278 files changed, 3794 insertions, 1091 deletions

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index ae7b1089a..562d6b9e1 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -12,9 +12,9 @@ Write clear, concise and in textual form.
 - Describe the bug.
 - What did you expect to happen?
 
-**No profile or disabling firejail**
-- What changed calling `firejail --noprofile PROGRAM` in a shell?
-- What changed calling the program *by path*=without firejail (check `whereis PROGRAM`, `firejail --list`, `stat $programpath`)?
+**No profile and disabling firejail**
+- What changed calling `firejail --noprofile /path/to/program` in a terminal?
+- What changed calling the program by path (check `which <program>` or `firejail --list` while the sandbox is running)?
 
 **Reproduce**
 Steps to reproduce the behavior:
@@ -24,19 +24,19 @@ Steps to reproduce the behavior:
 4. Scroll down to '....'
 
 **Environment**
- - Linux distribution and version (ie output of `lsb_release -a`)
- - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)
- - What other programs interact with the affected program for the functionality?
- - Are these listed in the profile? 
+ - Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`)
+ - Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`) 
 
 **Additional context**
 Other context about the problem like related errors to understand the problem.
 
 **Checklist**
  - [ ] The upstream profile (and redirect profile if exists) have no changes fixing it.
- - [ ] The upstream profile exists (`find / -name 'firejail' 2>/dev/null`/`fd firejail` to locate profiles ie in `/usr/local/etc/firejail/PROGRAM.profile`)
- - [ ] Programs needed for interaction are listed.
- - [ ] Error was checked in search engine and on issue list without success.
+ - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
+ - [ ] Programs needed for interaction are listed in the profile.
+ - [ ] A short search for duplicates was performed.
+ - [ ] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
+ - [ ] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
 
 
 <details><summary> debug output </summary>
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000..71cb7f0b4
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,55 @@
+name: Build CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build_and_test:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install dependencies
+      run: sudo apt-get install gcc-10 libapparmor-dev libselinux1-dev expect xzdec
+    - name: configure
+      run: CC=gcc-10 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
+    - name: make
+      run: make
+    - name: make install
+      run: sudo make install
+    - name: run tests
+      run: SHELL=/bin/bash make test-github
+  build-clang:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: configure
+      run: CC=clang-10 ./configure --enable-fatal-warnings
+    - name: make
+      run: make
+  scan-build:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install clang-tools-10
+      run: sudo apt-get install clang-tools-10
+    - name: configure
+      run: CC=clang-10 ./configure --enable-fatal-warnings
+    - name: scan-build
+      run: NO_EXTRA_CFLAGS="yes" scan-build-10 --status-bugs make
+  cppcheck:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: install cppcheck
+      run: sudo apt-get install cppcheck
+    - name: cppcheck
+      run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
+  profile-sort:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: check profiles
+      run: ./contrib/sort.py etc/*/{*.inc,*.net,*.profile}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000..a37bbb5c7
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,71 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL"
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: '0 7 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['cpp', 'python']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file. 
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
diff --git a/.gitignore b/.gitignore
index 8142985b3..76ce6c7ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,8 @@
 *.gcno
 *.DS_Store
 .directory
+*.man
+.vscode
 Makefile
 autom4te.cache/
 config.log
@@ -35,7 +37,7 @@ src/fsec-optimize/fsec-optimize
 src/fcopy/fcopy
 src/fldd/fldd
 src/fbuilder/fbuilder
-etc/profstats
+src/profstats/profstats
 uids.h
 seccomp
 seccomp.debug
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 11f25284d..5affd5cff 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,7 +9,7 @@ build_ubuntu_package:
     image: ubuntu:rolling
     script:
         - apt-get update -qq
-        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3
+        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian pkg-config python3 gawk
         - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
         - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc
 
@@ -17,7 +17,7 @@ build_debian_package:
     image: debian:stretch
     script:
         - apt-get update -qq
-        - apt-get install -y -qq build-essential lintian pkg-config
+        - apt-get install -y -qq build-essential lintian pkg-config gawk
         - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
 
 build_redhat_package:
@@ -40,7 +40,7 @@ build_src_package:
     script:
         - apk update
         - apk upgrade
-        - apk add build-base linux-headers python3
+        - apk add build-base linux-headers python3 gawk
         - ./configure --prefix=/usr && make && make install-strip
         # - python3 contrib/sort.py etc/*.{profile,inc}
 
@@ -48,26 +48,9 @@ build_apparmor:
     image: ubuntu:latest
     script:
         - apt-get update -qq
-        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config
+        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq build-essential lintian libapparmor-dev pkg-config gawk
         - ./configure --prefix=/usr && make deb-apparmor && dpkg -i firejail*.deb
 
-cppcheck:
-    image: debian:latest
-    before_script:
-        - apt-get -qq update
-        - apt-get -qq --no-install-recommends install cppcheck
-    script:
-        - cppcheck -q --force --error-exitcode=1 --enable=warning,performance .
-
-clang:
-    image: ubuntu:latest
-    script:
-        - apt-get update -qq
-        - apt-get --purge autoremove -y -qq gcc
-        - DEBIAN_FRONTEND=noninteractive apt-get install -y -qq clang pkg-config make
-        - ./configure --prefix=/usr CC=/usr/bin/clang && make && make install-strip
-
-
 debian_ci:
     image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
     variables:
@@ -88,6 +71,6 @@ debian_ci:
         - git add debian && git commit -m "add debian/"
         - export CI_COMMIT_SHA=$(git rev-parse HEAD)
     script:
-        - apt-get --no-install-recommends install pkg-config
+        - apt-get --no-install-recommends install -y -qq gawk
         - gitlab-ci-git-buildpackage
         - gitlab-ci-lintian
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index f1590aaa2..000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-language: c
-dist: trusty
-sudo: true
-
-script:
-  - sudo apt-get -y install expect csh xzdec lintian fakeroot
-  - ( ./configure --enable-fatal-warnings --prefix=/usr && make && sudo make install && make test-travis )
-  - ( sudo make install-strip DESTDIR=$(readlink -f appdir) )
-#  # If successful, build release tarball
-#  - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )
-#  - curl --upload-file ./firejail-*.tar.bz2 https://transfer.sh/firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2
-#  - # Could use https://github.com/probonopd/uploadtool to upload to GitHub Releases instead
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 07a9eef04..688101d13 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -25,7 +25,7 @@ ensure that **both** of the following were installed:
 firejail-profiles was not installed when installing firejail.
 
 We take security bugs very seriously. If you believe you have found one, please report it by
-emailing us at netblue30@yahoo.com
+emailing us at netblue30@protonmail.com
 
 # Opening an pull request:
 Pull requests with enhancements, bugfixes or new profiles are very welcome.
diff --git a/Makefile.in b/Makefile.in
index 890ba1b0a..623c8bd39 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -10,23 +10,26 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 PACKAGE_TARNAME=@PACKAGE_TARNAME@
 DOCDIR=@docdir@
-HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_APPARMOR=@HAVE_APPARMOR@
 HAVE_CONTRIB_INSTALL=@HAVE_CONTRIB_INSTALL@
 BUSYBOX_WORKAROUND=@BUSYBOX_WORKAROUND@
 HAVE_SUID=@HAVE_SUID@
+HAVE_MAN=@HAVE_MAN@
 
-all: all_items man filters
+ifneq ($(HAVE_MAN),no)
+MAN_TARGET = man
+MAN_SRC = src/man
+endif
+
+all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats
 SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
-MYDIRS = src/lib
+MYDIRS = src/lib $(MAN_SRC)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
-ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
-endif
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
 
 .PHONY: all_items $(ALL_ITEMS)
@@ -34,18 +37,18 @@ all_items: $(ALL_ITEMS)
 $(ALL_ITEMS): $(MYDIRS)
         $(MAKE) -C $(dir $@)
 
-.PHONY: mydirs
-mydirs: mydirs $(MYDIRS)
+.PHONY: mydirs $(MYDIRS)
+mydirs: $(MYDIRS)
 $(MYDIRS):
         $(MAKE) -C $@
 
-$(MANPAGES): $(wildcard src/man/*.txt)
-        ./mkman.sh $(VERSION) src/man/$(basename $@).txt $@
+
+$(MANPAGES): src/man
+        ./mkman.sh $(VERSION) src/man/$(basename $@).man $@
 
 man: $(MANPAGES)
 
 filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
-ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
 seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
         src/fseccomp/fseccomp default seccomp
         src/fsec-optimize/fsec-optimize seccomp
@@ -66,12 +69,12 @@ seccomp.mdwx: src/fseccomp/fseccomp
 
 seccomp.mdwx.32: src/fseccomp/fseccomp
         src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
-endif
 
 clean:
         for dir in $$(dirname $(ALL_ITEMS)) $(MYDIRS); do \
                 $(MAKE) -C $$dir clean; \
         done
+        $(MAKE) -C test clean
         rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
         rm -f $(SECCOMP_FILTERS)
         rm -f test/utils/index.html*
@@ -108,7 +111,8 @@ endif
         install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
         install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
         # non-dumpable plugins
-        install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
+        install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
+        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
 ifeq ($(HAVE_CONTRIB_INSTALL),yes)
         # contrib scripts
         install -m 0755 -t $(DESTDIR)$(libdir)/firejail contrib/*.py contrib/*.sh
@@ -136,6 +140,7 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
         # install apparmor profile customization file
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
 endif
+ifneq ($(HAVE_MAN),no)
         # man pages
         install -m 0755 -d $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(mandir)/man5
         for man in $(MANPAGES); do \
@@ -147,6 +152,7 @@ endif
                 esac; \
         done
         rm -f $(MANPAGES) $(MANPAGES:%=%.gz)
+endif
         # bash completion
         install -m 0755 -d $(DESTDIR)$(datarootdir)/bash-completion/completions
         install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail
@@ -176,7 +182,7 @@ uninstall:
         @echo "If you want to install a different version of firejail, you might also need to run 'rm -fr $(DESTDIR)$(sysconfdir)/firejail', see #2038."
 
 DISTFILES = "src etc m4 platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh.in COPYING README RELNOTES"
-DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
+DISTFILES_TEST = "test/Makefile.in test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
 
 dist:
         mv config.status config.status.old
@@ -205,7 +211,7 @@ test-compile: dist
         cd test/compile; ./compile.sh $(NAME)-$(VERSION)
 
 .PHONY: rpms
-rpms:
+rpms: src/man
         ./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
 
 extras: all
@@ -222,47 +228,11 @@ scan-build: clean
 # make test
 #
 
+TESTS=profiles private-lib apps apps-x11 apps-x11-xorg sysutils utils environment filters arguments fs fcopy fnetfilter
+TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
 
-test-profiles:
-        cd test/profiles; ./profiles.sh | grep TESTING
-
-test-private-lib:
-        cd test/private-lib; ./private-lib.sh | grep TESTING
-
-test-apps:
-        cd test/apps; ./apps.sh | grep TESTING
-
-test-apps-x11:
-        cd test/apps-x11; ./apps-x11.sh | grep TESTING
-
-test-apps-x11-xorg:
-        cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING
-
-test-sysutils:
-        cd test/sysutils; ./sysutils.sh | grep TESTING
-
-test-utils:
-        cd test/utils; ./utils.sh | grep TESTING
-
-test-environment:
-        cd test/environment; ./environment.sh | grep TESTING
-
-test-filters:
-ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
-        cd test/filters; ./filters.sh | grep TESTING
-endif
-
-test-arguments:
-        cd test/arguments; ./arguments.sh | grep TESTING
-
-test-fs:
-        cd test/fs; ./fs.sh | grep TESTING
-
-test-fcopy:
-        cd test/fcopy; ./fcopy.sh | grep TESTING
-
-test-fnetfilter:
-        cd test/fnetfilter; ./fnetfilter.sh | grep TESTING
+$(TEST_TARGETS):
+        $(MAKE) -C test $(subst test-,,$@)
 
 test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
         echo "TEST COMPLETE"
@@ -270,7 +240,7 @@ test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-uti
 test-noprofiles: test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
         echo "TEST COMPLETE"
 
-test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments
+test-github: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-arguments
         echo "TEST COMPLETE"
 
 ##########################################
@@ -281,32 +251,32 @@ test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sy
 
 # a firejail-test account is required, public/private key setup
 test-ssh:
-        cd test/ssh; ./ssh.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
 # requires root access
 test-chroot:
-        cd test/chroot; ./chroot.sh | grep testing
+        $(MAKE) -C test $(subst test-,,$@)
 
 # Huge appimage files, not included in "make dist" archive
 test-appimage:
-        cd test/appimage; ./appimage.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
 # Root access, network devices are created before the test
 # restart your computer to get rid of these devices
 test-network:
-        cd test/network; ./network.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
 # requires the same setup as test-network
 test-stress:
-        cd test/stress; ./stress.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
 # Tests running a root user
 test-root:
-        cd test/root; su -c ./root.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
 # OverlayFS is not available on all platforms
 test-overlay:
-        cd test/overlay; ./overlay.sh | grep TESTING
+        $(MAKE) -C test $(subst test-,,$@)
 
 # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
 
diff --git a/README b/README
index 04a3fda59..81f5fd5e8 100644
--- a/README
+++ b/README
@@ -15,7 +15,7 @@ Documentation and support: https://firejail.wordpress.com/
 Development: https://github.com/netblue30/firejail
 License: GPL v2
 
-
+Please report all security vulnerabilities at netblue30@protonmail.com
 
 Compile and install mainline version from GitHub:
 
@@ -27,12 +27,12 @@ On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
 development libraries and pkg-config are required when using --apparmor
 ./configure option:
 
-$ sudo apt-get install git build-essential libapparmor-dev pkg-config
+$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
 
 For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
 
 Maintainer:
-- netblue30 (netblue30@yahoo.com)
+- netblue30 (netblue30@protonmail.com)
 
 Committers
 - chiraag-nataraj (https://github.com/chiraag-nataraj)
@@ -49,7 +49,7 @@ Committers
 - Topi Miettinen (https://github.com/topimiettinen)
 - veloute (https://github.com/veloute)
 - Vincent43 (https://github.com/Vincent43)
-- netblue30 (netblue30@yahoo.com)
+- netblue30 (netblue30@protonmail.com)
 
 
 
@@ -100,6 +100,7 @@ Alexander Stein (https://github.com/ajstein)
 Amin Vakil (https://github.com/aminvakil)
         - whois profile fix
         - added profile for strawberry
+        - w3m profile fix
 Andreas Hunkeler (https://github.com/Karneades)
         - Add profile for offical Linux Teams application
 Andrey Alekseenko (https://github.com/al42and)
@@ -113,6 +114,8 @@ announ (https://github.com/announ)
         - mpv and youtube-dl profile fixes
         - git profile fix
         - evince profile fix
+Anton Shestakov (https://github.com/antonv6)
+        - add whitelist items for uim
 Antonio Russo (https://github.com/aerusso)
         - enumerate root directories in apparmor profile
         - fix join-or-start
@@ -121,6 +124,8 @@ Antonio Russo (https://github.com/aerusso)
         - manpage fixes
 aoand (https://github.com/aoand)
         - seccomp fix: allow numeric syscalls
+Arne Welzel (https://github.com/awelzel)
+        - ignore SIGTTOU during flush_stdin()
 Atrate (https://github.com/Atrate)
         - BetterDiscord support
 Austin Morton (https://github.com/apmorton)
@@ -145,6 +150,9 @@ avoidr (https://github.com/avoidr)
         - added mcabber profile
         - fixed mpv profile
         - various other fixes
+backspac (https://github.com/backspac)
+        - firecfg fixes
+        - add steam-runtime alias
 Bader Zaidan (https://github.com/BaderSZ)
         - Telegram profile
 Bandie (https://github.com/Bandie)
@@ -168,12 +176,15 @@ BogDan Vatra (https://github.com/bog-dan-ro)
         - zoom profile
 Brad Ackerman
         - blacklist Bitwarden config in disable-passwdmgr.inc
+briaeros (https://github.com/briaeros)
+        - fix command test in jail_prober.py
 Bruno Nova (https://github.com/brunonova)
         - whitelist fix
         - bash arguments fix
 Bundy01 (https://github.com/Bundy01)
         - fixup geary
         - add gradio profile
+        - update virtualbox.profile
 BytesTuner (https://github.com/BytesTuner)
         - provided keepassxc profile
 caoliver (https://github.com/caoliver)
@@ -181,10 +192,12 @@ caoliver (https://github.com/caoliver)
 Carlo Abelli (https://github.com/carloabelli)
         - fixed udiskie profile
         - Allow mbind syscall for GIMP
+        - fixed simple-scan
 Cat (https://github.com/ecat3)
         - prevent tmux connecting to an existing session
 Christian Pinedo (https://github.com/chrpinedo)
         - added nicotine profile
+        - allow python3 in totem profile
 creideiki (https://github.com/creideiki)
         - make the sandbox process reap all children
         - tor browser profile fix
@@ -202,6 +215,7 @@ Clayton Williams (https://github.com/gosre)
 corecontingency (https://https://github.com/corecontingency)
         - tighten private-bin and etc for torbrowser-launcher.profile
         - added i2prouter profile
+        - add several games to steam and disable-programs
 crass (https://github.com/crass)
         - extract_command_name fixes
         - update appimage size calculation to newest code from libappimage
@@ -238,10 +252,14 @@ Danil Semelenov (https://github.com/sgtpep)
 Dara Adib (https://github.com/daradib)
         - ssh profile fix
         - evince profile fix
+Dario Pellegrini (https://github.com/dpellegr)
+        - allowing links in netns
 David Thole (https://github.com/TheDarkTrumpet)
         - added profile for teams-for-linux
 Davide Beatrici (https://github.com/davidebeatrici)
         - steam.profile: correctly blacklist unneeded directories in user's home
+David Hyrule (https://github.com/Svaag)
+        - remove nou2f in ssh profile
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
         - added xpdf profile
 Denys Havrysh (https://github.com/vutny)
@@ -253,6 +271,7 @@ dewbasaur (https://github.com/dewbasaur)
         - Steam profile
 DiGitHubCap (https://github.com/DiGitHubCap)
         - deluge profile fix
+        - fix qt5ct colour schemes and QSS
 Disconnect3d (https://github.com/disconnect3d)
         - code cleanup
 dmfreemon (https://github.com/dmfreemon)
@@ -269,6 +288,8 @@ Eduard Tolosa (https://github.com/Edu4rdSHL)
         - fixed gajim.profile
 emacsomancer (https://github.com/emacsomancer)
         - added profile for Conkeror browser
+Emil Gedda (https://github.com/EmilGedda)
+        - fix multicast CIDR address in nolocal.net
 eventyrer (https://github.com/eventyrer)
         - update gnome-mplayer.profile
 Ethan R (https://github.com/AN3223)
@@ -397,8 +418,12 @@ hawkey116477 (https://github.com/hawkeye116477)
         - updated Waterfox profile
 Helmut Grohne (https://github.com/helmutg)
         -  compiler support in the build system - Debian bug #869707
+hlein (https://github.com/hlein)
+        - strip out \r's from jail prober
 Holger Heinz (https://github.com/hheinz)
         - manpage work
+Haowei Yu (https://github.com/sfc-gh-hyu)
+        - add configure options when building rpm
 Icaro Perseo (https://github.com/icaroperseo)
         - Icecat profile
         - several profile fixes
@@ -442,6 +467,8 @@ Jean Lucas (https://github.com/flacks)
         - allow reading of system-wide Flatpak locale in gajim profile
 Jean-Philippe Eisenbarth (https://github.com/jpeisenbarth)
         - fixed spotify.profile
+Jeff Squyres (https://github.com/jsquyres)
+        - various manpage fixes
 Jericho (https://github.com/attritionorg)
         - spelling
 Jesse Smith (https://github.com/slicer69)
@@ -478,6 +505,8 @@ juan (https://github.com/nyancat18)
         - profile hardening
 Kaan Genç (https://github.com/SeriousBug)
         - dynamic allocation of noblacklist buffer
+Karoshi42 (https://github.com/karoshi42)
+        - update dino-im.profile
 KellerFuchs (https://github.com/KellerFuchs)
         - nonewpriv support, extended profiles for this feature
         - make `restricted-network` prevent use of netfilter
@@ -488,10 +517,17 @@ KellerFuchs (https://github.com/KellerFuchs)
         - make ~/.local read-only
 Kishore96in (https://github.com/Kishore96in)
         - added falkon profile
+        - kxmlgui fixes
+        - okular profile fixes
+        -  jitsi-meet-desktop profile
+        - konversatin profile fix
 KOLANICH (https://github.com/KOLANICH)
         - added symlink fixer fix_private-bin.py in contrib section
         - update fix_private-bin.py
         - fix meld
+kortewegdevries (https://github.com/kortewegdevries)
+        - a whole bunch of new profiles and fixes
+        - whitelisting evolution, kmail
 Kristóf Marussy (https://github.com/kris7t)
         - dns support
 Kunal Mehta (https://github.com/legoktm)
@@ -509,6 +545,7 @@ Loïc Damien (https://github.com/dzamlo)
 Liorst4 (https://github.com/Liorst4)
         - Preserve CFLAGS given to configure in common.mk.in
         - fix emacs config to load as read-write
+        - disable browser drm by default
 Lockdis (https://github.com/Lockdis)
         - Added crow, nyx, and google-earth-pro profiles
 Lukáš Krejčí (https://github.com/lskrejci)
@@ -556,11 +593,17 @@ mirabellette (https://github.com/mirabellette)
 mjudtmann (https://github.com/mjudtmann)
         - lock firejail configuration in disable-mgmt.inc
 mustaqimM (https://github.com/mustaqimM)
-    - added profile for Nylas Mail
+        - added profile for Nylas Mail
 n1trux (https://github.com/n1trux)
         - fix flashpeak-slimjet profile typos
 nblock (https://github.com/nblock)
         - cmus: allow access to resolv.conf
+neirenoir (https://github.com/neirenoir) and noir <noir@neire.dev>
+        - fixed Blender profile being unable to import numpy
+Neo00001 (https://github.com/Neo00001)
+        - add vmware profile
+        - update virtualbox profile
+        - update telegram profile
 Nick Fox (https://github.com/njfox)
         - add a profile alias for code-oss
         - add code-oss config directory
@@ -575,6 +618,13 @@ nyancat18 (https://github.com/nyancat18)
         - added ardour4, dooble, karbon, krita profiles
 Ondra Nekola (https://github.com/satai)
         - allow firefox theming with non-global themes
+OndrejMalek (https://github.com/OndrejMalek)
+        - various manpage fixes
+Ondřej Nový (https://github.com/onovy)
+        -  allow video for Signal profile
+        - added Mattermost desktop profile
+        - hardened Zoom profile
+        - hardened Signal desktop profile
 Lorenzo "Palinuro" Faletra (https://github.com/PalinuroSec)
         - prevent thunderbird conflicts when firefox is running
         - add join-or-start to pluma to open multiple files in tabs
@@ -702,6 +752,8 @@ Senemu (https://github.com/Senemu)
 Sergey Alirzaev (https://github.com/l29ah)
         - firejail.h enum fix
         - firefox-common-addons.inc: + tridactyl
+Slava Monich (https://github.com/monich)
+        - added configure option to disable man pages
 Tobias Schmidl (https://github.com/schtobia)
         - added profile for webui-aria2
 Simon Peter (https://github.com/probonopd)
diff --git a/README.md b/README.md
index 14ca60e33..a9a89a63c 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,4 @@
 # Firejail
-[![Test Status](https://travis-ci.org/netblue30/firejail.svg?branch=master)](https://travis-ci.org/netblue30/firejail)
 [![Build Status](https://gitlab.com/Firejail/firejail_ci/badges/master/pipeline.svg)](https://gitlab.com/Firejail/firejail_ci/pipelines/)
 [![Packaging status](https://repology.org/badge/tiny-repos/firejail.svg)](https://repology.org/project/firejail/versions)
 
@@ -66,14 +65,12 @@ FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
 
 Wiki: https://github.com/netblue30/firejail/wiki
 
-Travis-CI status: https://travis-ci.org/netblue30/firejail
-
 GitLab-CI status: https://gitlab.com/Firejail/firejail_ci/pipelines/
 
 
 ## Security vulnerabilities
 
-We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com
+We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@protonmail.com
 
 ## Installing
 
@@ -92,7 +89,7 @@ On Debian/Ubuntu you will need to install git and gcc compiler. AppArmor
 development libraries and pkg-config are required when using --apparmor
 ./configure option:
 `````
-$ sudo apt-get install git build-essential libapparmor-dev pkg-config
+$ sudo apt-get install git build-essential libapparmor-dev pkg-config gawk
 `````
 For --selinux option, add libselinux1-dev (libselinux-devel for Fedora).
 
