use the exit status of the final child to exit, which can be nondeterministic.
 .br
 .TP
 \fB\-\-disable-mnt
-Blacklist /mnt, /media, /run/mount and /run/media access.
+Deny access to /mnt, /media, /run/mount and /run/media.
 .br
 
 .br
@@ -1471,12 +1511,16 @@ Example:
 $ firejail --no3d firefox
 
 .TP
+\fB\-\-noallow=dirname_or_filename
+Disable \-\-allow for this directory or file.
+
+.TP
 \fB\-\-noautopulse \fR(deprecated)
 See --keep-config-pulse.
 
 .TP
-\fB\-\-noblacklist=dirname_or_filename
-Disable blacklist for this directory or file.
+\fB\-\-nodeny=dirname_or_filename
+Disable \-\-deny for this directory or file.
 .br
 
 .br
@@ -1492,7 +1536,7 @@ $ exit
 .br
 
 .br
-$ firejail --noblacklist=/bin/nc
+$ firejail --nodeny=/bin/nc
 .br
 $ nc dict.org 2628
 .br
@@ -1666,10 +1710,6 @@ $ firejail \-\-nou2f
 Disable video devices.
 .br
 
-.TP
-\fB\-\-nowhitelist=dirname_or_filename
-Disable whitelist for this directory or file.
-
 #ifdef HAVE_OUTPUT
 .TP
 \fB\-\-output=logfile
@@ -2129,6 +2169,7 @@ $ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-as=number
 Set the maximum size of the process's virtual memory (address space) in bytes.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 
 .TP
 \fB\-\-rlimit-cpu=number
@@ -2142,6 +2183,7 @@ track of CPU seconds for each process independently.
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-nofile=number
 Set the maximum number of files that can be opened by a process.
@@ -2176,7 +2218,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is  @default-nodebuggers unless allow-debuggers is specified,
+which is  @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 
 .br
@@ -2187,18 +2229,13 @@ system call groups are defined: @aio, @basic-io, @chown, @clock,
 @network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
 @resources, @setuid, @swap, @sync, @system-service and @timer.
 More information about groups can be found in /usr/share/doc/firejail/syscalls.txt
-
-In addition, a system call can be specified by its number instead of
-name with prefix $, so for example $165 would be equal to mount on i386.
-Exceptions can be allowed with prefix !.
+.br
 
 .br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
-and AMD64 both 32-bit and 64-bit filters are installed. On a 64 bit
-architecture, an additional filter for 32 bit system calls can be
-installed with \-\-seccomp.32.
+and AMD64 both 32-bit and 64-bit filters are installed.
 .br
 
 .br
@@ -2209,11 +2246,18 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
+.br
+
+.br
+The default list can be customized, see \-\-seccomp= for a description. It can be customized
+also globally in /etc/firejail/firejail.config file.
+
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
-Enable seccomp filter, whitelist "syscall2", but blacklist the default
-list and the syscalls or syscall groups specified by the
-command.
+Enable seccomp filter, blacklist the default list and the syscalls or syscall groups
+specified by the command, but don't blacklist "syscall2". On a 64 bit
+architecture, an additional filter for 32 bit system calls can be
+installed with \-\-seccomp.32.
 .br
 
 .br
@@ -2223,6 +2267,13 @@ $ firejail \-\-seccomp=utime,utimensat,utimes firefox
 .br
 $ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
 .br
+$ firejail '\-\-seccomp=@ipc,!pipe,!pipe2' audacious
+.br
+
+.br
+Syscalls can be specified by their number if prefix $ is added,
+so for example $165 would be equal to mount on i386.
+.br
 
 .br
 Instead of dropping the syscall by returning EPERM, another error
@@ -2235,6 +2286,7 @@ by using \fBsyscall:kill\fR syntax, or the attempt may be logged with
 
 .br
 Example:
+.br
 $ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
 .br
 Parent pid 10662, child pid 10663
@@ -2243,9 +2295,13 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
 .br
@@ -2258,7 +2314,7 @@ filters.
 .br
 Example:
 .br
-$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
+$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve sh
 .br
 Parent pid 32751, child pid 32752
 .br
@@ -2270,8 +2326,7 @@ Child process initialized in 46.44 ms
 .br
 $ ls
 .br
-Bad system call
-.br
+Operation not permitted
 