@@ -154,46 +151,47 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 
 `````
-## Latest released version: 0.9.62
+## Latest released version: 0.9.64
+
+## Current development version: 0.9.65
+
+Milestone page: https://github.com/netblue30/firejail/milestone/1
+Release discussion: https://github.com/netblue30/firejail/issues/3696
+
 
-## Current development version: 0.9.63
 
 ### Profile Statistics
 
-A small tool to print profile statistics. Compile as usual and run:
+A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
 `````
-$ make
-$ cd etc
+$ sudo cp src/profstats/profstats /etc/firejail/.
+$ cd /etc/firejail
 $ ./profstats *.profile
-    profiles                    966
-    include local profile       966   (include profile-name.local)
-    include globals             966   (include globals.local)
-    blacklist ~/.ssh            951   (include disable-common.inc)
-    seccomp                     908
-    capabilities                965
-    noexec                      830   (include disable-exec.inc)
-    memory-deny-write-execute   214
-    apparmor                    488
-    private-bin                 483
-    private-dev                 829
-    private-etc                 366
-    private-tmp                 726
-    whitelist var               638   (include whitelist-var-common.inc)
-    whitelist run/user          282   (include whitelist-runuser-common.inc
+Warning: multiple caps in transmission-daemon.profile
+
+Stats:
+    profiles                    1031
+    include local profile       1031   (include profile-name.local)
+    include globals             1031   (include globals.local)
+    blacklist ~/.ssh            1007   (include disable-common.inc)
+    seccomp                     976
+    capabilities                1030
+    noexec                      901   (include disable-exec.inc)
+    memory-deny-write-execute   221
+    apparmor                    555
+    private-bin                 544
+    private-dev                 897
+    private-etc                 435
+    private-tmp                 785
+    whitelist home directory    474
+    whitelist var               699   (include whitelist-var-common.inc)
+    whitelist run/user          336   (include whitelist-runuser-common.inc
                                         or blacklist ${RUNUSER})
-    whitelist usr/share         275   (include whitelist-usr-share-common.inc
-    net none                    313
-`````
-
-Run ./profstats -h for help.
+    whitelist usr/share         359   (include whitelist-usr-share-common.inc
+    net none                    333
+    dbus-user none              523
+    dbus-system none            632
 
 ### New profiles:
 
-gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et,
-multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl,
-muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal,
-gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer,
-penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
-four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
-hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
-seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded, cawbird, freetube, homebank, mattermost-desktop, newsflash, com.gitlab.newsflash, element-desktop, sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx, minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar, vmware, git-cola, otter-browser
+spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer
diff --git a/RELNOTES b/RELNOTES
index 07dd9f8a9..8662125f5 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,15 @@
-firejail (0.9.63) baseline; urgency=low
-  * work in progress
-  * security: fixes for CVE-2020-17367 & CVE-2020-17368, reported by Tim Starling
+firejail (0.9.65) baseline; urgency=low
+  * allow --tmpfs inside $HOME for unprivileged users
+  * --disable-usertmpfs  compile time option
+  * allow AF_BLUETOOTH via --protocol=bluetooth
+  * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
+  * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
+  * new profiles: straw-viewer
+
+ -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2020 09:00:00 -0500
+
+firejail (0.9.64) baseline; urgency=low
+  * replaced --nowrap option with --wrap in firemon
   * The blocking action of seccomp filters has been changed from
     killing the process to returning EPERM to the caller. To get the
     previous behaviour, use --seccomp-error-action=kill or
@@ -19,6 +28,8 @@ firejail (0.9.63) baseline; urgency=low
   * whitelist globbing
   * mkdir and mkfile support for /run/user directory
   * support ignore for include
+  * --include on the command line
+  * splitting up media players whitelists in whitelist-players.inc
   * new condition: HAS_NOSOUND
   * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
   * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
@@ -36,15 +47,21 @@ firejail (0.9.63) baseline; urgency=low
   * new profiles: hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless
   * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
   * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
-  * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop
-  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry
+  * new profiles: swell-foop, fdns, five-or-more, steam-runtime
+  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
   * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
-  * new profiles: gapplication, openarena_ded, element-desktop, cawbird, freetube
+  * new profiles: gapplication, openarena_ded, element-desktop, cawbird
+  * new profiles: freetube, strawberry, jitsi-meet-desktop
   * new profiles: homebank, mattermost-desktop, newsflash, com.gitlab.newsflash
   * new profiles: sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx
   * new profiles: minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar
-  * new profiles: vmware, git-cola, otter-browser
- -- netblue30 <netblue30@yahoo.com>  Tue, 21 Apr 2020 08:00:00 -0500
+  * new profiles: vmware, git-cola, otter-browser, kazam, menulibre, musictube
+  * new profiles: onboard, fractal, mirage, quaternion, spectral, man, psi
+  * new profiles: smuxi-frontend-gnome, balsa, kube, trojita, youtube
+  * new profiles: youtubemusic-nativefier, cola, dbus-send, notify-send
+  * new profiles: qrencode, ytmdesktop, twitch
+  * new profiles: xournalpp, chromium-freeworld, equalx
+ -- netblue30 <netblue30@yahoo.com>  Wed, 21 Oct 2020 08:00:00 -0500
 
 firejail (0.9.62) baseline; urgency=low
   * added file-copy-limit in /etc/firejail/firejail.config
diff --git a/SECURITY.md b/SECURITY.md
index 883f915ed..6df34685b 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -21,4 +21,4 @@
 
 ## Security vulnerabilities
 
-We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@yahoo.com
+We take security bugs very seriously. If you believe you have found one, please report it by emailing us at netblue30@@protonmail.com
diff --git a/configure b/configure
index 12881fcaf..75c2499a9 100755
--- a/configure
+++ b/configure
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.63.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.65.
 #
-# Report bugs to <netblue30@yahoo.com>.
+# Report bugs to <netblue30@protonmail.com>.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -267,10 +267,10 @@ fi
     $as_echo "$0: be upgraded to zsh 4.3.4 or later."
   else
     $as_echo "$0: Please tell bug-autoconf@gnu.org and
-$0: netblue30@yahoo.com about your system, including any
-$0: error possibly output before this message. Then install
-$0: a modern shell, or manually run the script under such a
-$0: shell if you do have one."
+$0: netblue30@protonmail.com about your system, including
+$0: any error possibly output before this message. Then
+$0: install a modern shell, or manually run the script
+$0: under such a shell if you do have one."
   fi
   exit 1
 fi
@@ -580,9 +580,9 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.63'
-PACKAGE_STRING='firejail 0.9.63'
-PACKAGE_BUGREPORT='netblue30@yahoo.com'
+PACKAGE_VERSION='0.9.65'
+PACKAGE_STRING='firejail 0.9.65'
+PACKAGE_BUGREPORT='netblue30@protonmail.com'
 PACKAGE_URL='https://firejail.wordpress.com'
 
 ac_unique_file="src/firejail/main.c"
@@ -624,7 +624,6 @@ ac_includes_default="\
 
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
-HAVE_SECCOMP_H
 EGREP
 GREP
 CPP
@@ -641,10 +640,13 @@ HAVE_USERNS
 HAVE_NETWORK
 HAVE_GLOBALCFG
 HAVE_CHROOT
-HAVE_SECCOMP
 HAVE_PRIVATE_HOME
 HAVE_FIRETUNNEL
+HAVE_GAWK
+HAVE_MAN
+HAVE_USERTMPFS
 HAVE_OVERLAYFS
+HAVE_DBUSPROXY
 EXTRA_LDFLAGS
 EXTRA_CFLAGS
 HAVE_APPARMOR
@@ -706,11 +708,14 @@ SHELL'
 ac_subst_files=''
 ac_user_opts='
 enable_option_checking
+enable_analyzer
 enable_apparmor
+enable_dbusproxy
 enable_overlayfs
+enable_usertmpfs
+enable_man
 enable_firetunnel
 enable_private_home
-enable_seccomp
 enable_chroot
 enable_globalcfg
 enable_network
@@ -1289,7 +1294,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures firejail 0.9.63 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.65 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1351,7 +1356,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.63:";;
+     short | recursive ) echo "Configuration of firejail 0.9.65:";;
    esac
   cat <<\_ACEOF
 
@@ -1359,11 +1364,14 @@ Optional Features:
   --disable-option-checking  ignore unrecognized --enable/--with options
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --enable-analyzer       enable GCC 10 static analyzer
   --enable-apparmor       enable apparmor
+  --disable-dbusproxy     disable dbus proxy
   --disable-overlayfs     disable overlayfs
+  --disable-usertmpfs     disable tmpfs as regular user
+  --disable-man           disable man pages
   --disable-firetunnel    disable firetunnel
   --disable-private-home  disable private home feature
-  --disable-seccomp       disable seccomp
   --disable-chroot        disable chroot
   --disable-globalcfg     if the global config file firejail.cfg is not
                           present, continue the program using defaults
@@ -1401,7 +1409,7 @@ Some influential environment variables:
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
 
-Report bugs to <netblue30@yahoo.com>.
+Report bugs to <netblue30@protonmail.com>.
 firejail home page: <https://firejail.wordpress.com>.
 _ACEOF
 ac_status=$?
@@ -1465,7 +1473,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-firejail configure 0.9.63
+firejail configure 0.9.65
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1670,9 +1678,9 @@ $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
 $as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&2;}
     { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-( $as_echo "## ---------------------------------- ##
-## Report this to netblue30@yahoo.com ##
-## ---------------------------------- ##"
+( $as_echo "## --------------------------------------- ##
+## Report this to netblue30@protonmail.com ##
+## --------------------------------------- ##"
      ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
@@ -1767,7 +1775,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by firejail $as_me 0.9.63, which was
+It was created by firejail $as_me 0.9.65, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3270,6 +3278,17 @@ else
 fi
 
 
+# Check whether --enable-analyzer was given.
+if test "${enable_analyzer+set}" = set; then :
+  enableval=$enable_analyzer;
+fi
+
+if test "x$enable_analyzer" = "xyes"; then :
+
+        EXTRA_CFLAGS+=" -fanalyzer"
+
+fi
+
 HAVE_APPARMOR=""
 # Check whether --enable-apparmor was given.
 if test "${enable_apparmor+set}" = set; then :
@@ -3498,6 +3517,19 @@ fi
 
 
 
+HAVE_DBUSPROXY=""
+# Check whether --enable-dbusproxy was given.
+if test "${enable_dbusproxy+set}" = set; then :
+  enableval=$enable_dbusproxy;
+fi
+
+if test "x$enable_dbusproxy" != "xno"; then :
+
+        HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
+
+
+fi
+
 HAVE_OVERLAYFS=""
 # Check whether --enable-overlayfs was given.
 if test "${enable_overlayfs+set}" = set; then :
@@ -3511,6 +3543,73 @@ if test "x$enable_overlayfs" != "xno"; then :
 
 fi
 
+HAVE_USERTMPS=""
+# Check whether --enable-usertmpfs was given.
+if test "${enable_usertmpfs+set}" = set; then :
+  enableval=$enable_usertmpfs;
+fi
+
+if test "x$enable_usertmpfs" != "xno"; then :
+
+        HAVE_USERTMPFS="-DHAVE_USERTMPFS"
+
+
+fi
+
+HAVE_MAN="no"
+# Check whether --enable-man was given.
+if test "${enable_man+set}" = set; then :
+  enableval=$enable_man;
+fi
+
+if test "x$enable_man" != "xno"; then :
+
+        HAVE_MAN="-DHAVE_MAN"
+
+        # Extract the first word of "gawk", so it can be a program name with args.
+set dummy gawk; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_HAVE_GAWK+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if test -n "$HAVE_GAWK"; then
+  ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_prog_HAVE_GAWK="yes"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no"
+fi
+fi
+HAVE_GAWK=$ac_cv_prog_HAVE_GAWK
+if test -n "$HAVE_GAWK"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5
+$as_echo "$HAVE_GAWK" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+        if test "x$HAVE_GAWK" != "xyes"; then :
+  as_fn_error $? "\"*** gawk not found ***\"" "$LINENO" 5
+fi
+
+fi
+
 HAVE_FIRETUNNEL=""
 # Check whether --enable-firetunnel was given.
 if test "${enable_firetunnel+set}" = set; then :
@@ -3537,19 +3636,6 @@ if test "x$enable_private_home" != "xno"; then :
 
 fi
 
-HAVE_SECCOMP=""
-# Check whether --enable-seccomp was given.
-if test "${enable_seccomp+set}" = set; then :
-  enableval=$enable_seccomp;
-fi
-
-if test "x$enable_seccomp" != "xno"; then :
-
-        HAVE_SECCOMP="-DHAVE_SECCOMP"
-
-
-fi
-
 HAVE_CHROOT=""
 # Check whether --enable-chroot was given.
 if test "${enable_chroot+set}" = set; then :
@@ -4173,14 +4259,13 @@ fi
 
 ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
 if test "x$ac_cv_header_linux_seccomp_h" = xyes; then :
-  HAVE_SECCOMP_H="-DHAVE_SECCOMP_H"
+
 else
-  HAVE_SECCOMP_H=""
+  as_fn_error $? "*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***" "$LINENO" 5
 fi
 
 
 
-
 # set sysconfdir
 if test "$prefix" = /usr; then
         test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc"
@@ -4188,7 +4273,7 @@ fi
 
 ac_config_files="$ac_config_files mkdeb.sh"
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile test/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4732,7 +4817,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.63, which was
+This file was extended by firejail $as_me 0.9.65, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4779,14 +4864,14 @@ Usage: $0 [OPTION]... [TAG]...
 Configuration files:
 $config_files
 
-Report bugs to <netblue30@yahoo.com>.
+Report bugs to <netblue30@protonmail.com>.
 firejail home page: <https://firejail.wordpress.com>."
 
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.63
+firejail config.status 0.9.65
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -4918,6 +5003,8 @@ do
     "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
     "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
     "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
+    "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;;
+    "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
@@ -5382,8 +5469,6 @@ echo
 echo "Configuration options:"
 echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
-echo "   seccomp: $HAVE_SECCOMP"
-echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   apparmor: $HAVE_APPARMOR"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
@@ -5394,6 +5479,9 @@ echo "   whitelisting: $HAVE_WHITELIST"
 echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   DBUS proxy support: $HAVE_DBUSPROXY"
+echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
+echo "   Manpage support: $HAVE_MAN"
 echo "   firetunnel support: $HAVE_FIRETUNNEL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
 echo "   Spectre compiler patch: $HAVE_SPECTRE"
diff --git a/configure.ac b/configure.ac
index feb0b38a6..e21e4a01f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.63, netblue30@yahoo.com, , https://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.65, netblue30@protonmail.com, , https://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 
 AC_CONFIG_MACRO_DIR([m4])
@@ -39,6 +39,12 @@ AX_CHECK_COMPILE_FLAG(
     [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong"]
 )
 
+AC_ARG_ENABLE([analyzer],
+    AS_HELP_STRING([--enable-analyzer], [enable GCC 10 static analyzer]))
+AS_IF([test "x$enable_analyzer" = "xyes"], [
+        EXTRA_CFLAGS+=" -fanalyzer"
+])
+
 HAVE_APPARMOR=""
 AC_ARG_ENABLE([apparmor],
     AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
@@ -52,6 +58,14 @@ AC_SUBST([EXTRA_CFLAGS])
 AC_SUBST([EXTRA_LDFLAGS])
 
 
+HAVE_DBUSPROXY=""
+AC_ARG_ENABLE([dbusproxy],
+    AS_HELP_STRING([--disable-dbusproxy], [disable dbus proxy]))
+AS_IF([test "x$enable_dbusproxy" != "xno"], [
+        HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
+        AC_SUBST(HAVE_DBUSPROXY)
+])
+
 HAVE_OVERLAYFS=""
 AC_ARG_ENABLE([overlayfs],
     AS_HELP_STRING([--disable-overlayfs], [disable overlayfs]))
@@ -60,6 +74,24 @@ AS_IF([test "x$enable_overlayfs" != "xno"], [
         AC_SUBST(HAVE_OVERLAYFS)
 ])
 
+HAVE_USERTMPS=""
+AC_ARG_ENABLE([usertmpfs],
+    AS_HELP_STRING([--disable-usertmpfs], [disable tmpfs as regular user]))
+AS_IF([test "x$enable_usertmpfs" != "xno"], [
+        HAVE_USERTMPFS="-DHAVE_USERTMPFS"
+        AC_SUBST(HAVE_USERTMPFS)
+])
+
+HAVE_MAN="no"
+AC_ARG_ENABLE([man],
+    AS_HELP_STRING([--disable-man], [disable man pages]))
+AS_IF([test "x$enable_man" != "xno"], [
+        HAVE_MAN="-DHAVE_MAN"
+        AC_SUBST(HAVE_MAN)
+        AC_CHECK_PROG([HAVE_GAWK], [gawk], [yes], [no])
+        AS_IF([test "x$HAVE_GAWK" != "xyes"], [AC_MSG_ERROR("*** gawk not found ***")])
+])
+
 HAVE_FIRETUNNEL=""
 AC_ARG_ENABLE([firetunnel],
     AS_HELP_STRING([--disable-firetunnel], [disable firetunnel]))
@@ -76,14 +108,6 @@ AS_IF([test "x$enable_private_home" != "xno"], [
         AC_SUBST(HAVE_PRIVATE_HOME)
 ])
 
-HAVE_SECCOMP=""
-AC_ARG_ENABLE([seccomp],
-    AS_HELP_STRING([--disable-seccomp], [disable seccomp]))
-AS_IF([test "x$enable_seccomp" != "xno"], [
-        HAVE_SECCOMP="-DHAVE_SECCOMP"
-        AC_SUBST(HAVE_SECCOMP)
-])
-
 HAVE_CHROOT=""
 AC_ARG_ENABLE([chroot],
     AS_HELP_STRING([--disable-chroot], [disable chroot]))
@@ -196,8 +220,7 @@ AS_IF([test "x$enable_selinux" = "xyes"], [
 # checking pthread library
 AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***]))
 AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***]))
-AC_CHECK_HEADER([linux/seccomp.h], HAVE_SECCOMP_H="-DHAVE_SECCOMP_H", HAVE_SECCOMP_H="")
-AC_SUBST(HAVE_SECCOMP_H)
+AC_CHECK_HEADER([linux/seccomp.h],,AC_MSG_ERROR([*** SECCOMP support is not installed (/usr/include/linux/seccomp.h missing) ***]))
 
 # set sysconfdir
 if test "$prefix" = /usr; then
@@ -208,14 +231,12 @@ AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
-src/profstats/Makefile)
+src/profstats/Makefile src/man/Makefile test/Makefile)
 
 echo
 echo "Configuration options:"
 echo "   prefix: $prefix"
 echo "   sysconfdir: $sysconfdir"
-echo "   seccomp: $HAVE_SECCOMP"
-echo "   <linux/seccomp.h>: $HAVE_SECCOMP_H"
 echo "   apparmor: $HAVE_APPARMOR"
 echo "   global config: $HAVE_GLOBALCFG"
 echo "   chroot: $HAVE_CHROOT"
@@ -226,6 +247,9 @@ echo "   whitelisting: $HAVE_WHITELIST"
 echo "   private home support: $HAVE_PRIVATE_HOME"
 echo "   file transfer support: $HAVE_FILE_TRANSFER"
 echo "   overlayfs support: $HAVE_OVERLAYFS"
+echo "   DBUS proxy support: $HAVE_DBUSPROXY"
+echo "   allow tmpfs as regular user: $HAVE_USERTMPFS"
+echo "   Manpage support: $HAVE_MAN"
 echo "   firetunnel support: $HAVE_FIRETUNNEL"
 echo "   busybox workaround: $BUSYBOX_WORKAROUND"
 echo "   Spectre compiler patch: $HAVE_SPECTRE"
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py
index 668d68ff2..12b596749 100755
--- a/contrib/fix_private-bin.py
+++ b/contrib/fix_private-bin.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 __author__ = "KOLANICH"
 __copyright__ = """This is free and unencumbered software released into the public domain.
 
diff --git a/contrib/fj-mkdeb.py b/contrib/fj-mkdeb.py
index 429cb9db4..487df4c83 100755
--- a/contrib/fj-mkdeb.py
+++ b/contrib/fj-mkdeb.py
@@ -5,12 +5,16 @@
 
 # This script automates the workaround for https://github.com/netblue30/firejail/issues/772
 
-import os, re, shlex, subprocess, sys
+import os, shlex, subprocess, sys
 
 
 def run(srcdir, args):
     if srcdir: os.chdir(srcdir)
 
+    if not (os.path.isfile('./mkdeb.sh.in')):
+        print('Error: Not a firejail source tree?  Exiting.')
+        return 1
+
     dry_run = False
     escaped_args = []
     # We need to modify the list as we go.  So be sure to copy the list to be iterated!
@@ -25,23 +29,21 @@ def run(srcdir, args):
         else:
             escaped_args.append(shlex.quote(a))
 
-    # Fix up mkdeb.sh to include custom configure options.
+    # Run configure to generate mkdeb.sh.
+    first_config = subprocess.call(['./configure', '--prefix=/usr'] + args)
+    if first_config != 0:
+        return first_config
+
+    # Fix up dynamically-generated mkdeb.sh to include custom configure options.
     with open('mkdeb.sh', 'rb') as f:
         sh = str(f.read(), 'utf_8')
-    rx = re.compile(r'^\./configure\s.*$', re.M)
     with open('mkdeb.sh', 'wb') as f:
-        f.write(
-            bytes(
-                rx.sub('./configure --prefix=/usr ' + (' '.join(escaped_args)),
-                       sh), 'utf_8'))
+        f.write(bytes(sh.replace('./configure $CONFIG_ARGS',
+                                 './configure $CONFIG_ARGS ' + (' '.join(escaped_args))), 'utf_8'))
 
     if dry_run: return 0
 
-    # now run configure && make
-    if subprocess.call(['./configure', '--prefix=/usr'] + args) == 0:
-        subprocess.call(['make', 'deb'])
-
-    return 0
+    return subprocess.call(['make', 'deb'])
 
 
 if __name__ == '__main__':
@@ -71,9 +73,9 @@ usage:
         if not (srcdir):
             # srcdir not manually specified, try to auto-detect
             srcdir = os.path.dirname(os.path.abspath(sys.argv[0] + '/..'))
-            if not (os.path.isfile(srcdir + '/mkdeb.sh')):
+            if not (os.path.isfile(srcdir + '/mkdeb.sh.in')):
                 # Script is probably installed.  Check the cwd.
-                if os.path.isfile('./mkdeb.sh'):
+                if os.path.isfile('./mkdeb.sh.in'):
                     srcdir = None
                 else:
                     print(
diff --git a/contrib/jail_prober.py b/contrib/jail_prober.py
index 6f8e98b6a..67e851282 100755
--- a/contrib/jail_prober.py
+++ b/contrib/jail_prober.py
@@ -1,166 +1,186 @@
-#!/usr/bin/env python3

-# This file is part of Firejail project

-# Copyright (C) 2014-2020 Firejail Authors

-# License GPL v2

-"""

-Figure out which profile options may be causing a particular program to break

-when run in firejail.

-

-Instead of having to comment out each line in a profile by hand, and then

-enable each line individually until the bad line or lines are found, this

-largely automates the process. Users only have to provide the path to the

-profile, program name, and answer 'y' for yes or 'n' for no when prompted.

-

-After completion, you'll be provided with some information to copy and then

-paste into a GitHub issue in the Firejail project repository:

-https://github.com/netblue30/firejail/issues

-

-Paths to the profile should be absolute. If the program is in your path, then

-you only have to type the profile name. Else, you'll need to provide the

-absolute path to the profile.

-

-Examples:

-python jail_prober.py /etc/firejail/spotify.profile spotify

-python jail_prober.py /usr/local/etc/firejail/firefox.profile /usr/bin/firefox

-"""

-

-import sys

-import os

-import subprocess

-

-

-def check_params(profilePath):

-    """

-    Ensure the path to the profile is valid and that an actual profile has been

-    passed (as opposed to a config or .local file).

-

-    :params profilePath: The absolute path to the problematic profile.

-    """

-    if not os.path.isfile(profilePath):

-        raise FileNotFoundError(

-            'The path %s is not a valid system path.' % profilePath)

-    if not profilePath.endswith('.profile'):

-        raise ValueError('%s is not a valid Firejail profile.' % profilePath)

-

-

-def get_args(profilePath):

-    """

-    Read the profile, stripping out comments and newlines

-

-    :params profilePath: The absolute path to the problematic profile.

-

-    :returns profile: A list containing all active profile arguments

-    """

-    with open(profilePath, 'r') as f:

-        profile = f.readlines()

-        profile = [

-            arg.strip() for arg in profile

-            if not arg.startswith('#') and arg.strip() != ''

-        ]

-

-    return profile

-

-

-def arg_converter(argList, style):

-    """

-    Convert between firejail command-line arguments (--example=something) and

-    profile arguments (example something)

-

-    :params argList: A list of firejail arguments

-

-    :params style: Whether to convert arguments to command-line form or profile

-    form

-    """

-    if style == 'to_profile':

-        oldSep = '='

-        newSep = ' '

-        prefix = ''

-    elif style == 'to_commandline':

-        oldSep = ' '

-        newSep = '='

-        prefix = '--'

-    newArgs = [prefix + word.replace(oldSep, newSep) for word in argList]

-    # Additional strip of '--' if converting to profile form

-    if style == 'to_profile':

-        newArgs = [word[2:] for word in newArgs]

-

-    # Remove invalid '--include' args if converting to command-line form

-    elif style == 'to_commandline':

-        newArgs = [word for word in newArgs if 'include' not in word]

-

-    return newArgs

-

-

-def run_firejail(program, allArgs):

-    """

-    Attempt to run the program in firejail, incrementally adding to the number

-    of firejail arguments. Initial run has no additional params besides

-    noprofile.

-

-    :params program: The program name. If it doesn't exist in the user's path

-    then the full path should be provided.

-

-    :params allArgs: A list of all Firejail arguments to try, in command-line

-    format.

-

-    :returns goodArgs: A list of arguments that the user has reported to not

-    affect the program

-

-    :returns badArgs: A list of arguments that the user has reported to break

-    the program when sandboxing with Firejail

-    """

-    goodArgs = ['firejail', '--noprofile', program]

-    badArgs = []

-    print('Attempting to run %s in Firejail' % program)

-    for arg in allArgs:

-        print('Running with', arg)

-        subprocess.call(goodArgs)

-        ans = input('Did %s run correctly? [y]/n ' % program)

-        if ans in ['n', 'N']:

-            badArgs.append(arg)

-        else:

-            goodArgs.insert(-1, arg)

-        print('\n')

-    # Don't include 'firejail', '--noprofile', or program name in arguments

-    goodArgs = goodArgs[2:-1]

-

-    return goodArgs, badArgs

-

-

-def main():

-    profilePath = sys.argv[1]

-    program = sys.argv[2]

-    # Quick error check and extract arguments

-    check_params(profilePath)

-    profile = get_args(profilePath)

-    allArgs = arg_converter(profile, 'to_commandline')

-    # Find out which profile options break the program when running in firejail

-    goodArgs, badArgs = run_firejail(program, allArgs)

-

-    goodArgs = arg_converter(goodArgs, 'to_profile')

-    badArgs = arg_converter(badArgs, 'to_profile')

-

-    print('\n###########################')

-    print('Debugging completed.')

-    print(

-        'Please copy the following and report it to the Firejail development',

-        'team on GitHub at %s \n\n' %

-        'https://github.com/netblue30/firejail/issues')

-

-    subprocess.call(['firejail', '--version'])

-

-    print('These profile options break the program.')

-    print('```')

-    for item in badArgs:

-        print(item)

-    print('```\n\n\n')

-

-    print('This is a minimal working profile:')

-    print('```')

-    for item in goodArgs:

-        print(item)

-    print('```')

-

-

-if __name__ == '__main__':

-    main()

+#!/usr/bin/env python3
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+"""
+Figure out which profile options may be causing a particular program to break
+when run in firejail.
+
+Instead of having to comment out each line in a profile by hand, and then
+enable each line individually until the bad line or lines are found, this
+largely automates the process. Users only have to provide the path to the
+profile, program name, and answer 'y' for yes or 'n' for no when prompted.
+
+After completion, you'll be provided with some information to copy and then
+paste into a GitHub issue in the Firejail project repository:
+https://github.com/netblue30/firejail/issues
+
+Paths to the profile should be absolute. If the program is in your path, then
+you only have to type the profile name. Else, you'll need to provide the
+absolute path to the profile.
+
+Examples:
+python jail_prober.py /etc/firejail/spotify.profile spotify
+python jail_prober.py /usr/local/etc/firejail/firefox.profile /usr/bin/firefox
+"""
+
+import sys
+import os
+import subprocess
+
+
+def check_params(profile_path):
+    """
+    Ensure the path to the profile is valid and that an actual profile has been
+    passed (as opposed to a config or .local file).
+
+    Args:
+        profile_path:       The absolute path to the problematic profile
+
+    Raises:
+        FileNotFoundError:  If the provided path isn't real
+
+        ValueError:         If the provided path is real but doesn't point to
+                            a Firejail profile
+    """
+    if not os.path.isfile(profile_path):
+        raise FileNotFoundError('The path %s is not a valid system path.' %
+                                profile_path)
+    if not profile_path.endswith('.profile'):
+        raise ValueError('%s is not a valid Firejail profile.' % profile_path)
+
+
+def get_args(profile_path):
+    """
+    Read the profile, stripping out comments and newlines
+
+    Args:
+        profile_path:   The absolute path to the problematic profile.
+
+    Returns:
+        A list containing all active profile arguments
+    """
+    with open(profile_path, 'r') as f:
+        profile = f.readlines()
+        profile = [
+            arg.strip() for arg in profile
+            if not arg.startswith('#') and arg.strip() != ''
+        ]
+
+    return profile
+
+
+def arg_converter(arg_list, style):
+    """
+    Convert between firejail command-line arguments (--example=something) and
+    profile arguments (example something)
+
+    Args:
+        arg_list:   A list of firejail arguments
+
+        style:      String, one of {'to_profile', 'to_commandline'}. Whether to
+                    convert arguments to command-line form or profile form
+    """
+    if style == 'to_profile':
+        old_sep = '='
+        new_sep = ' '
+        prefix = ''
+    elif style == 'to_commandline':
+        old_sep = ' '
+        new_sep = '='
+        prefix = '--'
+    new_args = [prefix + word.replace(old_sep, new_sep) for word in arg_list]
+    # Additional strip of '--' if converting to profile form
+    if style == 'to_profile':
+        new_args = [word[2:] for word in new_args]
+
+    # Remove invalid '--include' args if converting to command-line form
+    elif style == 'to_commandline':
+        new_args = [word for word in new_args if 'include' not in word]
+
+    return new_args
+
+
+def run_firejail(program, all_args):
+    """
+    Attempt to run the program in firejail, incrementally adding to the number
+    of firejail arguments. Initial run has no additional params besides
+    noprofile.
+
+    Args:
+        program:    String, the program name. If it doesn't exist in $PATH then
+                    the full path to the program should be provided
+
+        all_args:   List, all Firejail arguments to try, in command-line format
+                    (i.e. prefixed by '--')
+
+    Returns:
+        good_args:  List, all Firejail arguments that the user has reported to
+                    not adversely affect the program
+
+        bad_args:   List, all Firejail arguments that the user has reported to
+                    break the program
+    """
+    good_args = ['firejail', '--noprofile', program]
+    bad_args = []
+    all_args.insert(0, "")
+    print('Attempting to run %s in Firejail' % program)
+    for arg in all_args:
+        if arg:
+            print('Running with', arg)
+        else:
+            print('Running without profile')
+        #We are adding the argument in a copy of the actual list to avoid modify it now.
+        myargs = good_args.copy()
+        if arg:
+            myargs.insert(-1, arg)
+        subprocess.call(myargs)
+        ans = input('Did %s run correctly? [y]/n ' % program)
+        if ans in ['n', 'N']:
+            bad_args.append(arg)
+        elif arg:
+            good_args.insert(-1, arg)
+        print('\n')
+    # Don't include 'firejail', '--noprofile', or program name in arguments
+    good_args = good_args[2:-1]
+
+    return good_args, bad_args
+
+
+def main():
+    profile_path = sys.argv[1]
+    program = sys.argv[2]
+    # Quick error check and extract arguments
+    check_params(profile_path)
+    profile = get_args(profile_path)
+    all_args = arg_converter(profile, 'to_commandline')
+    # Find out which profile options break the program when running in firejail
+    good_args, bad_args = run_firejail(program, all_args)
+
+    good_args = arg_converter(good_args, 'to_profile')
+    bad_args = arg_converter(bad_args, 'to_profile')
+
+    print('\n###########################')
+    print('Debugging completed.')
+    print(
+        'Please copy the following and report it to the Firejail development',
+        'team on GitHub at %s \n\n' %
+        'https://github.com/netblue30/firejail/issues')
+
+    subprocess.call(['firejail', '--version'])
+
+    print('These profile options break the program.')
+    print('```')
+    for item in bad_args:
+        print(item)
+    print('```\n\n\n')
+
+    print('This is a minimal working profile:')
+    print('```')
+    for item in good_args:
+        print(item)
+    print('```')
+
+
+if __name__ == '__main__':
+    main()
diff --git a/contrib/sort.py b/contrib/sort.py
index e2f82012b..54b2cbaa6 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -34,7 +34,7 @@ def sort_alphabetical(raw_items):
 
 
 def sort_protocol(protocols):
-    """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet"""
+    """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
     # shortcut for common protocol lines
     if protocols in ("unix", "unix,inet,inet6"):
         return protocols
@@ -45,6 +45,7 @@ def sort_protocol(protocols):
         "inet6": False,
         "netlink": False,
         "packet": False,
+        "bluetooth": False,
     }
     for protocol in protocols.split(","):
         if protocol == "unix":
@@ -57,6 +58,8 @@ def sort_protocol(protocols):
             present_protocols["netlink"] = True
         elif protocol == "packet":
             present_protocols["packet"] = True
+        elif protocol == "bluetooth":
+            present_protocols["bluetooth"] = True
     if present_protocols["unix"]:
         fixed_protocols += "unix,"
     if present_protocols["inet"]:
@@ -67,6 +70,8 @@ def sort_protocol(protocols):
         fixed_protocols += "netlink,"
     if present_protocols["packet"]:
         fixed_protocols += "packet,"
+    if present_protocols["bluetooth"]:
+        fixed_protocols += "bluetooth,"
     return fixed_protocols[:-1]
 
 
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index 68e20d9b9..ec87f1d2d 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -2,6 +2,10 @@
 # Generic Firejail AppArmor profile
 #########################################
 
+# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
+# and <abstractions/dbus-session-strict>.
+#include <tunables/global>
+
 ##########
 # A simple PID declaration based on Ubuntu's @{pid}
 # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
@@ -108,7 +112,8 @@ network inet6,
 network unix,
 network netlink,
 network raw,
-# needed for wireshark
+# needed for wireshark, tcpdump etc
+network bluetooth,
 network packet,
 
 ##########
diff --git a/etc/inc/allow-lua.inc b/etc/inc/allow-lua.inc
index 9df8e8d32..9c47e7a3b 100644
--- a/etc/inc/allow-lua.inc
+++ b/etc/inc/allow-lua.inc
@@ -6,5 +6,7 @@ noblacklist ${PATH}/lua*
 noblacklist /usr/include
 noblacklist /usr/lib/liblua*
 noblacklist /usr/lib/lua
+noblacklist /usr/lib64/liblua*
+noblacklist /usr/lib64/lua
 noblacklist /usr/share/lua
 noblacklist /usr/share/lua*
diff --git a/etc/inc/allow-perl.inc b/etc/inc/allow-perl.inc
index f44e1e3cc..5a1952c94 100644
--- a/etc/inc/allow-perl.inc
+++ b/etc/inc/allow-perl.inc
@@ -8,4 +8,5 @@ noblacklist ${PATH}/perl
 noblacklist ${PATH}/site_perl
 noblacklist ${PATH}/vendor_perl
 noblacklist /usr/lib/perl*
+noblacklist /usr/lib64/perl*
 noblacklist /usr/share/perl*
diff --git a/etc/inc/chromium-common-hardened.inc b/etc/inc/chromium-common-hardened.inc
new file mode 100644
index 000000000..f33ce3115
--- /dev/null
+++ b/etc/inc/chromium-common-hardened.inc
@@ -0,0 +1,5 @@
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index c7516ab42..3bdad3138 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,7 @@ read-only ${HOME}/.Xauthority
 #?HAS_X11: blacklist /tmp/.ICE-unix
 
 # KDE config
+blacklist ${HOME}/.cache/konsole
 blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
 blacklist ${HOME}/.config/kscreenlockerrc
@@ -76,6 +77,7 @@ blacklist ${HOME}/.config/ksslcertificatemanager
 blacklist ${HOME}/.config/kwalletrc
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
+blacklist ${HOME}/.config/plasma-locale-settings.sh
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
 blacklist ${HOME}/.config/plasmashellrc
 blacklist ${HOME}/.config/plasmavaultrc
@@ -106,6 +108,7 @@ blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
 blacklist ${HOME}/.local/share/plasmashell
 blacklist ${HOME}/.local/share/solid
+blacklist /tmp/konsole-*.history
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
 read-only ${HOME}/.config/kdeglobals
@@ -144,6 +147,8 @@ blacklist ${RUNUSER}/kdesud_*
 # gnome
 # contains extensions, last used times of applications, and notifications
 blacklist ${HOME}/.local/share/gnome-shell
+# contains recently used files and serials of static/removable storage
+blacklist ${HOME}/.local/share/gvfs-metadata
 # no direct modification of dconf database
 read-only ${HOME}/.config/dconf
 blacklist ${RUNUSER}/gnome-session-leader-fifo
@@ -263,9 +268,11 @@ read-only ${HOME}/.config/fish
 read-only ${HOME}/.csh_files
 read-only ${HOME}/.cshrc
 read-only ${HOME}/.forward
+read-only ${HOME}/.kshrc
 read-only ${HOME}/.local/share/fish
 read-only ${HOME}/.login
 read-only ${HOME}/.logout
+read-only ${HOME}/.mkshrc
 read-only ${HOME}/.oh-my-zsh
 read-only ${HOME}/.pam_environment
 read-only ${HOME}/.pgpkey
@@ -273,6 +280,7 @@ read-only ${HOME}/.plan
 read-only ${HOME}/.profile
 read-only ${HOME}/.project
 read-only ${HOME}/.tcshrc
+read-only ${HOME}/.zfunc
 read-only ${HOME}/.zlogin
 read-only ${HOME}/.zlogout
 read-only ${HOME}/.zprofile
@@ -472,22 +480,19 @@ blacklist /.snapshots
 # flatpak
 blacklist ${HOME}/.cache/flatpak
 blacklist ${HOME}/.config/flatpak
-blacklist ${HOME}/.local/share/flatpak/app
-blacklist ${HOME}/.local/share/flatpak/appstream
-blacklist ${HOME}/.local/share/flatpak/db
+noblacklist ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
-blacklist ${HOME}/.local/share/flatpak/oci
-blacklist ${HOME}/.local/share/flatpak/overrides
-blacklist ${HOME}/.local/share/flatpak/repo
-blacklist ${HOME}/.local/share/flatpak/runtime
+blacklist ${HOME}/.local/share/flatpak/*
 blacklist ${HOME}/.var
 blacklist ${RUNUSER}/app
 blacklist ${RUNUSER}/doc
 blacklist ${RUNUSER}/.dbus-proxy
 blacklist ${RUNUSER}/.flatpak
+blacklist ${RUNUSER}/.flatpak-cache
 blacklist ${RUNUSER}/.flatpak-helper
 blacklist /usr/share/flatpak
-blacklist /var/lib/flatpak
+noblacklist /var/lib/flatpak/exports
+blacklist /var/lib/flatpak/*
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
 
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index e1ba13380..e74b1b40b 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -49,6 +49,7 @@ blacklist ${PATH}/openssl-1.0
 blacklist ${PATH}/rust-gdb
 blacklist ${PATH}/rust-lldb
 blacklist ${PATH}/rustc
+blacklist ${HOME}/.rustup
 
 # tcc - Tiny C Compiler
 blacklist ${PATH}/tcc
diff --git a/etc/inc/disable-exec.inc b/etc/inc/disable-exec.inc
index ee3391730..9b5c40a2b 100644
--- a/etc/inc/disable-exec.inc
+++ b/etc/inc/disable-exec.inc
@@ -4,6 +4,7 @@ include disable-exec.local
 
 noexec ${HOME}
 noexec ${RUNUSER}
+noexec /dev/mqueue
 noexec /dev/shm
 noexec /tmp
 # /var is noexec by default for unprivileged users
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 59e9c7de3..4f6f71098 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -15,6 +15,8 @@ blacklist ${PATH}/lua*
 blacklist /usr/include/lua*
 blacklist /usr/lib/liblua*
 blacklist /usr/lib/lua
+blacklist /usr/lib64/liblua*
+blacklist /usr/lib64/lua
 blacklist /usr/share/lua*
 
 # mozjs
@@ -34,6 +36,7 @@ blacklist ${PATH}/perl
 blacklist ${PATH}/site_perl
 blacklist ${PATH}/vendor_perl
 blacklist /usr/lib/perl*
+blacklist /usr/lib64/perl*
 blacklist /usr/share/perl*
 