 .TP
 \fB\-\-seccomp.block-secondary
@@ -2315,15 +2370,15 @@ Child process initialized
 .br
 $ touch testfile
 .br
+$ ls testfile
+.br
+testfile
+.br
 $ rm testfile
 .br
-rm: cannot remove `testfile': Operation not permitted
+rm: cannot remove `testfile': No such file or directory
 .br
 
-
-
-
-
 .TP
 \fB\-\-seccomp.keep=syscall,@group,!syscall2
 Enable seccomp filter, blacklist all syscall not listed and "syscall2".
@@ -2566,14 +2621,13 @@ Kill the sandbox automatically after the time has elapsed. The time is specified
 $ firejail \-\-timeout=01:30:00 firefox
 .TP
 \fB\-\-tmpfs=dirname
-Mount a writable tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
+Mount a writable tmpfs filesystem on directory dirname. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 
 .br
 Example:
 .br
-# firejail \-\-tmpfs=/var
+$ firejail \-\-tmpfs=~/.local/share
 .TP
 \fB\-\-top
 Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
@@ -2719,33 +2773,6 @@ Example:
 .br
 $ firejail \-\-net=br0 --veth-name=if0
 #endif
-.TP
-\fB\-\-whitelist=dirname_or_filename
-Whitelist directory or file. A temporary file system is mounted on the top directory, and the
-whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
-everything else is discarded when the sandbox is closed. The top directory could be
-user home, /dev, /etc, /media, /mnt, /opt, /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var.
-.br
-
-.br
-Symbolic link handling: with the exception of user home, both the link and the real file should be in
-the same top directory. For user home, both the link and the real file should be owned by the user.
-.br
-
-.br
-File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
-.br
-$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
-.br
-$ firejail "\-\-whitelist=/home/username/My Virtual Machines"
-.br
-$ firejail \-\-whitelist=~/work* \-\-whitelist=/var/backups*
 
 .TP
 \fB\-\-writable-etc
diff --git a/src/man/jailcheck.txt b/src/man/jailcheck.txt
index c80e305cc..483f47fb9 100644
--- a/src/man/jailcheck.txt
+++ b/src/man/jailcheck.txt
@@ -23,6 +23,8 @@ them from inside the sandbox.
 .TP
 \fB5. Seccomp test
 .TP
+\fB6. Networking test
+.TP
 The program is started as root using sudo.
 
 .SH OPTIONS
@@ -56,6 +58,8 @@ $ sudo jailcheck
 .br
    Warning: I can run programs in /home/netblue
 .br
+   Networking: disabled
+.br
 
 .br
 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
@@ -64,12 +68,16 @@ $ sudo jailcheck
 .br
    Warning: I can read ~/.ssh
 .br
+   Networking: enabled
+.br
 
 .br
 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
 .br
    Virtual dirs: /tmp, /var/tmp, /dev,
 .br
+   Networking: enabled
+.br
 
 .br
 26090:netblue::/usr/bin/firejail /opt/firefox/firefox
@@ -78,6 +86,8 @@ $ sudo jailcheck
 .br
                  /run/user/1000,
 .br
+   Networking: enabled
+.br
 
 .br
 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
@@ -90,6 +100,8 @@ $ sudo jailcheck
 .br
    Warning: I can run programs in /home/netblue
 .br
+   Networking: enabled
+.br
 