 # PHP
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e5dd9cb59..976f988b2 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -37,6 +37,7 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
+blacklist ${HOME}/.abook
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
@@ -49,6 +50,7 @@ blacklist ${HOME}/.asunder_album_title
 blacklist ${HOME}/.atom
 blacklist ${HOME}/.attic
 blacklist ${HOME}/.audacity-data
+blacklist ${HOME}/.balsa
 blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
@@ -83,6 +85,7 @@ blacklist ${HOME}/.config/Debauchee/Barrier.conf
 blacklist ${HOME}/.config/Dharkael
 blacklist ${HOME}/.config/Element
 blacklist ${HOME}/.config/Element (Riot)
+blacklist ${HOME}/.config/ENCOM
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Ferdi
 blacklist ${HOME}/.config/Flavio Tordini
@@ -122,6 +125,7 @@ blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
+blacklist ${HOME}/.config/Quotient
 blacklist ${HOME}/.config/Rambox
 blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
@@ -131,11 +135,14 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
 blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/Youtube
 blacklist ${HOME}/.config/Zeal
 blacklist ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/aacs
 blacklist ${HOME}/.config/abiword
 blacklist ${HOME}/.config/agenda
 blacklist ${HOME}/.config/akonadi*
@@ -203,10 +210,13 @@ blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/equalx
 blacklist ${HOME}/.config/evince
 blacklist ${HOME}/.config/evolution
 blacklist ${HOME}/.config/falkon
 blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.config/flameshot
+blacklist ${HOME}/.config/flaska.net
 blacklist ${HOME}/.config/flowblade
 blacklist ${HOME}/.config/font-manager
 blacklist ${HOME}/.config/freecol
@@ -214,6 +224,7 @@ blacklist ${HOME}/.config/gajim
 blacklist ${HOME}/.config/galculator
 blacklist ${HOME}/.config/gconf
 blacklist ${HOME}/.config/geany
+blacklist ${HOME}/.config/geary
 blacklist ${HOME}/.config/gedit
 blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/ghb
@@ -258,6 +269,7 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kazam
 blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kfindrc
@@ -274,13 +286,16 @@ blacklist ${HOME}/.config/konversation.notifyrc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/kube
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
+blacklist ${HOME}/.config/linphone
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
+blacklist ${HOME}/.local/share/man
 blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
@@ -291,6 +306,7 @@ blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/Microsoft
 blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.config/mirage
 blacklist ${HOME}/.config/mono
 blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
@@ -312,6 +328,7 @@ blacklist ${HOME}/.config/nuclear
 blacklist ${HOME}/.config/obs-studio
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
+blacklist ${HOME}/.config/onboard
 blacklist ${HOME}/.config/onionshare
 blacklist ${HOME}/.config/onlyoffice
 blacklist ${HOME}/.config/opera
@@ -331,6 +348,7 @@ blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/ppsspp
 blacklist ${HOME}/.config/pragha
 blacklist ${HOME}/.config/profanity
+blacklist ${HOME}/.config/psi
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -346,17 +364,21 @@ blacklist ${HOME}/.config/rtv
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/scribusrc
 blacklist ${HOME}/.config/sinew.in
+blacklist ${HOME}/.config/sink
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
+blacklist ${HOME}/.config/smuxi
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
+blacklist ${HOME}/.config/spectaclerc
 blacklist ${HOME}/.config/spotify
 blacklist ${HOME}/.config/sqlitebrowser
 blacklist ${HOME}/.config/stellarium
 blacklist ${HOME}/.config/strawberry
+blacklist ${HOME}/.config/straw-viewer
 blacklist ${HOME}/.config/supertuxkart
 blacklist ${HOME}/.config/synfig
 blacklist ${HOME}/.config/teams
@@ -370,6 +392,7 @@ blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
 blacklist ${HOME}/.config/tvbrowser
 blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/ungoogled-chromium
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
 blacklist ${HOME}/.config/vivaldi
@@ -396,6 +419,8 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtubemusic-nativefier-040164
+blacklist ${HOME}/.config/youtube-music-desktop-app
 blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
@@ -418,6 +443,7 @@ blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
 blacklist ${HOME}/.emacs.d
+blacklist ${HOME}/.equalx
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
 blacklist ${HOME}/.filezilla
@@ -541,6 +567,7 @@ blacklist ${HOME}/.local/share/Kingsoft
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/Psi
 blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
@@ -626,9 +653,11 @@ blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktouch
+blacklist ${HOME}/.local/share/kube
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/linphone
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
@@ -637,6 +666,7 @@ blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
+blacklist ${HOME}/.local/share/mirage
 blacklist ${HOME}/.local/share/multimc
 blacklist ${HOME}/.local/share/multimc5
 blacklist ${HOME}/.local/share/mupen64plus
@@ -657,6 +687,7 @@ blacklist ${HOME}/.local/share/Paradox Interactive
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
+blacklist ${HOME}/.local/share/psi
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/quadrapassel
 blacklist ${HOME}/.local/share/qpdfview
@@ -666,6 +697,8 @@ blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/signal-cli
+blacklist ${HOME}/.local/share/sink
+blacklist ${HOME}/.local/share/smuxi
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/strawberry
@@ -798,6 +831,7 @@ blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
 blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
+blacklist ${HOME}/.xournalpp
 blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
@@ -815,6 +849,7 @@ blacklist ${HOME}/.cache/8pecxstudios
 blacklist ${HOME}/.cache/Authenticator
 blacklist ${HOME}/.cache/BraveSoftware
 blacklist ${HOME}/.cache/Clementine
+blacklist ${HOME}/.cache/ENCOM/Spectral
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Enpass
 blacklist ${HOME}/.cache/Ferdi
@@ -824,7 +859,9 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/NewsFlashGTK
 blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/Psi
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Quotient/quaternion
 blacklist ${HOME}/.cache/Shortwave
 blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
@@ -852,10 +889,13 @@ blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/falkon
 blacklist ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/flaska.net/trojita
 blacklist ${HOME}/.cache/font-manager
 blacklist ${HOME}/.cache/fossamail
+blacklist ${HOME}/.cache/fractal
 blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/geary
 blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gfeeds
@@ -889,12 +929,14 @@ blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
 blacklist ${HOME}/.cache/kscreenlocker_greet
 blacklist ${HOME}/.cache/ksmserver-logout-greeter
 blacklist ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/Mendeley Ltd.
 blacklist ${HOME}/.cache/midori
 blacklist ${HOME}/.cache/minetest
+blacklist ${HOME}/.cache/mirage
 blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
@@ -920,21 +962,25 @@ blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/pip
 blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/psi
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/rhythmbox
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/smuxi
 blacklist ${HOME}/.cache/snox
 blacklist ${HOME}/.cache/spotify
 blacklist ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/straw-viewer
 blacklist ${HOME}/.cache/supertuxkart
 blacklist ${HOME}/.cache/systemsettings
 blacklist ${HOME}/.cache/telepathy
 blacklist ${HOME}/.cache/thunderbird
 blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/ungoogled-chromium
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
 blacklist ${HOME}/.cache/vlc
diff --git a/etc/inc/disable-shell.inc b/etc/inc/disable-shell.inc
index fda528eb6..e66d23c9f 100644
--- a/etc/inc/disable-shell.inc
+++ b/etc/inc/disable-shell.inc
@@ -7,6 +7,7 @@ blacklist ${PATH}/csh
 blacklist ${PATH}/dash
 blacklist ${PATH}/fish
 blacklist ${PATH}/ksh
+blacklist ${PATH}/mksh
 blacklist ${PATH}/sh
 blacklist ${PATH}/tclsh
 blacklist ${PATH}/tcsh
diff --git a/etc/inc/disable-write-mnt.inc b/etc/inc/disable-write-mnt.inc
new file mode 100644
index 000000000..3990cf760
--- /dev/null
+++ b/etc/inc/disable-write-mnt.inc
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-write-mnt.local
+
+read-only /mnt
+read-only /media
+read-only /run/mount
+read-only /run/media
diff --git a/etc/inc/firefox-common-addons.inc b/etc/inc/firefox-common-addons.inc
index 11acb7b42..03f09fece 100644
--- a/etc/inc/firefox-common-addons.inc
+++ b/etc/inc/firefox-common-addons.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+ignore include whitelist-runuser-common.inc
+
 noblacklist ${HOME}/.config/kgetrc
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
@@ -69,3 +71,20 @@ include allow-python3.inc
 # Flash plugin
 # private-etc must first be enabled in firefox-common.profile and in profiles including it.
 #private-etc adobe
+
+# ff2mpv
+#ignore noexec ${HOME}
+#noblacklist ${HOME}/.config/mpv
+#noblacklist ${HOME}/.config/youtube-dl
+#noblacklist ${HOME}/.netrc
+#include allow-lua.inc
+#include allow-python3.inc
+#mkdir ${HOME}/.config/mpv
+#mkdir ${HOME}/.config/youtube-dl
+#whitelist ${HOME}/.config/mpv
+#whitelist ${HOME}/.config/youtube-dl
+#whitelist ${HOME}/.netrc
+#whitelist /usr/share/lua
+#whitelist /usr/share/lua*
+#whitelist /usr/share/vulkan
+#private-bin env,mpv,python3*,waf,youtube-dl
diff --git a/etc/inc/whitelist-common.inc b/etc/inc/whitelist-common.inc
index 1b4e98d0e..7ea692607 100644
--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -4,6 +4,7 @@ include whitelist-common.local
 # common whitelist for all profiles
 
 whitelist ${HOME}/.XCompose
+whitelist ${HOME}/.alsaequal.bin
 whitelist ${HOME}/.asoundrc
 whitelist ${HOME}/.config/ibus
 whitelist ${HOME}/.config/mimeapps.list
@@ -60,11 +61,13 @@ whitelist ${HOME}/.themes
 whitelist ${HOME}/.cache/kioexec/krun
 whitelist ${HOME}/.config/Kvantum
 whitelist ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.config/QtProject.conf
 whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
 whitelist ${HOME}/.config/qt5ct
+whitelist ${HOME}/.config/qtcurve
 whitelist ${HOME}/.kde/share/config/kdeglobals
 whitelist ${HOME}/.kde/share/config/kio_httprc
 whitelist ${HOME}/.kde/share/config/kioslaverc
diff --git a/etc/inc/whitelist-players.inc b/etc/inc/whitelist-players.inc
new file mode 100644
index 000000000..0e473768b
--- /dev/null
+++ b/etc/inc/whitelist-players.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include whitelist-players.local
+
+# common whitelist for all media players
+
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}
diff --git a/etc/inc/whitelist-runuser-common.inc b/etc/inc/whitelist-runuser-common.inc
index f2a510e9d..7d9f106ef 100644
--- a/etc/inc/whitelist-runuser-common.inc
+++ b/etc/inc/whitelist-runuser-common.inc
@@ -10,3 +10,4 @@ whitelist ${RUNUSER}/ICEauthority
 whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
 whitelist ${RUNUSER}/pulse/native
 whitelist ${RUNUSER}/wayland-0
+whitelist ${RUNUSER}/xauth_*
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index ceeb14dcc..de4ae2101 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -16,6 +16,7 @@ whitelist /usr/share/enchant-2
 whitelist /usr/share/file
 whitelist /usr/share/fontconfig
 whitelist /usr/share/fonts
+whitelist /usr/share/fonts-config
 whitelist /usr/share/gir-1.0
 whitelist /usr/share/gjs-1.0
 whitelist /usr/share/glib-2.0
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 6869ea631..c4e820078 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -16,6 +16,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/0ad
 mkdir ${HOME}/.config/0ad
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
index 2686839ef..1332f4db4 100644
--- a/etc/profile-a-l/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -51,3 +51,4 @@ dbus-user none
 dbus-system none
 
 memory-deny-write-execute
+read-write ${HOME}/.local/share/mime
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
new file mode 100644
index 000000000..a401ac592
--- /dev/null
+++ b/etc/profile-a-l/balsa.profile
@@ -0,0 +1,78 @@
+# Firejail profile for balsa
+# Description: GNOME mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include balsa.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.balsa
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/mail
+noblacklist /var/mail
+noblacklist /var/spool/mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.balsa
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/mail
+whitelist ${HOME}/.balsa
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/mail
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/balsa
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin balsa,balsa-ab
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user filter
+dbus-user.own org.desktop.Balsa
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 3937e1966..4401c9dfd 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -30,6 +30,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index c1c338536..dbde3e4de 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/bnox.profile b/etc/profile-a-l/bnox.profile
index 031f3f4bd..6e8f0d7d1 100644
--- a/etc/profile-a-l/bnox.profile
+++ b/etc/profile-a-l/bnox.profile
@@ -5,6 +5,11 @@ include bnox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/bnox
 noblacklist ${HOME}/.config/bnox
 
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 35c59f5a3..904d3e94f 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -8,6 +8,12 @@ include globals.local
 
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
+# TOR is installed in ${HOME}
+ignore noexec ${HOME}
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
 
 noblacklist ${HOME}/.cache/BraveSoftware
 noblacklist ${HOME}/.config/BraveSoftware
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 54d3f742f..56709a466 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -14,6 +14,9 @@ noblacklist ${HOME}/.config/youtube-dl
 include allow-python2.inc
 include allow-python3.inc
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -28,12 +31,8 @@ mkdir ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.config/celluloid
 whitelist ${HOME}/.config/gnome-mpv
 whitelist ${HOME}/.config/youtube-dl
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -47,6 +46,7 @@ noroot
 nou2f
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/chromium-browser-privacy.profile b/etc/profile-a-l/chromium-browser-privacy.profile
new file mode 100644
index 000000000..09eaa2d12
--- /dev/null
+++ b/etc/profile-a-l/chromium-browser-privacy.profile
@@ -0,0 +1,17 @@
+# Firejail profile for chromium-browser-privacy
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chromium-browser-privacy.local
+
+noblacklist ${HOME}/.cache/ungoogled-chromium
+noblacklist ${HOME}/.config/ungoogled-chromium
+
+mkdir ${HOME}/.cache/ungoogled-chromium
+mkdir ${HOME}/.config/ungoogled-chromium
+whitelist ${HOME}/.cache/ungoogled-chromium
+whitelist ${HOME}/.config/ungoogled-chromium
+
+# private-bin basename,bash,chromium-browser-privacy,dirname,mkdir,readlink,sed,touch,which,xdg-settings
+
+# Redirect
+include chromium.profile
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 899400d25..6a9cf99b0 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -16,16 +16,25 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+# include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.pki
 mkdir ${HOME}/.local/share/pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
+whitelist /usr/share/chromium
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+# Uncomment the next line (or add it to your chromium-common.local)
+# if your kernel allows unprivileged userns clone.
+#include chromium-common-hardened.inc
+
 apparmor
 caps.keep sys_admin,sys_chroot
 netfilter
@@ -36,8 +45,10 @@ notv
 shell none
 
 disable-mnt
+private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-# private-tmp - problems with multiple browser sessions
+# problems with multiple browser sessions
+#private-tmp
 
 # prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
 # dbus-user none
diff --git a/etc/profile-a-l/chromium-freeworld.profile b/etc/profile-a-l/chromium-freeworld.profile
new file mode 100644
index 000000000..a1de85afa
--- /dev/null
+++ b/etc/profile-a-l/chromium-freeworld.profile
@@ -0,0 +1,5 @@
+# Firejail profile for chromium-freeworld
+# This file is overwritten after every install/update
+
+# Redirect
+include chromium.profile
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index 24954b2d8..69196c578 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -18,5 +18,10 @@ whitelist ${HOME}/.claws-mail
 
 whitelist /usr/share/doc/claws-mail
 
+# if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local)
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.talk org.freedesktop.Notifications
+
 # Redirect
 include email-common.profile
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index 4d92157d0..387b5f0a7 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -12,22 +12,29 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-var-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 
+apparmor
 caps.drop all
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 # blacklisting of ioprio_set system calls breaks clementine
 seccomp !ioprio_set
 
 private-dev
 private-tmp
+
+dbus-system none
+# dbus-user none
diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
new file mode 100644
index 000000000..e5debfd82
--- /dev/null
+++ b/etc/profile-a-l/cola.profile
@@ -0,0 +1,10 @@
+# Firejail profile for cola
+# Description: Linux native frontend for Git,alternative call for git-cola
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cola.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include git-cola.profile
\ No newline at end of file
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
new file mode 100644
index 000000000..76a14d99b
--- /dev/null
+++ b/etc/profile-a-l/dbus-send.profile
@@ -0,0 +1,59 @@
+# Firejail profile for dbus-send
+# Description: Send a message to a message bus
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dbus-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+# Breaks abstract sockets
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin dbus-send
+private-cache
+private-dev
+private-etc alternatives,dbus-1
+private-lib libpcre2-8.so.0
+private-tmp
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index d6541850d..b41a73916 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 74314cf92..7eb7660dd 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -14,6 +14,7 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# include disable-write-mnt.inc
 # include disable-xdg.inc
 
 # include whitelist-common.inc
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 52bf1c7f8..e409eb044 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -9,16 +9,24 @@ include globals.local
 noblacklist ${HOME}/.dia
 noblacklist ${DOCUMENTS}
 
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
-include allow-python2.inc
-include allow-python3.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.dia
+#whitelist ${HOME}/.dia
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+whitelist /usr/share/dia
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -36,6 +44,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 disable-mnt
 #private-bin dia
diff --git a/etc/profile-a-l/dnox.profile b/etc/profile-a-l/dnox.profile
index e02395771..51ba6f8b7 100644
--- a/etc/profile-a-l/dnox.profile
+++ b/etc/profile-a-l/dnox.profile
@@ -5,6 +5,11 @@ include dnox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/dnox
 noblacklist ${HOME}/.config/dnox
 
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 39366470f..5957d4316 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -8,8 +8,6 @@ include globals.local
 
 noblacklist ${HOME}/.config/electron-mail
 
-whitelist ${DOWNLOADS}
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -21,8 +19,10 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/electron-mail
 whitelist ${HOME}/.config/electron-mail
+whitelist ${DOWNLOADS}
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -45,12 +45,12 @@ shell none
 private-bin electron-mail
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
 private-opt ElectronMail
 private-tmp
 
 # breaks tray functionality
 # dbus-user none
-# dbus-system none
+dbus-system none
 
 # memory-deny-write-execute - breaks on Arch
diff --git a/etc/profile-a-l/element-desktop.profile b/etc/profile-a-l/element-desktop.profile
index c1aa821e3..2d56369cd 100644
--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -8,12 +8,9 @@ include element-desktop.local
 #include globals.local
 
 noblacklist ${HOME}/.config/Element
-noblacklist ${HOME}/.config/Element (Riot)
 
 mkdir ${HOME}/.config/Element
-mkdir ${HOME}/.config/Element (Riot)
 whitelist ${HOME}/.config/Element
-whitelist ${HOME}/.config/Element (Riot)
 whitelist /opt/Element
 
 private-opt Element
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 67af04267..df47f478d 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -58,8 +58,10 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 # encrypting and signing email
-read-only ${HOME}/.config/mimeapps.list
 writable-run-user
 
 # If you want to read local mail stored in /var/mail, add the following to email-common.local:
diff --git a/etc/profile-a-l/enox.profile b/etc/profile-a-l/enox.profile
index d8ac8b24a..d982433e2 100644
--- a/etc/profile-a-l/enox.profile
+++ b/etc/profile-a-l/enox.profile
@@ -5,6 +5,11 @@ include enox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/Enox
 noblacklist ${HOME}/.config/Enox
 
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 80c704c6b..e059f3b74 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -26,6 +27,7 @@ apparmor
 caps.drop all
 ipc-namespace
 machine-id
+net none
 no3d
 nodvd
 nogroups
@@ -37,6 +39,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 0d0153fc2..aabef65fc 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -15,9 +15,12 @@ whitelist /usr/share/eog
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
 
-dbus-user filter
-dbus-user.own org.gnome.eog
-dbus-user.talk ca.desrt.dconf
+
+# broken on Debian 10 (buster) running LXDE got the folowing error:
+# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
+#dbus-user filter
+#dbus-user.own org.gnome.eog
+#dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 # Redirect
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
new file mode 100644
index 000000000..58b053041
--- /dev/null
+++ b/etc/profile-a-l/equalx.profile
@@ -0,0 +1,63 @@
+# Firejail profile for equalx
+# Description: A graphical editor for writing LaTeX equations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include equalx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/equalx
+noblacklist ${HOME}/.equalx
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/equalx
+mkdir ${HOME}/.equalx
+whitelist ${HOME}/.config/equalx
+whitelist ${HOME}/.equalx
+whitelist /usr/share/poppler
+whitelist /usr/share/ghostscript
+whitelist /usr/share/texlive
+whitelist /usr/share/equalx
+whitelist /var/lib/texmf
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin equalx,gs,pdflatex,pdftocairo
+private-cache
+private-dev
+private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 77a48f0ba..c0c16e929 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 422200ffe..1355c4337 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -6,15 +6,16 @@ include evolution.local
 # Persistent global definitions
 include globals.local
 
-noblacklist /var/mail
-noblacklist /var/spool/mail
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.cache/evolution
 noblacklist ${HOME}/.config/evolution
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/evolution
-noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
+noblacklist /var/mail
+noblacklist /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -22,13 +23,42 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.bogofilter
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.cache/evolution
+mkdir ${HOME}/.config/evolution
+mkdir ${HOME}/.local/share/evolution
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.cache/evolution
+whitelist ${HOME}/.config/evolution
+whitelist ${HOME}/.local/share/evolution
+whitelist ${HOME}/.local/share/pki
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/evolution
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 # no3d breaks under wayland
-#no3d
+# no3d
 nodvd
 nogroups
 nonewprivs
@@ -40,7 +70,27 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# To use private-bin add all evolution,gpg,pinentry binaries and follow firefox.profile for hyperlink support
+# private-bin evolution
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
+writable-run-user
 writable-var
+
+dbus-user filter
+dbus-user.own org.gnome.Evolution
+dbus-user.talk ca.desrt.dconf
+# Uncomment to have keyring access
+# dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+dbus-user.talk org.gnome.OnlineAccounts
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 179540806..31cb1776c 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -29,20 +29,20 @@ no3d
 nodvd
 nogroups
 nonewprivs
-# noroot
+noroot
 nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 #seccomp
 #shell none
 
 disable-mnt
 private
 private-bin bash,fdns,sh
-# private-cache
-private-dev
+private-cache
+#private-dev
 private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
 # private-lib
 private-tmp
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index fb5c9ee57..c6e9ba095 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -41,6 +41,7 @@ novideo
 protocol inet,inet6
 # allow set_mempolicy, which is required to encode using libx265
 seccomp !set_mempolicy
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 745b8b8e9..2a1eb2001 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index 6c7ab8f0d..43e877fd0 100644
--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
+noblacklist ${HOME}/.ssh
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 7c343c26d..fe0a27828 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -27,6 +27,7 @@ whitelist ${DOWNLOADS}
 whitelist ${HOME}/.pki
 whitelist ${HOME}/.local/share/pki
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 337311ed8..3472ac5c4 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -24,7 +24,7 @@ include whitelist-usr-share-common.inc
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
 # Fedora use shell scripts to launch firefox, at least this is required
-#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname
+#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 
@@ -33,6 +33,12 @@ dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
 # Uncomment or put in your firefox.local to enable native notifications.
 #dbus-user.talk org.freedesktop.Notifications
+# Uncomment or put in your firefox.local to allow to inhibit screensavers
+#dbus-user.talk org.freedesktop.ScreenSaver
+# Uncomment or put in your firefox.local for plasma browser integration
+#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kuiserver
 ignore dbus-user none
 
 # Redirect
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 7c41417ec..851a7c747 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -9,6 +9,7 @@ include globals.local
 
 noblacklist ${PICTURES}
 noblacklist ${HOME}/.config/Dharkael
+noblacklist ${HOME}/.config/flameshot
 
 include disable-common.inc
 include disable-devel.inc
@@ -19,8 +20,11 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.config/Dharkael
+#mkdir ${HOME}/.config/flameshot
 #whitelist ${PICTURES}
 #whitelist ${HOME}/.config/Dharkael
+#whitelist ${HOME}/.config/flameshot
 whitelist /usr/share/flameshot
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -41,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -53,4 +58,5 @@ private-tmp
 
 dbus-user filter
 dbus-user.own org.dharkael.Flameshot
+dbus-user.own org.flameshot.Flameshot
 dbus-system none
diff --git a/etc/profile-a-l/flashpeak-slimjet.profile b/etc/profile-a-l/flashpeak-slimjet.profile
index b841bce75..310fb378f 100644
--- a/etc/profile-a-l/flashpeak-slimjet.profile
+++ b/etc/profile-a-l/flashpeak-slimjet.profile
@@ -5,6 +5,11 @@ include flashpeak-slimjet.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/slimjet
 noblacklist ${HOME}/.config/slimjet
 
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
new file mode 100644
index 000000000..ab907eb0d
--- /dev/null
+++ b/etc/profile-a-l/fractal.profile
@@ -0,0 +1,54 @@
+# Firejail profile for fractal
+# Description: Desktop client for Matrix 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include fractal.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/fractal
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/fractal
+whitelist ${HOME}/.cache/fractal
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin fractal
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Fractal
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 653272499..23d259337 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 74b468020..e339f6abb 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index fa01d04b7..f4e5a392f 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -10,22 +10,20 @@ include geary.local
 # Users have Geary set to open a browser by clicking a link in an email
 # We are not allowed to blacklist browser-specific directories
 
-ignore dbus-user none
+ignore dbus-user filter
 ignore dbus-system none
 ignore private-tmp
 
-noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.cache/geary
+noblacklist ${HOME}/.config/geary
 noblacklist ${HOME}/.local/share/geary
 
-mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/geary
 mkdir ${HOME}/.config/geary
 mkdir ${HOME}/.local/share/geary
-whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.cache/geary
 whitelist ${HOME}/.config/geary
 whitelist ${HOME}/.local/share/geary
-
-read-only ${HOME}/.config/mimeapps.list
-
 whitelist /usr/share/geary
 
 # allow Mozilla browsers
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 17b7ad563..30251fbe5 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index d97ab530b..b8d1b9608 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -49,6 +49,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index 5bb410278..c15174815 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -26,6 +26,7 @@ whitelist /usr/share/texlive
 whitelist /usr/share/pandoc*
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -41,6 +42,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp !chroot
+seccomp.block-secondary
 shell none
 #tracelog -- breaks
 
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 8093c0c39..ed27de7f5 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -6,6 +6,14 @@ include gimp.local
 # Persistent global definitions
 include globals.local
 
+# Uncomment or add to gimp.local in order to support scanning via xsane (see #3640).
+# TODO: Replace 'ignore seccomp' with a less permissive option.
+#ignore seccomp
+#ignore dbus-system
+#ignore net
+#protocol unix,inet,inet6
+
+
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
 # if you are not using external plugins, you can comment 'ignore noexec' statement below
 # or put 'noexec ${HOME}' in your gimp.local
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 30e80f519..4708078dd 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.subversion
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/git-cola
 # Put your editor,diff viewer config path below and uncomment to load settings
@@ -28,7 +29,19 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
+# Whitelist your editor, diff viewer, gnupg path below in /usr/share/
+whitelist /usr/share/git
+whitelist /usr/share/git-cola
+whitelist /usr/share/git-core
+whitelist /usr/share/git-gui
+whitelist /usr/share/gitk
+whitelist /usr/share/gitweb
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -49,18 +62,22 @@ seccomp
 shell none
 tracelog
 
-# private-bin atom,bash,colordiff,emacs,fldiff,geany,gedit,git,git gui,git-cola,git-dag,gitk,gpg,gvim,leafpad,meld,mousepad,nano,notepadqq,python*,sh,ssh,vim,vimdiff,which,xed
+# Add your own diff viewer,editor,pinentry program
+# pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
-# Comment if you sign commits with GPG
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
+writable-run-user
 
-dbus-user filter
+# Breaks meld as diff viewer
+# dbus-user filter
 # Uncomment if you need keyring access
 # dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.ssh
-read-only ${HOME}/.gnupg
 read-only ${HOME}/.git-credentials
+
+# Comment if you need to allow hosts
+read-only ${HOME}/.ssh
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 71b8e9b11..3d80c1ed2 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -45,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index 7a684dd59..8f637902c 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -6,6 +6,8 @@ include gnome-builder.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.bash_history
+
 noblacklist ${HOME}/.cache/gnome-builder
 noblacklist ${HOME}/.config/gnome-builder
 noblacklist ${HOME}/.local/share/gnome-builder
@@ -34,3 +36,5 @@ seccomp
 shell none
 
 private-dev
+
+read-write ${HOME}/.bash_history
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index ceb01f2a0..7780dfa65 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 3e815234c..9927fb869 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index f4f3ae2d7..4d53a67dd 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index 7a38bdc8a..03b89e394 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -32,6 +32,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 
 disable-mnt
 private-dev
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 5ae7bbe01..bb5ef0eab 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index ecbb74158..a0b9ef04e 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -9,8 +9,6 @@ include globals.local
 
 noblacklist ${HOME}/.gnupg
 
-whitelist ${HOME}/.gnupg
-whitelist ${DOWNLOADS}
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,9 +17,15 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+whitelist ${DOWNLOADS}
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -41,6 +45,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -52,6 +57,6 @@ private-dev
 private-tmp
 
 # dbus-user none
-# dbus-system none
+dbus-system none
 
 memory-deny-write-execute
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 11d184bc6..87376da40 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -41,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index eb0030dda..23629df95 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -54,6 +54,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index 615be7873..073de47b9 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -43,6 +43,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -52,3 +53,8 @@ private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,passwd
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.PasswordSafe
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 2af406af9..65cc23b5f 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index 82fb1b658..2534eed5a 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index a64ec25a9..2e063ebfe 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -33,6 +33,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 2fab3dcc7..5bef96ae7 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -53,8 +53,8 @@ dbus-user filter
 dbus-user.own org.gnome.Todo
 dbus-user.talk ca.desrt.dconf
 #dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
-#dbus-user.talk org.gnome.evolution.dataserver.Calendar8
-#dbus-user.talk org.gnome.evolution.dataserver.Sources5
+dbus-user.talk org.gnome.evolution.dataserver.Calendar8
+dbus-user.talk org.gnome.evolution.dataserver.Sources5
 #dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
 #dbus-user.talk org.gnome.OnlineAccounts
 dbus-system none
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index a181f1b9e..beed92a7d 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index c46fbc1d9..56ed7a436 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -34,6 +34,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/google-chrome-beta.profile b/etc/profile-a-l/google-chrome-beta.profile
index a62e4cf74..ebe5e870b 100644
--- a/etc/profile-a-l/google-chrome-beta.profile
+++ b/etc/profile-a-l/google-chrome-beta.profile
@@ -5,6 +5,11 @@ include google-chrome-beta.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome-beta
 noblacklist ${HOME}/.config/google-chrome-beta
 
diff --git a/etc/profile-a-l/google-chrome-unstable.profile b/etc/profile-a-l/google-chrome-unstable.profile
index 14547eab2..4d303f71b 100644
--- a/etc/profile-a-l/google-chrome-unstable.profile
+++ b/etc/profile-a-l/google-chrome-unstable.profile
@@ -5,6 +5,11 @@ include google-chrome-unstable.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome-unstable
 noblacklist ${HOME}/.config/google-chrome-unstable
 
diff --git a/etc/profile-a-l/google-chrome.profile b/etc/profile-a-l/google-chrome.profile
index 66f76caa0..ed2595f72 100644
--- a/etc/profile-a-l/google-chrome.profile
+++ b/etc/profile-a-l/google-chrome.profile
@@ -5,6 +5,11 @@ include google-chrome.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/google-chrome
 noblacklist ${HOME}/.config/google-chrome
 
diff --git a/etc/profile-a-l/gtk-straw-viewer.profile b/etc/profile-a-l/gtk-straw-viewer.profile
new file mode 100644
index 000000000..e2721360b
--- /dev/null
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gtk-straw-viewer
+# Description: Gtk front-end to straw-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-straw-viewer.local
+# added by included profile
+#include globals.local
+
+ignore quiet
+
+include whitelist-runuser-common.inc
+
+# Redirect
+include straw-viewer.profile
diff --git a/etc/profile-a-l/gtk-youtube-viewer b/etc/profile-a-l/gtk-youtube-viewer.profile
index 023f10d3d..848979b52 100644
--- a/etc/profile-a-l/gtk-youtube-viewer
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -3,16 +3,12 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}/wayland-*
-noblacklist ${RUNUSER}
-
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk2-youtube-viewer b/etc/profile-a-l/gtk2-youtube-viewer.profile
index 331e73218..dccadcf2e 100644
--- a/etc/profile-a-l/gtk2-youtube-viewer
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -3,8 +3,8 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk2-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
@@ -15,4 +15,4 @@ noblacklist ${RUNUSER}
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gtk3-youtube-viewer b/etc/profile-a-l/gtk3-youtube-viewer.profile
index 4c5bde55f..3d91e284d 100644
--- a/etc/profile-a-l/gtk3-youtube-viewer
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -3,8 +3,8 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk3-youtube-viewer.local
-# Persistent global definitions
-# include globals.local
+# added by included profile
+#include globals.local
 
 ignore quiet
 
@@ -15,4 +15,4 @@ noblacklist ${RUNUSER}
 include whitelist-runuser-common.inc
 
 # Redirect
-include youtube-viewer.profile
\ No newline at end of file
+include youtube-viewer.profile
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index c0254b5ec..3df42d209 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -35,6 +35,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index 898a07a5f..8ac07d3da 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -8,6 +8,8 @@ include globals.local
 
 noblacklist ${HOME}/.hedgewars
 
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
diff --git a/etc/profile-a-l/inox.profile b/etc/profile-a-l/inox.profile
index 1b3db73b4..a5cac12f2 100644
--- a/etc/profile-a-l/inox.profile
+++ b/etc/profile-a-l/inox.profile
@@ -5,6 +5,11 @@ include inox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/inox
 noblacklist ${HOME}/.config/inox
 
diff --git a/etc/profile-a-l/iridium.profile b/etc/profile-a-l/iridium.profile
index ebb39b0a3..3037d00e9 100644
--- a/etc/profile-a-l/iridium.profile
+++ b/etc/profile-a-l/iridium.profile
@@ -5,6 +5,11 @@ include iridium.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://github.com/netblue30/firejail/pull/3688#issuecomment-718711565
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/iridium
 noblacklist ${HOME}/.config/iridium
 
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
new file mode 100644
index 000000000..9899ff195
--- /dev/null
+++ b/etc/profile-a-l/kazam.profile
@@ -0,0 +1,54 @@
+# Firejail profile for kazam
+# Description: Screen capture tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kazam.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+noblacklist ${HOME}/.config/kazam
+
+include allow-python2.inc 
+include allow-python3.inc 
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/kazam
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# private-bin kazam,python*
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-tmp
+
+dbus-system none
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index e8fc4e632..58db056b2 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -55,6 +55,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
@@ -72,9 +73,12 @@ dbus-user.talk org.freedesktop.login1.Session
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.gnome.SessionManager.Presence
-# Uncomment or add to your keepassxc.local to allow Notifications.
+# Uncomment or add to your keepassxc.local to allow Notifications/Tray.
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-user.talk org.kde.StatusNotifierWatcher
+# These numbers seems to be not stable, see #3713. Play around with them.
+#dbus-user.own org.kde.StatusNotifierItem-2-2
+#dbus-user.own org.kde.StatusNotifierItem-10-2
 dbus-system none
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index ab4ff10b9..8d99da3cf 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -9,6 +9,10 @@ include globals.local
 # kmail has problems launching akonadi in debian and ubuntu.
 # one solution is to have akonadi already running when kmail is started
 
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.kde/
+# noblacklist ${HOME}/.kde4/
+noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/akonadi*
 noblacklist ${HOME}/.cache/kmail2
 noblacklist ${HOME}/.config/akonadi*
@@ -19,7 +23,6 @@ noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.config/kmailsearchindexingrc
 noblacklist ${HOME}/.config/mailtransports
 noblacklist ${HOME}/.config/specialmailcollectionsrc
-noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/akonadi*
 noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
@@ -30,6 +33,8 @@ noblacklist ${HOME}/.local/share/kxmlgui5/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
 noblacklist /tmp/akonadi-*
+noblacklist /var/mail
+noblacklist /var/spool/mail
 
 include disable-common.inc
 include disable-devel.inc
@@ -37,10 +42,73 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
+mkdir ${HOME}/.gnupg
+# mkdir ${HOME}/.kde/
+# mkdir ${HOME}/.kde4/
+mkdir ${HOME}/.cache/akonadi*
+mkdir ${HOME}/.cache/kmail2
+mkdir ${HOME}/.config/akonadi*
+mkdir ${HOME}/.config/baloorc
+mkdir ${HOME}/.config/emaildefaults
+mkdir ${HOME}/.config/emailidentities
+mkdir ${HOME}/.config/kmail2rc
+mkdir ${HOME}/.config/kmailsearchindexingrc
+mkdir ${HOME}/.config/mailtransports
+mkdir ${HOME}/.config/specialmailcollectionsrc
+mkdir ${HOME}/.local/share/akonadi*
+mkdir ${HOME}/.local/share/apps/korganizer
+mkdir ${HOME}/.local/share/contacts
+mkdir ${HOME}/.local/share/emailidentities
+mkdir ${HOME}/.local/share/kmail2
+mkdir ${HOME}/.local/share/kxmlgui5/kmail
+mkdir ${HOME}/.local/share/kxmlgui5/kmail2
+mkdir ${HOME}/.local/share/local-mail
+mkdir ${HOME}/.local/share/notes
+mkdir /tmp/akonadi-*
+whitelist ${HOME}/.gnupg
+# whitelist ${HOME}/.kde/
+# whitelist ${HOME}/.kde4/
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/akonadi*
+whitelist ${HOME}/.cache/kmail2
+whitelist ${HOME}/.config/akonadi*
+whitelist ${HOME}/.config/baloorc
+whitelist ${HOME}/.config/emaildefaults
+whitelist ${HOME}/.config/emailidentities
+whitelist ${HOME}/.config/kmail2rc
+whitelist ${HOME}/.config/kmailsearchindexingrc
+whitelist ${HOME}/.config/mailtransports
+whitelist ${HOME}/.config/specialmailcollectionsrc
+whitelist ${HOME}/.local/share/akonadi*
+whitelist ${HOME}/.local/share/apps/korganizer
+whitelist ${HOME}/.local/share/contacts
+whitelist ${HOME}/.local/share/emailidentities
+whitelist ${HOME}/.local/share/kmail2
+whitelist ${HOME}/.local/share/kxmlgui5/kmail
+whitelist ${HOME}/.local/share/kxmlgui5/kmail2
+whitelist ${HOME}/.local/share/local-mail
+whitelist ${HOME}/.local/share/notes
+whitelist ${DOWNLOADS}
+whitelist ${DOCUMENTS}
+whitelist ${RUNUSER}/gnupg
+whitelist /tmp/akonadi-*
+whitelist /usr/share/akonadi
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /usr/share/kconf_update
+whitelist /usr/share/kf5
+whitelist /usr/share/kservices5
+whitelist /usr/share/qlogging-categories5
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# apparmor
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -56,7 +124,14 @@ protocol unix,inet,inet6,netlink
 seccomp !chroot,!io_getevents,!io_setup,!io_submit,!ioprio_set
 # tracelog
 
+private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
-# writable-run-user is needed for signing and encrypting emails
 writable-run-user
+writable-var
+
+# dbus-user none
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
new file mode 100644
index 000000000..cf3a69fd7
--- /dev/null
+++ b/etc/profile-a-l/kube.profile
@@ -0,0 +1,81 @@
+# Firejail profile for kube
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/kube
+noblacklist ${HOME}/.config/kube
+noblacklist ${HOME}/.config/sink
+noblacklist ${HOME}/.local/share/kube
+noblacklist ${HOME}/.local/share/sink
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/kube
+mkdir ${HOME}/.config/kube
+mkdir ${HOME}/.config/sink
+mkdir ${HOME}/.local/share/kube
+mkdir ${HOME}/.local/share/sink
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/kube
+whitelist ${HOME}/.config/kube
+whitelist ${HOME}/.config/sink
+whitelist ${HOME}/.local/share/kube
+whitelist ${HOME}/.local/share/sink
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/kube
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg 
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin kube,sink_synchronizer
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index f9c92f6f6..031f0e19f 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -43,6 +43,8 @@ shell none
 # comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
 tracelog
 
+#private-bin libreoffice,sh,uname,dirname,grep,sed,basename,ls
+private-cache
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
index dc156b298..c509122e2 100644
--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -6,8 +6,10 @@ include linphone.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/linphone
 noblacklist ${HOME}/.linphone-history.db
 noblacklist ${HOME}/.linphonerc
+noblacklist ${HOME}/.local/share/linphone
 
 include disable-common.inc
 include disable-devel.inc
@@ -16,10 +18,15 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-mkfile ${HOME}/.linphone-history.db
-mkfile ${HOME}/.linphonerc
+# linphone 4.0 (released 2017-06-26) moved config and database files to respect
+# freedesktop standards. For backward compatibility we continue to whitelist
+# ${HOME}/.linphone-history.db and ${HOME}/.linphonerc but no longer mkfile.
+mkdir ${HOME}/.config/linphone
+mkdir ${HOME}/.local/share/linphone
+whitelist ${HOME}/.config/linphone
 whitelist ${HOME}/.linphone-history.db
 whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/.local/share/linphone
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
new file mode 100644
index 000000000..6f74e6da3
--- /dev/null
+++ b/etc/profile-m-z/man.profile
@@ -0,0 +1,65 @@
+# Firejail profile for man
+# Description: manpage viewer
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include man.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.local/share/man
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/man
+whitelist ${HOME}/.local/share/man
+whitelist ${HOME}/.manpath
+whitelist /usr/share/groff
+whitelist /usr/share/info
+whitelist /usr/share/lintian
+whitelist /usr/share/locale
+whitelist /usr/share/man
+whitelist /var/cache/man
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
+private-cache
+private-dev
+private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index 19f9edf05..37ac9e304 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -14,6 +14,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.megaglest
@@ -37,6 +38,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index 385700648..6ceeb867f 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -62,6 +62,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
new file mode 100644
index 000000000..c70090a25
--- /dev/null
+++ b/etc/profile-m-z/menulibre.profile
@@ -0,0 +1,63 @@
+# Firejail profile for menulibre
+# Description: Create desktop and menu launchers easily
+# This file is overwritten after every install/update
+# Persistent local customizations
+include menulibre.local
+# Persistent global definitions
+include globals.local
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
+# Whitelist your system icon directory,varies by distro
+whitelist /usr/share/app-info
+whitelist /usr/share/desktop-directories
+whitelist /usr/share/icons
+whitelist /usr/share/menulibre
+whitelist /var/lib/app-info/icons
+whitelist /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/icons
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-write ${HOME}/.config/menus
+read-write ${HOME}/.gnome/apps
+read-write ${HOME}/.local/share/applications
+read-write ${HOME}/.local/share/flatpak/exports
diff --git a/etc/profile-m-z/min.profile b/etc/profile-m-z/min.profile
index 7f3aeab44..be85fdbc4 100644
--- a/etc/profile-m-z/min.profile
+++ b/etc/profile-m-z/min.profile
@@ -6,6 +6,8 @@ include min.local
 # Persistent global definitions
 include globals.local
 
+nowhitelist /usr/share/chromium
+
 noblacklist ${HOME}/.config/Min
 
 mkdir ${HOME}/.config/Min
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index 1da430ce6..e126050b7 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -12,6 +12,9 @@ include globals.local
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -25,6 +28,7 @@ mkdir ${HOME}/.cache/minetest
 mkdir ${HOME}/.minetest
 whitelist ${HOME}/.cache/minetest
 whitelist ${HOME}/.minetest
+whitelist /usr/share/games/minetest
 whitelist /usr/share/minetest
 include whitelist-common.inc
 include whitelist-runuser-common.inc
@@ -43,11 +47,12 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
-private-bin minetest
+private-bin minetest,rm
 private-cache
 private-dev
 # private-etc needs to be updated, see #1702
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 2c70978a9..39ecc7127 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -46,7 +46,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !kcmp
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
new file mode 100644
index 000000000..4a5f12aec
--- /dev/null
+++ b/etc/profile-m-z/mirage.profile
@@ -0,0 +1,59 @@
+# Firejail profile for mirage
+# Description: Desktop client for Matrix 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mirage.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/mirage
+noblacklist ${HOME}/.config/mirage
+noblacklist ${HOME}/.local/share/mirage
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/mirage
+mkdir ${HOME}/.config/mirage
+mkdir ${HOME}/.local/share/mirage
+whitelist ${HOME}/.cache/mirage
+whitelist ${HOME}/.config/mirage
+whitelist ${HOME}/.local/share/mirage
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin mirage
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index f4f862cb9..31a6caa9a 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -18,12 +18,8 @@ include disable-programs.inc
 read-only ${DESKTOP}
 mkdir ${HOME}/.mplayer
 whitelist ${HOME}/.mplayer
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index e0c6ff1c8..414eaf312 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.mplayer
 noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/mps
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -40,10 +43,8 @@ whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.mplayer
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/mps
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 5ca684eb5..ce3bfe421 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,6 +11,19 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 #    screenshot-directory=~/Pictures
 
+# Mpv has a powerfull lua-API, some off these lua-scripts interact
+# with external resources which are blocked by firejail. In such cases
+# you need to allow these resources by
+#  - adding additional binaries to private-bin
+#  - whitelisting additional paths
+#  - noblacklisting paths
+#  - weaking the dbus-policy
+#  - ...
+#
+# Often these scripts require a shell:
+#noblacklist ${PATH}/sh
+#private-bin sh
+
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.netrc
@@ -36,12 +49,8 @@ mkfile ${HOME}/.netrc
 whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.netrc
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
 whitelist /usr/share/vulkan
@@ -58,10 +67,11 @@ noroot
 nou2f
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
-private-bin env,mpv,python*,youtube-dl
+private-bin env,mpv,python*,waf,youtube-dl
 # private-cache causes slow OSD, see #2838
 #private-cache
 private-dev
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
new file mode 100644
index 000000000..955df698d
--- /dev/null
+++ b/etc/profile-m-z/musictube.profile
@@ -0,0 +1,57 @@
+# Firejail profile for musictube
+# Description: Stream music 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include musictube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Flavio Tordini
+noblacklist ${HOME}/.config/Flavio Tordini
+noblacklist ${HOME}/.local/share/Flavio Tordini
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc 
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Flavio Tordini
+mkdir ${HOME}/.config/Flavio Tordini
+mkdir ${HOME}/.local/share/Flavio Tordini
+whitelist ${HOME}/.cache/Flavio Tordini
+whitelist ${HOME}/.config/Flavio Tordini
+whitelist ${HOME}/.local/share/Flavio Tordini
+whitelist /usr/share/musictube
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin musictube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
new file mode 100644
index 000000000..ff292f409
--- /dev/null
+++ b/etc/profile-m-z/notify-send.profile
@@ -0,0 +1,60 @@
+# Firejail profile for notify-send
+# Description: a program to send desktop notifications
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include notify-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin notify-send
+private-cache
+private-dev
+private-etc none
+private-tmp
+
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 36723ca29..e21ac997a 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -53,7 +53,7 @@ seccomp
 shell none
 tracelog
 