 
 .SH LICENSE
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c
new file mode 100644
index 000000000..93bb3f73d
--- /dev/null
+++ b/src/tools/profcleaner.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+//*************************************************************
+// Small utility program to convert profiles from blacklist/whitelist to deny/allow
+// Compile:
+//       gcc -o profcleaner profcleaner.c
+// Usage:
+//       profcleaner *.profile
+//*************************************************************
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#define MAXBUF 4096
+
+int main(int argc, char **argv) {
+        printf("Usage: profcleaner files\n");
+        int i;
+
+        for (i = 1; i < argc; i++) {
+                FILE *fp = fopen(argv[i], "r");
+                if (!fp) {
+                        fprintf(stderr, "Error: cannot open %s\n", argv[i]);
+                        return 1;
+                }
+
+                FILE *fpout = fopen("profcleaner-tmp", "w");
+                if (!fpout) {
+                        fprintf(stderr, "Error: cannot open output file\n");
+                        return 1;
+                }
+
+                char buf[MAXBUF];
+                while (fgets(buf, MAXBUF, fp)) {
+                        if (strncmp(buf, "blacklist-nolog", 15) == 0)
+                                fprintf(fpout, "deny-nolog %s", buf + 15);
+                        else if (strncmp(buf, "blacklist", 9) == 0)
+                                fprintf(fpout, "deny %s", buf + 9);
+                        else if (strncmp(buf, "noblacklist", 11) == 0)
+                                fprintf(fpout, "nodeny %s", buf + 11);
+                        else if (strncmp(buf, "whitelist", 9) == 0)
+                                fprintf(fpout, "allow %s", buf + 9);
+                        else if (strncmp(buf, "nowhitelist", 11) == 0)
+                                fprintf(fpout, "noallow %s", buf + 11);
+                        else
+                                fprintf(fpout, "%s", buf);
+                }
+
+                fclose(fp);
+                fclose(fpout);
+                unlink(argv[i]);
+                rename("profcleaner-tmp", argv[i]);
+        }
+
+        return 0;
+}
\ No newline at end of file
diff --git a/src/tools/profcleaner.sh b/src/tools/profcleaner.sh
new file mode 100755
index 000000000..709008e08
--- /dev/null
+++ b/src/tools/profcleaner.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright (C) 2021 Firejail Authors
+#
+# This file is part of firejail project
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+if [[ $1 == --help ]]; then
+        cat <<-EOM
+        USAGE:
+          profcleaner.sh --help        Show this help message and exit
+          profcleaner.sh --system      Clean all profiles in /etc/firejail
+          profcleaner.sh --user        Clean all profiles in ~/.config/firejail
+          profcleaner.sh /path/to/profile1 /path/to/profile2 ...
+        EOM
+        exit 0
+fi
+
+if [[ $1 == --system ]]; then
+        profiles=(/etc/firejail/*.{inc,local,profile})
+elif [[ $1 == --user ]]; then
+        profiles=("$HOME"/.config/firejail/*.{inc,local,profile})
+else
+        profiles=("$@")
+fi
+
+sed -i -E \
+        -e "s/^(# |#)?blacklist/\1deny/" \
+        -e "s/^(# |#)?noblacklist/\1nodeny/" \
+        -e "s/^(# |#)?whitelist/\1allow/" \
+        -e "s/^(# |#)?nowhitelist/\1noallow/" \
+        "${profiles[@]}"
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index f1a19b86d..b703783b0 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -48,8 +48,8 @@ _firejail_args=(
     '*::arguments:_normal'
 
     '--appimage[sandbox an AppImage application]'
-    '--build[build a whitelisted profile for the application and print it on stdout]'
-    '--build=-[build a whitelisted profile for the application and save it]: :_files'
+    '--build[build a profile for the application and print it on stdout]'
+    '--build=-[build a profile for the application and save it]: :_files'
     # Ignore that you can do -? too as it's the only short option
     '--help[this help screen]'
     '--join=-[join the sandbox name|pid]: :_all_firejails'
@@ -63,14 +63,14 @@ _firejail_args=(
     '--version[print program version and exit]'
 
     '--debug[print sandbox debug messages]'
-    '--debug-blacklists[debug blacklisting]'
+    '--debug-allow[debug file system access]'
     '--debug-caps[print all recognized capabilities]'
+    '--debug-deny[debug file system access]'
     '--debug-errnos[print all recognized error numbers]'
     '--debug-private-lib[debug for --private-lib option]'
     '--debug-protocols[print all recognized protocols]'
     '--debug-syscalls[print all recognized system calls]'
     '--debug-syscalls32[print all recognized 32 bit system calls]'
-    '--debug-whitelists[debug whitelisting]'
 