-private-bin kbuildsycoca4,kdeinit4,lpr,okular
+private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
 private-dev
 private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
new file mode 100644
index 000000000..3a235a677
--- /dev/null
+++ b/etc/profile-m-z/onboard.profile
@@ -0,0 +1,55 @@
+# Firejail profile for onboard
+# Description: On-screen keyboard
+# This file is overwritten after every install/update
+# Persistent local customizations
+include onboard.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/onboard
+
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/onboard
+whitelist ${HOME}/.config/onboard
+whitelist /usr/share/onboard
+include whitelist-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc 
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-bin onboard,python*,tput
+private-dev
+private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
+private-tmp
+
+dbus-system none
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 45682fc31..88d5d0e1e 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/.openarena
 whitelist /usr/share/openarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
-include whitelist-usr-share-common.in
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-m-z/opera-beta.profile b/etc/profile-m-z/opera-beta.profile
index 8658d30c6..551f1aba4 100644
--- a/etc/profile-m-z/opera-beta.profile
+++ b/etc/profile-m-z/opera-beta.profile
@@ -5,6 +5,11 @@ include opera-beta.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera-beta
 
diff --git a/etc/profile-m-z/opera.profile b/etc/profile-m-z/opera.profile
index b342b3961..2c7c5fc35 100644
--- a/etc/profile-m-z/opera.profile
+++ b/etc/profile-m-z/opera.profile
@@ -6,6 +6,11 @@ include opera.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/opera
 noblacklist ${HOME}/.config/opera
 noblacklist ${HOME}/.opera
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 8663fb453..6cbaa66ad 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -37,6 +37,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index eee42424f..2a7d0cec1 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -13,6 +13,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,6 +41,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 66fdd6496..710a533a9 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -17,7 +17,18 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+#mkdir ${HOME}/.cache/peek
+#whitelist ${HOME}/.cache/peek
+#whitelist ${PICTURES}
+#whitelist ${VIDEOS}
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
@@ -30,14 +41,22 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
+tracelog
 
-# private-bin breaks gif mode, mp4 and webm mode work fine however
-# private-bin convert,ffmpeg,peek
+disable-mnt
+private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
 private-dev
+private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
 private-tmp
 
-dbus-user none
+dbus-user filter
+dbus-user.own com.uploadedlobster.peek
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.FileManager1
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.gnome.Shell.Screencast
 dbus-system none
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 2e4215744..e81e78ca7 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -21,6 +21,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.purple
 whitelist ${HOME}/.purple
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index 3ef8ad64a..bd95cb1de 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -54,3 +54,6 @@ private-tmp
 
 # memory-deny-write-execute is built using seccomp; nonewprivs will kill it
 #memory-deny-write-execute
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 83905b108..3513e91cc 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -7,6 +7,8 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${PICTURES}
+
 blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
@@ -16,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-xdg.inc
 
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
new file mode 100644
index 000000000..d3112ae95
--- /dev/null
+++ b/etc/profile-m-z/psi.profile
@@ -0,0 +1,78 @@
+# Firejail profile for psi
+# Description: Native XMPP client with GPG support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include psi.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment for GPG
+# noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.cache/psi
+noblacklist ${HOME}/.cache/Psi
+noblacklist ${HOME}/.config/psi
+noblacklist ${HOME}/.local/share/psi
+noblacklist ${HOME}/.local/share/Psi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# Uncomment for GPG
+# mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/psi
+mkdir ${HOME}/.cache/Psi
+mkdir ${HOME}/.config/psi
+mkdir ${HOME}/.local/share/psi
+mkdir ${HOME}/.local/share/Psi
+# Uncomment for GPG
+# whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.cache/psi
+whitelist ${HOME}/.cache/Psi
+whitelist ${HOME}/.config/psi
+whitelist ${HOME}/.local/share/psi
+whitelist ${HOME}/.local/share/Psi
+whitelist ${DOWNLOADS}
+# Uncomment for GPG
+# whitelist /usr/share/gnupg
+# whitelist /usr/share/gnupg2
+whitelist /usr/share/psi
+# Uncomment for GPG
+# whitelist ${RUNUSER}/gnupg
+# whitelist ${RUNUSER}/keyring
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+# breaks on Arch
+# tracelog
+
+disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG
+private-bin getopt,psi
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 81ec1bc6b..2fb02aefc 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -56,6 +56,7 @@ private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
+# See https://github.com/netblue30/firejail/issues/3707 for tray-icon
 dbus-user none
 dbus-system none
 
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
new file mode 100644
index 000000000..5e49a342a
--- /dev/null
+++ b/etc/profile-m-z/qrencode.profile
@@ -0,0 +1,58 @@
+# Firejail profile for qrencode
+# Description: Encode input data in a QR Code and save as a PNG or EPS image.
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include qrencode.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin qrencode
+private-cache
+private-dev
+private-etc none
+private-lib libpcre2-8.so.0
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
new file mode 100644
index 000000000..2133c74d3
--- /dev/null
+++ b/etc/profile-m-z/quaternion.profile
@@ -0,0 +1,54 @@
+# Firejail profile for quaternion
+# Description: Desktop client for Matrix 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quaternion.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/Quotient/quaternion
+noblacklist ${HOME}/.config/Quotient
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/Quotient/quaternion
+mkdir ${HOME}/.config/Quotient
+whitelist ${HOME}/.cache/Quotient/quaternion
+whitelist ${HOME}/.config/Quotient
+whitelist ${DOWNLOADS}
+whitelist /usr/share/Quotient/quaternion
+include whitelist-common.inc
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin quaternion
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
index bb1ad56d3..a29205e14 100644
--- a/etc/profile-m-z/redeclipse.profile
+++ b/etc/profile-m-z/redeclipse.profile
@@ -14,10 +14,14 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.redeclipse
 whitelist ${HOME}/.redeclipse
+whitelist /usr/share/redeclipse
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -32,8 +36,13 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
+#private-bin redeclipse,sh,man
+private-cache
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index b76f2b947..e7f379509 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -14,6 +14,9 @@ noblacklist ${HOME}/.local/share/rhythmbox
 include allow-python2.inc
 include allow-python3.inc
 
+# Allow lua (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -26,6 +29,7 @@ include disable-xdg.inc
 whitelist /usr/share/rhythmbox
 whitelist /usr/share/lua
 whitelist /usr/share/libquvi-scripts
+whitelist /usr/share/tracker
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -41,10 +45,12 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 private-bin rhythmbox,rhythmbox-client
+private-cache
 private-dev
 private-tmp
 
@@ -54,6 +60,6 @@ dbus-user.own org.mpris.MediaPlayer2.rhythmbox
 dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.Notifications
-dbus-system none
+dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
 dbus-system filter
 dbus-system.talk org.freedesktop.Avahi
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 85d86d646..8bb1f53a7 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -63,6 +63,7 @@ private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ho
 writable-run-user
 
 dbus-user filter
+dbus-user.own org.gnome.seahorse
 dbus-user.own org.gnome.seahorse.Application
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index 6cd70c2ea..c67a88161 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -40,6 +40,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 3fb6fc349..8ffc47ff6 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -10,7 +10,7 @@ noblacklist ${HOME}/.config/smplayer
 noblacklist ${HOME}/.config/youtube-dl
 noblacklist ${HOME}/.mplayer
 
-# Allow python (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
 include allow-python2.inc
 include allow-python3.inc
 
@@ -26,7 +26,9 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+whitelist /usr/share/lua*
 whitelist /usr/share/smplayer
+whitelist /usr/share/vulkan
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -41,7 +43,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl
+private-bin env,mplayer,mpv,python*,smplayer,smtube,waf,youtube-dl
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
new file mode 100644
index 000000000..541e5a1c4
--- /dev/null
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -0,0 +1,55 @@
+# Firejail profile for smuxi-frontend-gnome
+# Description: Multi protocol chat client with Twitter support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include smuxi-frontend-gnome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/smuxi
+noblacklist ${HOME}/.config/smuxi
+noblacklist ${HOME}/.local/share/smuxi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/smuxi
+mkdir ${HOME}/.config/smuxi
+mkdir ${HOME}/.local/share/smuxi
+whitelist ${HOME}/.cache/smuxi
+whitelist ${HOME}/.config/smuxi
+whitelist ${HOME}/.local/share/smuxi
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/snox.profile b/etc/profile-m-z/snox.profile
index 3b3fd1ae1..83493652c 100644
--- a/etc/profile-m-z/snox.profile
+++ b/etc/profile-m-z/snox.profile
@@ -5,6 +5,11 @@ include snox.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/snox
 noblacklist ${HOME}/.config/snox
 
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
new file mode 100644
index 000000000..ad39f1071
--- /dev/null
+++ b/etc/profile-m-z/spectacle.profile
@@ -0,0 +1,64 @@
+# Firejail profile for spectacle
+# Description: Spectacle is a simple application for capturing desktop screenshots.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spectacle.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment the following lines to use sharing services.
+#netfilter
+#ignore net none
+#private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+#protocol unix,inet,inet6
+
+noblacklist ${HOME}/.config/spectaclerc
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkfile  ${HOME}/.config/spectaclerc
+whitelist ${HOME}/.config/spectaclerc
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin spectacle
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.conf
+private-tmp
+
+dbus-user filter
+dbus-user.own org.kde.spectacle
+dbus-user.talk org.freedesktop.FileManager1
+#dbus-user.talk org.kde.JobViewServer
+#dbus-user.talk org.kde.kglobalaccel
+dbus-system none
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
new file mode 100644
index 000000000..d7f94e144
--- /dev/null
+++ b/etc/profile-m-z/spectral.profile
@@ -0,0 +1,53 @@
+# Firejail profile for spectral
+# Description: Desktop client for Matrix 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include spectral.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/ENCOM/Spectral
+noblacklist ${HOME}/.config/ENCOM
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/ENCOM/Spectral
+mkdir ${HOME}/.config/ENCOM
+whitelist ${HOME}/.cache/ENCOM/Spectral
+whitelist ${HOME}/.config/ENCOM
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-bin spectral
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index cdb20b4e0..110434736 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -18,6 +18,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -35,6 +36,7 @@ nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+seccomp.block-secondary
 shell none
 
 private-bin sqlitebrowser
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 5d3458c29..78b12c2cb 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -34,7 +34,7 @@ nonewprivs
 # noroot - see issue #1543
 nosound
 notv
-nou2f
+# nou2f - OpenSSH >= 8.2 supports U2F 
 novideo
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
new file mode 100644
index 000000000..721ad38ee
--- /dev/null
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -0,0 +1,58 @@
+# Firejail profile for straw-viewer
+# Description: Fork of youtube-viewer acts like an invidious frontend
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include straw-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/straw-viewer
+noblacklist ${HOME}/.config/straw-viewer
+
+include allow-lua.inc
+include allow-perl.inc
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/straw-viewer
+mkdir ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.cache/straw-viewer
+whitelist ${HOME}/.config/straw-viewer
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,ffmpeg,ffprobe,gtk-straw-viewer,mpv,perl,python*,sh,smplayer,straw-viewer,stty,vlc,wget,which,youtube-dl
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 426b2dc1c..09ada1e25 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -38,6 +38,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index ceaae8fbf..9cc023765 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix,netlink
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index ce69c8b4b..ff99c234e 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -27,6 +27,7 @@ whitelist ${HOME}/.cache/supertuxkart
 whitelist ${HOME}/.local/share/supertuxkart
 whitelist /usr/share/supertuxkart
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -42,6 +43,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index 881fbf49e..7984702f3 100644
--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -33,7 +33,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink,packet
+protocol unix,inet,inet6,netlink,packet,bluetooth
 seccomp
 
 disable-mnt
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 8e0741458..5be834fb0 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -20,10 +20,10 @@ nodvd
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 
 disable-mnt
 private-cache
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 6e4bb50d4..2e7b69cec 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -6,6 +6,8 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
 
+ignore whitelist-runuser-common.inc
+
 # writable-run-user and dbus are needed by enigmail
 ignore dbus-user none
 ignore dbus-system none
@@ -58,7 +60,5 @@ novideo
 # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
 
-read-only ${HOME}/.config/mimeapps.list
-
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index abbbba6c3..7bb2f3e2d 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -28,12 +28,11 @@ mkdir ${HOME}/.config/totem
 mkdir ${HOME}/.local/share/totem
 whitelist ${HOME}/.config/totem
 whitelist ${HOME}/.local/share/totem
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
+whitelist /usr/share/totem
 include whitelist-common.inc
+include whitelist-players.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
@@ -57,4 +56,4 @@ private-tmp
 
 # makes settings immutable
 # dbus-user none
-# dbus-system none
+dbus-system none
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 9d2e8e990..d601f0f15 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 363c685e0..8dbbfcc62 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -14,6 +14,7 @@ whitelist ${HOME}/.config/transmission-daemon
 whitelist /var/lib/transmission
 
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
+protocol unix,inet,inet6,packet
 
 private-bin transmission-daemon
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
new file mode 100644
index 000000000..a8641af85
--- /dev/null
+++ b/etc/profile-m-z/trojita.profile
@@ -0,0 +1,63 @@
+# Firejail profile for trojita
+# Description: Qt mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include trojita.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.abook
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.cache/flaska.net/trojita
+noblacklist ${HOME}/.config/flaska.net
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.abook
+mkdir ${HOME}/.cache/flaska.net/trojita
+mkdir ${HOME}/.config/flaska.net
+whitelist ${HOME}/.abook
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/.cache/flaska.net/trojita
+whitelist ${HOME}/.config/flaska.net
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin trojita
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-m-z/tshark.profile b/etc/profile-m-z/tshark.profile
index 684a9491d..a5cefb47a 100644
--- a/etc/profile-m-z/tshark.profile
+++ b/etc/profile-m-z/tshark.profile
@@ -1,46 +1,6 @@
 # Firejail profile for tshark
 # This file is overwritten after every install/update
 quiet
-# Persistent local customizations
-include tshark.local
-# Persistent global definitions
-include globals.local
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist /usr/share/wireshark
-include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-#caps.keep net_raw
-caps.keep dac_override,net_admin,net_raw
-ipc-namespace
-#net tun0
-netfilter
-no3d
-nodvd
-# nogroups - breaks network traffic capture for unprivileged users
-# nonewprivs - breaks network traffic capture for unprivileged users
-# noroot
-nosound
-notv
-nou2f
-novideo
-#protocol unix,inet,inet6,netlink,packet
-#seccomp
-
-disable-mnt
-#private
-private-cache
-#private-bin tshark
-private-dev
-private-tmp
+# Redirect
+include wireshark.profile
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
new file mode 100644
index 000000000..3c50344f1
--- /dev/null
+++ b/etc/profile-m-z/twitch.profile
@@ -0,0 +1,36 @@
+# Firejail profile for twitch
+# Description: Unofficial electron based desktop warpper for Twitch
+# This file is overwritten after every install/update
+# Persistent local customizations
+include twitch.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Twitch
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc 
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Twitch
+whitelist ${HOME}/.config/Twitch
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin twitch
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt Twitch
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 12bef5d1f..7a49ad88a 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -26,6 +26,7 @@ mkdir ${HOME}/VirtualBox VMs
 whitelist ${HOME}/.config/VirtualBox
 whitelist ${HOME}/VirtualBox VMs
 whitelist ${DOWNLOADS}
+whitelist /usr/share/virtualbox
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/vivaldi-beta.profile b/etc/profile-m-z/vivaldi-beta.profile
index 5de5682a3..0d80167f3 100644
--- a/etc/profile-m-z/vivaldi-beta.profile
+++ b/etc/profile-m-z/vivaldi-beta.profile
@@ -1,5 +1,7 @@
-# Firejail profile alias for vivaldi
+# Firejail profile for vivaldi-beta
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-beta.local
 
 # Redirect
 include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi-snapshot.profile b/etc/profile-m-z/vivaldi-snapshot.profile
index ea4a4009f..543f206af 100644
--- a/etc/profile-m-z/vivaldi-snapshot.profile
+++ b/etc/profile-m-z/vivaldi-snapshot.profile
@@ -2,16 +2,6 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vivaldi-snapshot.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.cache/vivaldi-snapshot
-noblacklist ${HOME}/.config/vivaldi-snapshot
-
-mkdir ${HOME}/.cache/vivaldi-snapshot
-mkdir ${HOME}/.config/vivaldi-snapshot
-whitelist ${HOME}/.cache/vivaldi-snapshot
-whitelist ${HOME}/.config/vivaldi-snapshot
 
 # Redirect
-include chromium-common.profile
+include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi-stable.profile b/etc/profile-m-z/vivaldi-stable.profile
index 5de5682a3..94b2cd76c 100644
--- a/etc/profile-m-z/vivaldi-stable.profile
+++ b/etc/profile-m-z/vivaldi-stable.profile
@@ -1,5 +1,7 @@
-# Firejail profile alias for vivaldi
+# Firejail profile for vivaldi-stable
 # This file is overwritten after every install/update
+# Persistent local customizations
+include vivaldi-stable.local
 
 # Redirect
 include vivaldi.profile
diff --git a/etc/profile-m-z/vivaldi.profile b/etc/profile-m-z/vivaldi.profile
index 096ce8a72..cd06b7f4c 100644
--- a/etc/profile-m-z/vivaldi.profile
+++ b/etc/profile-m-z/vivaldi.profile
@@ -13,16 +13,24 @@ whitelist /var/opt/vivaldi
 writable-var
 
 noblacklist ${HOME}/.cache/vivaldi
+noblacklist ${HOME}/.cache/vivaldi-snapshot
 noblacklist ${HOME}/.config/vivaldi
+noblacklist ${HOME}/.config/vivaldi-snapshot
 noblacklist ${HOME}/.local/lib/vivaldi
 
 mkdir ${HOME}/.cache/vivaldi
+mkdir ${HOME}/.cache/vivaldi-snapshot
 mkdir ${HOME}/.config/vivaldi
+mkdir ${HOME}/.config/vivaldi-snapshot
 mkdir ${HOME}/.local/lib/vivaldi
 whitelist ${HOME}/.cache/vivaldi
+whitelist ${HOME}/.cache/vivaldi-snapshot
 whitelist ${HOME}/.config/vivaldi
+whitelist ${HOME}/.config/vivaldi-snapshot
 whitelist ${HOME}/.local/lib/vivaldi
 
+#private-bin bash,cat,dirname,readlink,rm,vivaldi,vivaldi-stable,vivaldi-snapshot
+
 # breaks vivaldi sync
 ignore dbus-user none
 ignore dbus-system none
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index 07a1b5fc0..fc8efe089 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/vlc
 noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/aacs
 noblacklist ${HOME}/.local/share/vlc
 
 include disable-common.inc
@@ -23,13 +24,10 @@ mkdir ${HOME}/.config/vlc
 mkdir ${HOME}/.local/share/vlc
 whitelist ${HOME}/.cache/vlc
 whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.config/aacs
 whitelist ${HOME}/.local/share/vlc
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-var-common.inc
 
 #apparmor - on Ubuntu 18.04 it refuses to start without dbus access
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 720b69773..493c53936 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -34,6 +34,6 @@ shell none
 tracelog
 
 #disable-mnt
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+#private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index bd33edd6a..0e172333a 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -7,6 +7,11 @@ include w3m.local
 # Persistent global definitions
 include globals.local
 
+# Uncomment or add to your w3m.local if you want to use w3m-img on a vconsole
+#ignore nogroups
+#ignore private-dev
+#ignore private-etc
+
 noblacklist ${HOME}/.w3m
 
 blacklist /tmp/.X11-unix
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index d8cd5557e..178e0c7b1 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -24,7 +24,10 @@ mkdir ${HOME}/.cache/warsow-2.1
 mkdir ${HOME}/.local/share/warsow-2.1
 whitelist ${HOME}/.cache/warsow-2.1
 whitelist ${HOME}/.local/share/warsow-2.1
+whitelist /usr/share/warsow
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index cdb8f0b93..8a64d2d73 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -44,6 +44,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 2af1379e0..a9cecb18d 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -39,6 +39,7 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 8f6014dc3..d265c6bae 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -27,7 +27,7 @@ seccomp !chroot
 shell none
 
 disable-mnt
-private-bin bash,electron,electron4,electron6,env,sh,wire-desktop
+private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index a30cb43d5..6a84246e1 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -38,8 +38,8 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6,netlink
-# seccomp - breaks network traffic capture for unprivileged users
+# protocol unix,inet,inet6,netlink,packet,bluetooth - commented out in case they bring in new protocols
+seccomp
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index b842b5307..0c6969e09 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -36,6 +36,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
new file mode 100644
index 000000000..a52858870
--- /dev/null
+++ b/etc/profile-m-z/xournalpp.profile
@@ -0,0 +1,29 @@
+# Firejail profile for xournalpp
+# Description: Handwriting note-taking software with PDF annotation support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include xournalpp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.xournalpp
+
+include allow-lua.inc
+
+whitelist /usr/share/texlive
+whitelist /usr/share/xournalpp
+whitelist /var/lib/texmf
+include whitelist-runuser-common.inc
+
+#mkdir ${HOME}/.xournalpp
+#whitelist ${HOME}/.xournalpp
+#whitelist ${HOME}/.texlive2019
+#whitelist ${DOCUMENTS}
+#include whitelist-common.inc
+
+private-bin kpsewhich,pdflatex,xournalpp
+private-etc latexmk.conf,texlive
+
+# Redirect
+include xournal.profile
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index 555d8e9a4..d22d04818 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -24,12 +24,8 @@ mkdir ${HOME}/.config/xplayer
 mkdir ${HOME}/.local/share/xplayer
 whitelist ${HOME}/.config/xplayer
 whitelist ${HOME}/.local/share/xplayer
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
diff --git a/etc/profile-m-z/yandex-browser.profile b/etc/profile-m-z/yandex-browser.profile
index 680bef677..81cd021f7 100644
--- a/etc/profile-m-z/yandex-browser.profile
+++ b/etc/profile-m-z/yandex-browser.profile
@@ -5,6 +5,11 @@ include yandex-browser.local
 # Persistent global definitions
 include globals.local
 
+# Disable for now, see https://www.tutorialspoint.com/difference-between-void-main-and-int-main-in-c-cplusplus
+ignore whitelist /usr/share/chromium
+ignore include whitelist-runuser-common.inc
+ignore include whitelist-usr-share-common.inc
+
 noblacklist ${HOME}/.cache/yandex-browser
 noblacklist ${HOME}/.cache/yandex-browser-beta
 noblacklist ${HOME}/.config/yandex-browser
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index fd95ceb04..3ba1dca1a 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -20,7 +20,9 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
 whitelist /usr/share/doc
+whitelist /usr/share/groff
 whitelist /usr/share/help
+whitelist /usr/share/man
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-tools
 whitelist /usr/share/yelp-xsl
@@ -41,14 +43,15 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
-private-bin yelp
+private-bin groff,man,tbl,troff,yelp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
 private-tmp
 
 dbus-system none
@@ -59,3 +62,4 @@ dbus-system none
 #  1. yelp --editor-mode
 #  2. saving the window geometry
 read-only ${HOME}
+read-write ${HOME}/.cache
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index db3535f78..d9dee6891 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -52,6 +52,7 @@ nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index 513cb0f6e..a3a2afa29 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -7,10 +7,6 @@ include youtube-viewer.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-blacklist ${RUNUSER}
-
 noblacklist ${HOME}/.config/youtube-viewer
 
 include allow-perl.inc
@@ -47,11 +43,11 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,smplayer,sh,which,vlc,youtube-dl,youtube-viewer
+private-bin ffmpeg,ffprobe,firefox,gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,mpv,python*,sh,smplayer,stty,vlc,which,youtube-dl,youtube-viewer
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 dbus-user none
-dbus-system none
\ No newline at end of file
+dbus-system none
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
new file mode 100644
index 000000000..a6c7750a9
--- /dev/null
+++ b/etc/profile-m-z/youtube.profile
@@ -0,0 +1,37 @@
+# Firejail profile for youtube
+# Description: Unofficial electron based desktop warpper for YouTube
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Youtube
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc 
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Youtube
+whitelist ${HOME}/.config/Youtube
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+novideo
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin youtube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt Youtube
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
new file mode 100644
index 000000000..3a94a5707
--- /dev/null
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -0,0 +1,38 @@
+# Firejail profile for youtubemusic-nativefier
+# Description: Unofficial electron based desktop warpper for YouTube Music
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-shell.inc 
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtubemusic-nativefier-040164
+whitelist ${HOME}/.config/youtubemusic-nativefier-040164
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+nou2f
+novideo
+seccomp !chroot
+shell none
+
+disable-mnt
+private-bin youtubemusic-nativefier
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-opt youtubemusic-nativefier
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
new file mode 100644
index 000000000..5c37b838b
--- /dev/null
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -0,0 +1,39 @@
+# Firejail profile for ytmdesktop
+# Description: Unofficial electron based desktop warpper for YouTube Music
+# This file is overwritten after every install/update
+# Persistent local customizations
+include youtube.local
+# Persistent global definitions
+include globals.local
+
+ignore dbus-user none
+
+noblacklist ${HOME}/.config/youtube-music-desktop-app
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/youtube-music-desktop-app
+whitelist ${HOME}/.config/youtube-music-desktop-app
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+nou2f
+novideo
+seccomp !chroot
+shell none
+
+disable-mnt
+# private-bin env,ytmdesktop
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+# private-opt 
+private-tmp
+
+# Redirect
+include electron.profile
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index b3125ee50..f175e5e21 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -1,4 +1,5 @@
 # Firejail profile for zoom
+# Description: Video Conferencing and Web Conferencing Service
 # This file is overwritten after every install/update
 # Persistent local customizations
 include zoom.local
@@ -30,7 +31,7 @@ include whitelist-var-common.inc
 caps.drop all
 netfilter
 nodvd
-nogroups
+#nogroups - breaks webcam access (see #3711)
 nonewprivs
 noroot
 notv
@@ -43,5 +44,6 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+# Disable for now, see https://github.com/netblue30/firejail/issues/3726
+#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 02d9fa076..3d37fc827 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -110,6 +110,7 @@ include globals.local
 #include disable-passwdmgr.inc
 #include disable-programs.inc
 #include disable-shell.inc
+#include disable-write-mnt.inc
 #include disable-xdg.inc
 
 # This section often mirrors noblacklist section above. The idea is
@@ -156,6 +157,7 @@ include globals.local
 #seccomp
 ##seccomp !chroot
 ##seccomp.drop SYSCALLS (see syscalls.txt)
+#seccomp.block-secondary
 #shell none
 #tracelog
 # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index ea3b5a6b0..c454887dd 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
@@ -62,15 +62,14 @@ Inheritance of groups
 
 +---------------+
 | @default-keep |
-| @mount        |
 +---------------+
 
 +----------------+  +---------+  +--------+  +--------------+
 | @cpu-emulation |  | @clock  |  | @chown |  | @aio         |
 | @debug         |  | @module |  +--------+  | @basic-io    |
 | @obsolete      |  | @raw-io |     :  :     | @file-system |
-+----------------+  | @reboot |     :  :     | @io-event    |
-   :                | @swap   |     :  :     | @ipc         |
+| @mount         |  | @reboot |     :  :     | @io-event    |
++----------------+  | @swap   |     :  :     | @ipc         |
    :                +---------+     :  :     | @keyring     |
    :                  :  :          :  :     | @memlock     |
    :    ..............:  :          :  :     | @network-io  |
diff --git a/mkman.sh b/mkman.sh
index b8e7e58eb..6ca96d331 100755
--- a/mkman.sh
+++ b/mkman.sh
@@ -3,6 +3,8 @@
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
 
+set -e
+
 sed "s/VERSION/$1/g" $2 > $3
 MONTH=`LC_ALL=C date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b`
 sed -i "s/MONTH/$MONTH/g" $3
diff --git a/platform/debian/control.amd64 b/platform/debian/control.amd64
index 3d654acd0..f666200d5 100644
--- a/platform/debian/control.amd64
+++ b/platform/debian/control.amd64
@@ -1,7 +1,7 @@
 Package: firejail
 Version: FIREJAILVER-1
 Architecture: amd64
-Maintainer: netblue30 <netblue30@yahoo.com>
+Maintainer: netblue30 <netblue30@protonmail.com>
 Installed-Size: 2024
 Depends: libc6
 Suggests: python, python3
diff --git a/platform/debian/control.i386 b/platform/debian/control.i386
index 300c20db9..ab9e0fc52 100644
--- a/platform/debian/control.i386
+++ b/platform/debian/control.i386
@@ -1,7 +1,7 @@
 Package: firejail
 Version: FIREJAILVER-1
 Architecture: i386
-Maintainer: netblue30 <netblue30@yahoo.com>
+Maintainer: netblue30 <netblue30@protonmail.com>
 Installed-Size: 2024
 Depends: libc6
 Suggests: python, python3
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index 2bdead7a8..c9b90dbe3 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -44,7 +44,7 @@ sed -e "s/__NAME__/${name}/g" \
 # FIXME: We could parse RELNOTES and create a %changelog section here
 
 # Copy the source to build into a tarball
-tar --exclude='./.git*' --exclude='./test' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz .
+tar --exclude='./.git*' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz .
 
 # Build the files (rpm, debug rpm and source rpm)
 rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}
diff --git a/src/common.mk.in b/src/common.mk.in
index 8104bc258..b8a13cd1b 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -9,8 +9,6 @@ sysconfdir=@sysconfdir@
 
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_NETWORK=@HAVE_NETWORK@
@@ -25,6 +23,8 @@ HAVE_FIRETUNNEL=@HAVE_FIRETUNNEL@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_GCOV=@HAVE_GCOV@
 HAVE_SELINUX=@HAVE_SELINUX@
+HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
+HAVE_USERTMPFS=@HAVE_USERTMPFS@
 
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
@@ -34,9 +34,10 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
-CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+CFLAGS += $(MANFLAGS)
+CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 ifdef NO_EXTRA_CFLAGS
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index beaa5ac46..2a3c282d7 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -91,7 +91,7 @@ static char *test_dbus_env(char *env_var_name) {
                         if (!found)
                                 errExit("strdup");
                 }
-                else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
+                else if (strstr(bus, "tcp:host=") != NULL)
                         printf("UGLY: %s bus configured for TCP communication.\n", env_var_name);
                 else
                         printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name);
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 0574daae6..8794076c6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -70,6 +70,7 @@ autokey-shell
 aweather
 baloo_file
 baloo_filemetadata_temp_extractor
+balsa
 baobab
 barrier
 basilisk
@@ -118,6 +119,8 @@ cheese
 cherrytree
 chromium
 chromium-browser
+chromium-browser-privacy
+chromium-freeworld
 cin
 cinelerra
 clamdscan
@@ -135,6 +138,7 @@ clocks
 cmus
 code
 code-oss
+cola
 com.github.dahenson.agenda
 com.github.johnfactotum.Foliate
 com.gitlab.newsflash
@@ -194,6 +198,7 @@ eog
 eom
 ephemeral
 #epiphany
+equalx
 et
 etr
 evince
@@ -229,6 +234,7 @@ font-manager
 fontforge
 fossamail
 four-in-a-row
+fractal
 franz
 freecad
 freecadcmd
@@ -302,6 +308,7 @@ gnome-recipes
 gnome-robots
 gnome-schedule
 gnome-screenshot
+gnome-sound-recorder
 gnome-sudoku
 gnome-system-log
 gnome-taquin
@@ -327,6 +334,7 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
+gtk-straw-viewer
 gtk-youtube-viewer
 gtk2-youtube-viewer
 gtk3-youtube-viewer
@@ -373,6 +381,7 @@ kalgebra
 kalgebramobile
 karbon
 kate
+kazam
 kcalc
 # kdeinit4
 kdenlive
@@ -403,6 +412,7 @@ krita
 # krunner
 ktorrent
 ktouch
+kube
 # kwin_x11
 kwrite
 leafpad
@@ -437,6 +447,7 @@ lynx
 lyx
 macrofusion
 magicor
+# man
 manaplus
 masterpdfeditor
 masterpdfeditor4
@@ -455,6 +466,7 @@ megaglest_editor
 meld
 mencoder
 mendeleydesktop
+menulibre
 meteo-qt
 midori
 min
@@ -462,6 +474,7 @@ mindless
 minecraft-launcher
 minetest
 minitube
+mirage
 mirrormagic
 mocp
 mousepad
@@ -502,6 +515,7 @@ mupdf-x11-curl
 mupen64plus
 muraster
 musescore
+musictube
 musixmatch
 mutool
 mutt
@@ -534,6 +548,7 @@ ocenaudio
 odt2txt
 oggsplt
 okular
+onboard
 onionshare-gui
 ooffice
 ooviewdoc
@@ -585,6 +600,7 @@ pragha
 presentations18
 presentations18free
 profanity
+psi
 psi-plus
 pybitmessage
 # pycharm-community - FB note: may enable later
@@ -600,6 +616,7 @@ qt-faststart
 qtox
 quadrapassel
 quassel
+quaternion
 quiterss
 qupzilla
 qutebrowser
@@ -647,11 +664,14 @@ slack
 slashem
 smplayer
 smtube
+smuxi-frontend-gnome
 snox
 soffice
 sol
 sound-juicer
 soundconverter
+spectacle
+spectral
 spotify
 sqlitebrowser
 ssh
@@ -663,6 +683,7 @@ steam-native
 steam-runtime
 stellarium
 strawberry
+straw-viewer
 strings
 studio.sh
 subdownloader
@@ -737,10 +758,12 @@ transmission-remote-cli
 transmission-remote-gtk
 transmission-show
 tremulous
+trojita
 truecraft
 tshark
 tuxguitar
 tvbrowser
+twitch
 udiskie
 uefitool
 uget-gtk
@@ -807,6 +830,7 @@ xonotic-glx
 xonotic-sdl
 xonotic-sdl-wrapper
 xournal
+xournalpp
 xpdf
 xplayer
 xplayer-audio-preview
@@ -818,8 +842,11 @@ xreader-thumbnailer
 xviewer
 yandex-browser
 yelp
+youtube
 youtube-dl
 youtube-viewer
+youtubemusic-nativefier
+ytmdesktop
 zaproxy
 zart
 zathura
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index f88d0a1dd..69d872110 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -105,8 +105,7 @@ void arp_announce(const char *dev, Bridge *br) {
         if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0)
                 errExit("socket");
 
-        int len;
-        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
+        if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0)
                 errExit("send");
         fflush(0);
         close(sock);
@@ -177,8 +176,7 @@ int arp_check(const char *dev, uint32_t destaddr) {
         if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0)
                 errExit("socket");
 
-        int len;
-        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
+        if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0)
                 errExit("send");
         fflush(0);
 
@@ -201,7 +199,7 @@ int arp_check(const char *dev, uint32_t destaddr) {
                                 close(sock);
                                 return 0;
                         }
-                        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
+                        if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0)
                                 errExit("send");
                         ts.tv_sec = 0; // 0.5 seconds wait time
                         ts.tv_usec = 500000;
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f6b3b3252..085221464 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -226,7 +226,6 @@ int checkcfg(int val) {
 
                         // seccomp error action
                         else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
-#ifdef HAVE_SECCOMP
                                 if (strcmp(ptr + 21, "kill") == 0)
                                         cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
                                 else if (strcmp(ptr + 21, "log") == 0)
@@ -239,9 +238,6 @@ int checkcfg(int val) {
                                 config_seccomp_error_action_str = strdup(ptr + 21);
                                 if (!config_seccomp_error_action_str)
                                         errExit("strdup");
-#else
-                                warning_feature_disabled("seccomp");
-#endif
                         }
 
                         else
@@ -299,6 +295,14 @@ void print_compiletime_support(void) {
 #endif
                 );
 
+        printf("\t- D-BUS proxy support is %s\n",
+#ifdef HAVE_DBUSPROXY
+                "enabled"
+#else
+                "disabled"
+#endif
+                );
+
         printf("\t- file and directory whitelisting support is %s\n",
 #ifdef HAVE_WHITELIST
                 "enabled"
@@ -347,8 +351,8 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- seccomp-bpf support is %s\n",
-#ifdef HAVE_SECCOMP
+        printf("\t- private-cache and tmpfs as user %s\n",
+#ifdef HAVE_USERTMPFS
                 "enabled"
 #else
                 "disabled"
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 5fc6c8298..cfa32d1d3 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -26,7 +26,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 
@@ -35,13 +35,12 @@ void fs_check_chroot_dir(void) {
         EUID_ASSERT();
         assert(cfg.chrootdir);
         if (strstr(cfg.chrootdir, "..") ||
-            is_link(cfg.chrootdir) ||
-            !is_dir(cfg.chrootdir))
+            is_link(cfg.chrootdir))
                 goto errout;
 
         // check chroot dirname exists, chrooting into the root directory is not allowed
         char *rpath = realpath(cfg.chrootdir, NULL);
-        if (rpath == NULL || strcmp(rpath, "/") == 0)
+        if (rpath == NULL || !is_dir(rpath) || strcmp(rpath, "/") == 0)
                 goto errout;
 
         char *overlay;
@@ -52,6 +51,7 @@ void fs_check_chroot_dir(void) {
                 exit(1);
         }
         free(overlay);
+
         cfg.chrootdir = rpath;
         return;
 
@@ -60,27 +60,33 @@ errout:
         exit(1);
 }
 
-// copy /etc/resolv.conf in chroot directory
-static void copy_resolvconf(int parentfd) {
-        int in = open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC);
+// copy /etc/resolv.conf or /etc/machine-id in chroot directory
+static void update_file(int parentfd, const char *relpath) {
+        assert(relpath && relpath[0] && relpath[0] != '/');
+
+        char *abspath;
+        if (asprintf(&abspath, "/%s", relpath) == -1)
+                errExit("asprintf");
+        int in = open(abspath, O_RDONLY|O_CLOEXEC);
+        free(abspath);
         if (in == -1)
                 goto errout;
+
         struct stat src;
         if (fstat(in, &src) == -1)
                 errExit("fstat");
-        // try to detect if resolv.conf has been bind mounted into the chroot
-        // do nothing in this case in order to not unlink the real file
+        // try to detect if file has been bind mounted into the chroot
         struct stat dst;
-        if (fstatat(parentfd, "etc/resolv.conf", &dst, 0) == 0) {
+        if (fstatat(parentfd, relpath, &dst, 0) == 0) {
                 if (src.st_dev == dst.st_dev && src.st_ino == dst.st_ino) {
                         close(in);
                         return;
                 }
         }
         if (arg_debug)
-                printf("Updating /etc/resolv.conf in chroot\n");
-        unlinkat(parentfd, "etc/resolv.conf", 0);
-        int out = openat(parentfd, "etc/resolv.conf", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                printf("Updating chroot /%s\n", relpath);
+        unlinkat(parentfd, relpath, 0);
+        int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
         if (out == -1) {
                 close(in);
                 goto errout;
@@ -92,12 +98,12 @@ static void copy_resolvconf(int parentfd) {
         return;
 
 errout:
-        fwarning("/etc/resolv.conf not initialized\n");
+        fwarning("chroot /%s not initialized\n", relpath);
 }
 
 // exit if error
 static void check_subdir(int parentfd, const char *subdir, int check_writable) {
-        assert(subdir);
+        assert(subdir && subdir[0] && subdir[0] != '/');
         struct stat s;
         if (fstatat(parentfd, subdir, &s, AT_SYMLINK_NOFOLLOW) != 0) {
                 fprintf(stderr, "Error: cannot find /%s in chroot directory\n", subdir);
@@ -146,6 +152,7 @@ void fs_chroot(const char *rootdir) {
         check_subdir(parentfd, "etc", 1);
         check_subdir(parentfd, "proc", 0);
         check_subdir(parentfd, "tmp", 0);
+        check_subdir(parentfd, "var", 1);
         check_subdir(parentfd, "var/tmp", 0);
 
         // mount-bind a /dev in rootdir
@@ -186,17 +193,54 @@ void fs_chroot(const char *rootdir) {
                 errExit("mkdir");
         check_subdir(parentfd, "run", 1);
 
+        // pulseaudio; only support for default directory /run/user/$UID/pulse
+        if (getenv("FIREJAIL_CHROOT_PULSE")) {
+                char *pulse;
+                if (asprintf(&pulse, "%s/run/user/%d/pulse", cfg.chrootdir, getuid()) == -1)
+                        errExit("asprintf");
+                char *orig_pulse = pulse + strlen(cfg.chrootdir);
+
+                if (arg_debug)
+                        printf("Mounting %s on chroot %s\n", orig_pulse, orig_pulse);
+                int src = safe_fd(orig_pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (src == -1) {
+                        fprintf(stderr, "Error: cannot open %s\n", orig_pulse);
+                        exit(1);
+                }
+                int dst = safe_fd(pulse, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (dst == -1) {
+                        fprintf(stderr, "Error: cannot open %s\n", pulse);
+                        exit(1);
+                }
+                free(pulse);
+
+                char *proc_src, *proc_dst;
+                if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
+                        errExit("asprintf");
+                if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
+                        errExit("asprintf");
+                if (mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mount bind");
+                free(proc_src);
+                free(proc_dst);
+                close(src);
+                close(dst);
+
+                // update /etc/machine-id in chroot
+                update_file(parentfd, "etc/machine-id");
+        }
+
         // create /run/firejail directory in chroot
-        if (mkdirat(parentfd, RUN_FIREJAIL_DIR+1, 0755) == -1 && errno != EEXIST)
+        if (mkdirat(parentfd, &RUN_FIREJAIL_DIR[1], 0755) == -1 && errno != EEXIST)
                 errExit("mkdir");
-        check_subdir(parentfd, RUN_FIREJAIL_DIR+1, 1);
+        check_subdir(parentfd, &RUN_FIREJAIL_DIR[1], 1);
 
         // create /run/firejail/lib directory in chroot
-        if (mkdirat(parentfd, RUN_FIREJAIL_LIB_DIR+1, 0755) == -1 && errno != EEXIST)
+        if (mkdirat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], 0755) == -1 && errno != EEXIST)
                 errExit("mkdir");
-        check_subdir(parentfd, RUN_FIREJAIL_LIB_DIR+1, 1);
+        check_subdir(parentfd, &RUN_FIREJAIL_LIB_DIR[1], 1);
         // mount lib directory into the chroot
-        fd = openat(parentfd, RUN_FIREJAIL_LIB_DIR+1, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        fd = openat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
         if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
@@ -207,11 +251,11 @@ void fs_chroot(const char *rootdir) {
         close(fd);
 
         // create /run/firejail/mnt directory in chroot
-        if (mkdirat(parentfd, RUN_MNT_DIR+1, 0755) == -1 && errno != EEXIST)
+        if (mkdirat(parentfd, &RUN_MNT_DIR[1], 0755) == -1 && errno != EEXIST)
                 errExit("mkdir");
-        check_subdir(parentfd, RUN_MNT_DIR+1, 1);
+        check_subdir(parentfd, &RUN_MNT_DIR[1], 1);
         // mount the current mnt directory into the chroot
-        fd = openat(parentfd, RUN_MNT_DIR+1, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        fd = openat(parentfd, &RUN_MNT_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
                 errExit("open");
         if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
@@ -222,7 +266,7 @@ void fs_chroot(const char *rootdir) {
         close(fd);
 
         // update chroot resolv.conf
-        copy_resolvconf(parentfd);
+        update_file(parentfd, "etc/resolv.conf");
 
 #ifdef HAVE_GCOV
         __gcov_flush();
@@ -244,15 +288,15 @@ void fs_chroot(const char *rootdir) {
         if (chroot(oroot) < 0)
                 errExit("chroot");
 
-        // create all other /run/firejail files and directories
-        preproc_build_firejail_dir();
-
         // mount a new proc filesystem
         if (arg_debug)
                 printf("Mounting /proc filesystem representing the PID namespace\n");
         if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mounting /proc");
 
+        // create all other /run/firejail files and directories
+        preproc_build_firejail_dir();
+
         // update /var directory in order to support multiple sandboxes running on the same root directory
         //      if (!arg_private_dev)
         //              fs_dev_shm();
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 36d110ac7..3cf75ed84 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -17,6 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
+#ifdef HAVE_DBUSPROXY
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
@@ -555,10 +556,9 @@ void dbus_apply_policy(void) {
                 return;
 
         // --protocol=unix
-#ifdef HAVE_SECCOMP
         if (cfg.protocol && !strstr(cfg.protocol, "unix"))
                 return;
-#endif
 
         fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
 }
+#endif // HAVE_DBUSPROXY
\ No newline at end of file
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c
index 37547a985..456bba91b 100644
--- a/src/firejail/dhcp.c
+++ b/src/firejail/dhcp.c
@@ -130,7 +130,9 @@ static void dhcp_waitll_all() {
                 dhcp_waitll(cfg.bridge3.devsandbox);
 }
 
-void dhcp_start(void) {
+// Temporarily copy dhclient executable under /run/firejail/mnt and start it from there
+// in order to recognize it later in firemon and firetools
+void dhcp_store_exec(void) {
         if (!any_dhcp())
                 return;
 
@@ -144,6 +146,26 @@ void dhcp_start(void) {
                 }
         }
 
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
+}
+
+void dhcp_start(void) {
+        if (!any_dhcp())
+                return;
+
+        char *dhclient_path = RUN_MNT_DIR "/dhclient";;
+        struct stat s;
+        if (stat(dhclient_path, &s) == -1) {
+                dhclient_path = "/usr/sbin/dhclient";
+                if (stat(dhclient_path, &s) == -1) {
+                        fprintf(stderr, "Error: dhclient was not found.\n");
+                        exit(1);
+                }
+        }
+
+        sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", dhclient_path, RUN_MNT_DIR);
+        dhclient_path = RUN_MNT_DIR "/dhclient";
+
         EUID_ROOT();
         if (mkdir(RUN_DHCLIENT_DIR, 0700))
                 errExit("mkdir");
@@ -163,4 +185,6 @@ void dhcp_start(void) {
                         exit(1);
                 }
         }
+
+        unlink(dhclient_path);
 }
diff --git a/src/firejail/env.c b/src/firejail/env.c
index a8b344544..d74cebb39 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -158,7 +158,7 @@ void env_defaults(void) {
         }
 