     '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
     '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails'
@@ -83,13 +83,13 @@ _firejail_args=(
     '--allusers[all user home directories are visible inside the sandbox]'
     # Should be _files, a comma and files or files -/
     '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
-    '*--blacklist=-[blacklist directory or file]: :_files'
     '--caps[enable default Linux capabilities filter]'
     '--caps.drop=all[drop all capabilities]'
     '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
     '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
     '--cgroup=-[place the sandbox in the specified control group]: :'
     '--cpu=-[set cpu affinity]: :->cpus'
+    '*--deny=-[deny access to directory or file]: :_files'
     "--deterministic-exit-code[always exit with first child's status code]"
     '*--dns=-[set DNS server]: :'
     '*--env=-[set environment variable]: :'
@@ -112,7 +112,7 @@ _firejail_args=(
     '--nice=-[set nice value]: :(1 10 15 20)'
     '--no3d[disable 3D hardware acceleration]'
     '--noautopulse[disable automatic ~/.config/pulse init]'
-    '--noblacklist=-[disable blacklist for file or directory]: :_files'
+    '--nodeny=-[disable deny command for file or directory]: :_files'
     '--nodbus[disable D-Bus access]'
     '--nodvd[disable DVD and audio CD devices]'
     '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
@@ -143,13 +143,13 @@ _firejail_args=(
     '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
     '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
     '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
-    '--seccomp[enable seccomp filter and apply the default blacklist]: :'
-    '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp'
+    '--seccomp[enable seccomp filter and drop the default syscalls]: :'
+    '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp'
     '--seccomp.block-secondary[build only the native architecture filters]'
-    '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp'
-    '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp'
-    '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
-    '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
+    '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
+    '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
     # FIXME: Add errnos
     '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
     '--shell=none[run the program directly without a user shell]'
@@ -157,7 +157,7 @@ _firejail_args=(
     '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
     #'(--tracelog)--trace[trace open, access and connect system calls]'
     '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'
-    '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
+    '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]'
     '(--private-etc)--writable-etc[/etc directory is mounted read-write]'
     '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
     '--writable-var[/var directory is mounted read-write]'
@@ -251,10 +251,8 @@ _firejail_args=(
     '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
 
-#ifdef HAVE_WHITELIST
-    '*--nowhitelist=-[disable whitelist for file or directory]: :_files'
-    '*--whitelist=-[whitelist directory or file]: :_files'
-#endif
+    '*--noallow=-[disable allow command for file or directory]: :_files'
+    '*--allow=-[allow file system access]: :_files'
 
 #ifdef HAVE_X11
     '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
diff --git a/test/environment/rlimit-bad-profile.exp b/test/environment/rlimit-bad-profile.exp
index b838f83f4..b1572afb6 100755
--- a/test/environment/rlimit-bad-profile.exp
+++ b/test/environment/rlimit-bad-profile.exp
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --profile=rlimit-bad1.profile\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "invalid rlimit"
+        "invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix."
 }
 after 100
 
diff --git a/test/environment/rlimit-bad.exp b/test/environment/rlimit-bad.exp
index 3a82ded9b..c05e14b97 100755
--- a/test/environment/rlimit-bad.exp
+++ b/test/environment/rlimit-bad.exp
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --rlimit-fsize=-1024\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "invalid rlimit"
+        "invalid rlimit-fsize. Only use positive numbers and k, m or g suffix."
 }
 after 100
 
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp
index 8dd08aa72..78b6efb76 100755
--- a/test/fs/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -41,7 +41,7 @@ after 500
 send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Error"
+        "Warning: you are not allowed to mount a tmpfs"
 }
 after 500
 
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp
index 27ee2433e..dcc2276b8 100755
--- a/test/fs/whitelist.exp
+++ b/test/fs/whitelist.exp
@@ -16,10 +16,7 @@ send -- "rm ~/fjtest-file\r"
 after 200
 send -- "rm ~/fjtest-file-lnk\r"
 after 200
-send -- "rm /tmp/fjtest-file\r"
-after 200
-send -- "rm -fr /tmp/fjtest-dir\r"
-after 200
+
 
 
 # simple files and directories
@@ -149,63 +146,7 @@ expect {
 send -- "exit\r"
 sleep 1
 
-# symlinks outside home to a file we don't own
-send -- "rm ~/fjtest-file-lnk\r"
-after 200
-send -- "ln -s /etc/passwd ~/fjtest-file-lnk\r"
-after 200
-send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
-expect {
-        timeout {puts "TESTING ERROR 30\n";exit}
-        "invalid whitelist path"
-}
-expect {
-        timeout {puts "TESTING ERROR 31\n";exit}
-        "cannot sync with peer"
-}
-sleep 1
-
-# symlinks outside home to a file we own
-send -- "rm -fr ~/fjtest-dir-lnk\r"
-after 200
-send -- "rm ~/fjtest-file-lnk\r"
-after 200
-send -- "echo 123 > /tmp/fjtest-file\r"
-after 200
-send -- "mkdir /tmp/fjtest-dir\r"
-after 200
-send -- "echo 123 > /tmp/fjtest-dir/fjtest-file\r"
-after 200
-send -- "ln -s /tmp/fjtest-file ~/fjtest-file-lnk\r"
-after 200
-send -- "ln -s /tmp/fjtest-dir ~/fjtest-dir-lnk\r"
-after 200
-send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r"
-expect {
-        timeout {puts "TESTING ERROR 40\n";exit}
-        "Child process initialized"
-}
-sleep 1
-
-send -- "ls -l ~/ | grep -v total | wc -l\r"
-expect {
-        timeout {puts "TESTING ERROR 41\n";exit}
-        "2"
-}
 
-send -- "cat ~/fjtest-file-lnk\r"
-expect {
-        timeout {puts "TESTING ERROR 42\n";exit}
-        "123"
-}
-
-send -- "cat ~/fjtest-dir-lnk/fjtest-file\r"
-expect {
-        timeout {puts "TESTING ERROR 43\n";exit}
-        "123"
-}
-send -- "exit\r"
-sleep 1
 
 # cleanup
 send -- "rm -fr ~/fjtest-dir\r"
@@ -216,10 +157,5 @@ send -- "rm ~/fjtest-file\r"
 after 200
 send -- "rm ~/fjtest-file-lnk\r"
 after 200
-send -- "rm /tmp/fjtest-file\r"
-after 200
-send -- "rm -fr /tmp/fjtest-dir\r"
-after 200
-
 
 puts "\nall done\n"
diff --git a/test/profiles/comment.profile b/test/profiles/comment.profile
new file mode 100644
index 000000000..4a907a408
--- /dev/null
+++ b/test/profiles/comment.profile
@@ -0,0 +1,3 @@
+# this is a comment
+net none # this is another comment
+private # some other comment
diff --git a/test/profiles/profile_comment.exp b/test/profiles/profile_comment.exp
new file mode 100755
index 000000000..a2be510c1
--- /dev/null
+++ b/test/profiles/profile_comment.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm -fr /tmp/firejailtest*\r"
+send -- "rm -fr /tmp/firejail-strace*\r"
+send -- "rm -fr /tmp/firejail-trace*\r"
+sleep 1
+
+send -- "firejail --profile=comment.profile /usr/bin/true\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Parent is shutting down"
+}
+sleep 2
+
+send -- "firejail --build=/tmp/firejailtest.profile /usr/bin/true\r"
+sleep 1
+
+send -- "cat /tmp/firejailtest.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "seccomp"
+}
+after 100
+
+send -- "firejail --profile=/tmp/firejailtest.profile /usr/bin/true\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Parent is shutting down"
+}
+after 100
+
+send -- "rm -fr /tmp/firejailtest*\r"
+send -- "rm -fr /tmp/firejail-strace*\r"
+send -- "rm -fr /tmp/firejail-trace*\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index a5f74f2e2..cbc6fa4d9 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -7,6 +7,9 @@ export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 export LC_ALL=C
 
+echo "TESTING: profile comments (test/profiles/profilecomment.exp)"
+./profile_comment.exp
+
 echo "TESTING: profile conditional (test/profiles/conditional.exp)"
 ./conditional.exp