         // set the window title
-        if (!arg_quiet)
+        if (!arg_quiet && isatty(STDOUT_FILENO))
                 printf("\033]0;firejail %s\007", cfg.window_title);
 
         // pass --quiet as an environment variable, in case the command calls further firejailed commands
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 85139d75f..6c0ebcd43 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -370,8 +370,9 @@ void check_user_namespace(void);
 char *guess_shell(void);
 
 // sandbox.c
+#define SANDBOX_DONE '1'
 int sandbox(void* sandbox_arg);
-void start_application(int no_sandbox, FILE *fp) __attribute__((noreturn));
+void start_application(int no_sandbox, char *set_sandbox_status) __attribute__((noreturn));
 void set_apparmor(void);
 
 // network_main.c
@@ -866,6 +867,7 @@ void dbus_apply_policy(void);
 // dhcp.c
 extern pid_t dhclient4_pid;
 extern pid_t dhclient6_pid;
+void dhcp_store_exec(void);
 void dhcp_start(void);
 
 // selinux.c
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 2000ffc62..65f53bf76 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,7 +162,13 @@ static void disable_file(OPERATION op, const char *filename) {
         }
         else if (op == MOUNT_TMPFS) {
                 if (S_ISDIR(s.st_mode)) {
-                        fs_tmpfs(fname, 0);
+                        if (getuid() &&
+                           (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+                            fname[strlen(cfg.homedir)] != '/')) {
+                                fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
+                                exit(1);
+                        }
+                        fs_tmpfs(fname, getuid());
                         last_disable = SUCCESSFUL;
                 }
                 else
@@ -443,7 +449,7 @@ void fs_blacklist(void) {
 void fs_tmpfs(const char *dir, unsigned check_owner) {
         assert(dir);
         if (arg_debug)
-                printf("Mounting tmpfs on %s\n", dir);
+                printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
         // get a file descriptor for dir, fails if there is any symlink
         int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
         if (fd == -1)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 00edc5f88..3950ea2fd 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -244,6 +244,8 @@ void fs_private_dev(void){
                                 errExit("mounting /dev/log");
                         fs_logger("clone /dev/log");
                 }
+                if (mount(RUN_RO_FILE, RUN_DEVLOG_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                        errExit("blacklisting " RUN_DEVLOG_FILE);
         }
 
         // bring forward the current /dev/shm directory if necessary
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 64444bba2..5cfd33b42 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -378,6 +378,9 @@ void fs_private_lib(void) {
         // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail
         fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable
 
+        // install libraries needed by fcopy
+        fslib_install_list(PATH_FCOPY);
+
         fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries",
                 dir_cnt, (dir_cnt == 1)? "directory": "directories");
 
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 14eea4612..ca8b8c4bf 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -292,7 +292,7 @@ static void extract_umask(pid_t pid) {
                 fprintf(stderr, "Error: cannot open umask file\n");
                 exit(1);
         }
-        if (fscanf(fp, "%3o", &orig_umask) < 1) {
+        if (fscanf(fp, "%o", &orig_umask) != 1) {
                 fprintf(stderr, "Error: cannot read umask\n");
                 exit(1);
         }
@@ -303,66 +303,33 @@ static void extract_umask(pid_t pid) {
 // it is no firejail sandbox at all, return true if the sandbox is complete
 bool is_ready_for_join(const pid_t pid) {
         EUID_ASSERT();
-        // check if a file "ready-for-join" exists
+        // check if a file /run/firejail/mnt/join exists
         char *fname;
-        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1)
+        if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_JOIN_FILE) == -1)
                 errExit("asprintf");
         EUID_ROOT();
-        FILE *fp = fopen(fname, "re");
+        int fd = open(fname, O_RDONLY|O_CLOEXEC);
         EUID_USER();
         free(fname);
-        if (!fp)
-                return false;
-        // regular file owned by root
-        int fd = fileno(fp);
         if (fd == -1)
-                errExit("fileno");
+                return false;
         struct stat s;
         if (fstat(fd, &s) == -1)
                 errExit("fstat");
         if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
-                fclose(fp);
+                close(fd);
                 return false;
         }
-        // check if it is non-empty
-        char buf[BUFLEN];
-        if (fgets(buf, BUFLEN, fp) == NULL) {
-                fclose(fp);
-                return false;
+        char status;
+        if (read(fd, &status, 1) == 1 && status == SANDBOX_DONE) {
+                close(fd);
+                return true;
         }
-        fclose(fp);
-        // confirm "ready" string was written
-        if (strcmp(buf, "ready\n") != 0)
-                return false;
-
-        // walk down the process tree a few nodes, there should be no firejail leaf
-#define MAXNODES 5
-        pid_t current = pid, next;
-        int i;
-        for (i = 0; i < MAXNODES; i++) {
-                if (find_child(current, &next) == 1) {
-                        // found a leaf
-                        EUID_ROOT();
-                        char *comm = pid_proc_comm(current);
-                        EUID_USER();
-                        if (!comm) {
-                                fprintf(stderr, "Error: cannot read /proc file\n");
-                                exit(1);
-                        }
-                        if (strcmp(comm, "firejail") == 0) {
-                                free(comm);
-                                return false;
-                        }
-                        free(comm);
-                        break;
-                }
-                current = next;
-        }
-
-        return true;
+        close(fd);
+        return false;
 }
 
-#define SNOOZE 100000 // sleep interval in microseconds
+#define SNOOZE 10000 // sleep interval in microseconds
 void check_join_permission(pid_t pid) {
         // check if pid belongs to a fully set up firejail sandbox
         unsigned long i;
@@ -498,10 +465,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 EUID_ROOT();
                 if (apply_caps == 1)    // not available for uid 0
                         caps_set(caps);
-#ifdef HAVE_SECCOMP
                 if (getuid() != 0)
                         seccomp_load_file_list();
-#endif
 
                 // mount user namespace or drop privileges
                 if (arg_noroot) {       // not available for uid 0
@@ -580,12 +545,14 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         free(display_str);
                 }
 
+#ifdef HAVE_DBUSPROXY
                 // set D-Bus environment variables
                 struct stat s;
                 if (stat(RUN_DBUS_USER_SOCKET, &s) == 0)
                         dbus_set_session_bus_env();
                 if (stat(RUN_DBUS_SYSTEM_SOCKET, &s) == 0)
                         dbus_set_system_bus_env();
+#endif
 
                 start_application(0, NULL);
 
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index ebd65cdd3..e61edf427 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -49,6 +49,7 @@ static void print_file_or_dir(const char *path, const char *fname) {
                         return;
                 }
         }
+        free(name);
 
         // permissions
         if (S_ISLNK(s.st_mode))
@@ -172,10 +173,11 @@ static void print_directory(const char *path) {
         if (n < 0)
                         errExit("scandir");
         else {
-                for (i = 0; i < n; i++) {
+                for (i = 0; i < n; i++)
                         print_file_or_dir(path, namelist[i]->d_name);
+                // get rid of false psitive reported by GCC -fanalyze
+                for (i = 0; i < n; i++)
                         free(namelist[i]);
-                }
         }
         free(namelist);
 }
@@ -333,35 +335,23 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 errExit("asprintf");
 
         if (op == SANDBOX_FS_LS || op == SANDBOX_FS_CAT) {
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        EUID_ROOT();
-                        // chroot
-                        if (chroot(rootdir) < 0)
-                                errExit("chroot");
-                        if (chdir("/") < 0)
-                                errExit("chdir");
+                EUID_ROOT();
+                // chroot
+                if (chroot(rootdir) < 0)
+                        errExit("chroot");
+                if (chdir("/") < 0)
+                        errExit("chdir");
 
-                        // drop privileges
-                        drop_privs(0);
+                // drop privileges
+                drop_privs(0);
 
-                        if (op == SANDBOX_FS_LS)
-                                ls(fname1);
-                        else
-                                cat(fname1);
+                if (op == SANDBOX_FS_LS)
+                        ls(fname1);
+                else
+                        cat(fname1);
 #ifdef HAVE_GCOV
-                        __gcov_flush();
+                __gcov_flush();
 #endif
-                        _exit(0);
-                }
-                // wait for the child to finish
-                int status = 0;
-                waitpid(child, &status, 0);
-                if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
-                else
-                        exit(1);
         }
         // get file from host and store it in the sandbox
         else if (op == SANDBOX_FS_PUT && path2) {
diff --git a/src/firejail/macros.c b/src/firejail/macros.c
index e52a7a430..2623d794f 100644
--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -208,7 +208,11 @@ char *expand_macros(const char *path) {
 
         // Replace home macro
         char *new_name = NULL;
-        if (strncmp(path, "${HOME}", 7) == 0) {
+        if (strncmp(path, "$HOME", 5) == 0) {
+                fprintf(stderr, "Error: $HOME is not allowed in profile files, please replace it with ${HOME}\n");
+                exit(1);
+        }
+        else if (strncmp(path, "${HOME}", 7) == 0) {
                 if (asprintf(&new_name, "%s%s", cfg.homedir, path + 7) == -1)
                         errExit("asprintf");
                 if(called_as_root)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index df890ecea..676d04895 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -175,7 +175,9 @@ static void myexit(int rv) {
 
 
         // delete sandbox files in shared memory
+#ifdef HAVE_DBUSPROXY
         dbus_proxy_stop();
+#endif
         EUID_ROOT();
         delete_run_files(sandbox_pid);
         appimage_clear();
@@ -479,7 +481,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         //*************************************
         // independent commands - the program will exit!
         //*************************************
-#ifdef HAVE_SECCOMP
         else if (strcmp(argv[i], "--debug-syscalls") == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls");
@@ -529,7 +530,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         exit_err_feature("seccomp");
                 exit(0);
         }
-#endif
         else if (strncmp(argv[i], "--profile.print=", 16) == 0) {
                 pid_t pid = require_pid(argv[i] + 16);
 
@@ -888,19 +888,20 @@ char *guess_shell(void) {
         return shell;
 }
 
+// return argument index
 static int check_arg(int argc, char **argv, const char *argument, int strict) {
         int i;
         int found = 0;
         for (i = 1; i < argc; i++) {
                 if (strict) {
                         if (strcmp(argv[i], argument) == 0) {
-                                found = 1;
+                                found = i;
                                 break;
                         }
                 }
                 else {
                         if (strncmp(argv[i], argument, strlen(argument)) == 0) {
-                                found = 1;
+                                found = i;
                                 break;
                         }
                 }
@@ -950,7 +951,6 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
         (void) native;
 }
 
-#ifdef HAVE_SECCOMP
 static int check_postexec(const char *list) {
         char *prelist, *postlist;
 
@@ -961,7 +961,6 @@ static int check_postexec(const char *list) {
         }
         return 0;
 }
-#endif
 
 //*******************************************
 // Main program
@@ -1005,17 +1004,21 @@ int main(int argc, char **argv, char **envp) {
                         fprintf(stderr, "Error: too long arguments\n");
                         exit(1);
                 }
+                // Also remove requested environment variables
+                // entirely to avoid tripping the length check below
+                if (strncmp(argv[i], "--rmenv=", 8) == 0)
+                        unsetenv(argv[i] + 8);
         }
 
         // sanity check for environment variables
         for (i = 0, ptr = envp; ptr && *ptr && i < MAX_ENVS; i++, ptr++) {
                 if (strlen(*ptr) >= MAX_ENV_LEN) {
-                        fprintf(stderr, "Error: too long environment variables\n");
+                        fprintf(stderr, "Error: too long environment variables, please use --rmenv\n");
                         exit(1);
                 }
         }
         if (i >= MAX_ENVS) {
-                fprintf(stderr, "Error: too many environment variables\n");
+                fprintf(stderr, "Error: too many environment variables, please use --rmenv\n");
                 exit(1);
         }
 
@@ -1048,6 +1051,19 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_USER();
 
+        // --ip=dhcp - we need access to /sbin and /usr/sbin directories in order to run ISC DHCP client (dhclient)
+        // these paths are disabled in disable-common.inc
+        if ((i = check_arg(argc, argv, "--ip", 0)) != 0) {
+                if (strncmp(argv[i] + 4, "=dhcp", 5) == 0) {
+                        profile_add("noblacklist /sbin");
+                        profile_add("noblacklist /usr/sbin");
+                }
+        }
+
+        // for appimages we need to remove "include disable-shell.inc from the profile
+        // a --profile command can show up before --appimage
+        if (check_arg(argc, argv, "--appimage", 1))
+                arg_appimage = 1;
 
         // process allow-debuggers
         if (check_arg(argc, argv, "--allow-debuggers", 1)) {
@@ -1264,11 +1280,10 @@ int main(int argc, char **argv, char **envp) {
                 else if (strcmp(argv[i], "--apparmor") == 0)
                         arg_apparmor = 1;
 #endif
-#ifdef HAVE_SECCOMP
                 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
                                 if (cfg.protocol) {
-                                        fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
+                                        fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
                                 }
                                 else {
                                         // store list
@@ -1402,7 +1417,6 @@ int main(int argc, char **argv, char **envp) {
                         } else
                                 exit_err_feature("seccomp");
                 }
-#endif
                 else if (strcmp(argv[i], "--caps") == 0) {
                         arg_caps_default_filter = 1;
                         arg_caps_cmdline = 1;
@@ -1713,6 +1727,34 @@ int main(int argc, char **argv, char **envp) {
                         }
                 }
 #endif
+                else if (strncmp(argv[i], "--include=", 10) == 0) {
+                        char *ppath = expand_macros(argv[i] + 10);
+                        if (!ppath)
+                                errExit("strdup");
+
+                        char *ptr = ppath;
+                        while (*ptr != '/' && *ptr != '\0')
+                                ptr++;
+                        if (*ptr == '\0') {
+                                if (access(ppath, R_OK)) {
+                                        profile_read(ppath);
+                                }
+                                else {
+                                        // ppath contains no '/' and is not a local file, assume it's a name
+                                        int rv = profile_find_firejail(ppath, 0);
+                                        if (!rv) {
+                                                fprintf(stderr, "Error: no profile with name \"%s\" found.\n", ppath);
+                                                exit(1);
+                                        }
+                                }
+                        }
+                        else {
+                                // ppath contains a '/', assume it's a path
+                                profile_read(ppath);
+                        }
+
+                        free(ppath);
+                }
                 else if (strncmp(argv[i], "--profile=", 10) == 0) {
                         // multiple profile files are allowed!
 
@@ -1958,12 +2000,14 @@ int main(int argc, char **argv, char **envp) {
                 else if (strcmp(argv[i], "--private-tmp") == 0) {
                         arg_private_tmp = 1;
                 }
+#ifdef HAVE_USERTMPFS
                 else if (strcmp(argv[i], "--private-cache") == 0) {
                         if (checkcfg(CFG_PRIVATE_CACHE))
                                 arg_private_cache = 1;
                         else
                                 exit_err_feature("private-cache");
                 }
+#endif
                 else if (strcmp(argv[i], "--private-cwd") == 0) {
                         cfg.cwd = NULL;
                         arg_private_cwd = 1;
@@ -2029,6 +2073,11 @@ int main(int argc, char **argv, char **envp) {
                         arg_dbus_user = DBUS_POLICY_BLOCK;
                         arg_dbus_system = DBUS_POLICY_BLOCK;
                 }
+
+                //*************************************
+                // D-BUS proxy
+                //*************************************
+#ifdef HAVE_DBUSPROXY
                 else if (strncmp("--dbus-user=", argv[i], 12) == 0) {
                         if (strcmp("filter", argv[i] + 12) == 0) {
                                 if (arg_dbus_user == DBUS_POLICY_BLOCK) {
@@ -2166,6 +2215,7 @@ int main(int argc, char **argv, char **envp) {
                         }
                         arg_dbus_log_system = 1;
                 }
+#endif
 
                 //*************************************
                 // network
@@ -2534,6 +2584,7 @@ int main(int argc, char **argv, char **envp) {
                         cfg.timeout = extract_timeout(argv[i] + 10);
                 else if (strcmp(argv[i], "--audit") == 0) {
                         arg_audit_prog = LIBDIR "/firejail/faudit";
+                        profile_add_ignore("shell none");
                         arg_audit = 1;
                 }
                 else if (strncmp(argv[i], "--audit=", 8) == 0) {
@@ -2550,6 +2601,7 @@ int main(int argc, char **argv, char **envp) {
                                 fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog);
                                 exit(1);
                         }
+                        profile_add_ignore("shell none");
                         arg_audit = 1;
                 }
                 else if (strcmp(argv[i], "--appimage") == 0)
@@ -2783,10 +2835,9 @@ int main(int argc, char **argv, char **envp) {
         // check network configuration options - it will exit if anything went wrong
         net_check_cfg();
 
-#ifdef HAVE_SECCOMP
         if (arg_seccomp)
                 arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
-#endif
+
         bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
         if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32))
                 fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n");
@@ -2851,6 +2902,7 @@ int main(int argc, char **argv, char **envp) {
         }
         EUID_USER();
 
+#ifdef HAVE_DBUSPROXY
         if (checkcfg(CFG_DBUS)) {
                 dbus_check_profile();
                 if (arg_dbus_user == DBUS_POLICY_FILTER ||
@@ -2860,6 +2912,7 @@ int main(int argc, char **argv, char **envp) {
                         EUID_USER();
                 }
         }
+#endif
 
         // clone environment
         int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
@@ -3033,17 +3086,27 @@ int main(int argc, char **argv, char **envp) {
         // end of signal-safe code
         //*****************************
 
+#if 0
+// at this point the sandbox was closed and we are on our way out
+// it would make sense to move this before waitpid above to free some memory
+// crash for now as of issue #3662 from dhcp code
         // free globals
         if (cfg.profile) {
                 ProfileEntry *prf = cfg.profile;
                 while (prf != NULL) {
                         ProfileEntry *next = prf->next;
-                        free(prf->data);
-                        free(prf->link);
+printf("data #%s#\n", prf->data);
+                        if (prf->data)
+                                free(prf->data);
+printf("link #%s#\n", prf->link);
+                        if (prf->link)
+                                free(prf->link);
                         free(prf);
                         prf = next;
                 }
         }
+#endif
+
 
         if (WIFEXITED(status)){
                 myexit(WEXITSTATUS(status));
diff --git a/src/firejail/netns.c b/src/firejail/netns.c
index 104453376..7ccff3265 100644
--- a/src/firejail/netns.c
+++ b/src/firejail/netns.c
@@ -60,7 +60,7 @@ void check_netns(const char *nsname) {
                         nsname, control_file, strerror(errno));
                 exit(1);
         }
-        if (!S_ISREG(st.st_mode)) {
+        if (!S_ISREG(st.st_mode) && !S_ISLNK(st.st_mode)) {
                 fprintf(stderr, "Error: invalid netns '%s' (%s: not a regular file)\n",
                         nsname, control_file);
                 exit(1);
diff --git a/src/firejail/network.c b/src/firejail/network.c
index aa05e3bd0..8cdf04947 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -183,7 +183,6 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
         int sock;
         struct rtentry route;
         struct sockaddr_in *addr;
-        int err = 0;
 
         // create the socket
         if((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
@@ -205,7 +204,7 @@ int net_add_route(uint32_t ip, uint32_t mask, uint32_t gw) {
 
         route.rt_flags = RTF_UP | RTF_GATEWAY;
         route.rt_metric = 0;
-        if ((err = ioctl(sock, SIOCADDRT, &route)) != 0) {
+        if (ioctl(sock, SIOCADDRT, &route) != 0) {
                 close(sock);
                 return -1;
         }
diff --git a/src/firejail/paths.c b/src/firejail/paths.c
index f03d98e29..5de704bef 100644
--- a/src/firejail/paths.c
+++ b/src/firejail/paths.c
@@ -45,6 +45,7 @@ static void init_paths(void) {
         paths = calloc(path_cnt, sizeof(char *));
         if (!paths)
                 errExit("calloc");
+        memset(paths, 0, path_cnt * sizeof(char *)); // get rid of false positive error from GCC static analyzer
 
         // fill in 'paths' with pointers to elements of 'path'
         unsigned int i = 0, j;
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index c0b09e945..836526593 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -103,7 +103,6 @@ void preproc_mount_mnt_dir(void) {
                 if (arg_tracefile)
                         fs_tracefile();
 
-#ifdef HAVE_SECCOMP
                 create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
 
                 if (arg_seccomp_block_secondary)
@@ -132,7 +131,6 @@ void preproc_mount_mnt_dir(void) {
                 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644);
                 if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644))
                         errExit("set_perms");
-#endif
         }
 }
 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 970033899..5ddf6fdbb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -327,12 +327,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "seccomp") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP))
                         arg_seccomp = 1;
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         else if (strcmp(ptr, "caps") == 0) {
@@ -385,10 +383,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "private-cache") == 0) {
+#ifdef HAVE_USERTMPFS
                 if (checkcfg(CFG_PRIVATE_CACHE))
                         arg_private_cache = 1;
                 else
                         warning_feature_disabled("private-cache");
+#endif
                 return 0;
         }
         else if (strcmp(ptr, "private-dev") == 0) {
@@ -404,7 +404,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "nogroups") == 0) {
-                arg_nogroups = 1;
+                // nvidia cards require video group; disable nogroups
+                if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+                        fwarning("Warning: NVIDIA card detected, nogroups command disabled\n");
+                        arg_nogroups = 0;
+                }
+                else
+                        arg_nogroups = 1;
                 return 0;
         }
         else if (strcmp(ptr, "nosound") == 0) {
@@ -432,11 +438,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "nodbus") == 0) {
+#ifdef HAVE_DBUSPROXY
                 arg_dbus_user = DBUS_POLICY_BLOCK;
                 arg_dbus_system = DBUS_POLICY_BLOCK;
+#endif
                 return 0;
         }
         else if (strncmp("dbus-user ", ptr, 10) == 0) {
+#ifdef HAVE_DBUSPROXY
                 ptr += 10;
                 if (strcmp("filter", ptr) == 0) {
                         if (arg_dbus_user == DBUS_POLICY_BLOCK) {
@@ -454,44 +463,56 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         fprintf(stderr, "Unknown dbus-user policy: %s\n", ptr);
                         exit(1);
                 }
+#endif
                 return 0;
         }
         else if (strncmp(ptr, "dbus-user.see ", 14) == 0) {
+#ifdef HAVE_DBUSPROXY
                 if (!dbus_check_name(ptr + 14)) {
-                        printf("Invalid dbus-user.see name: %s\n", ptr + 15);
+                        fprintf(stderr, "Invalid dbus-user.see name: %s\n", ptr + 15);
                         exit(1);
                 }
+#endif
                 return 1;
         }
         else if (strncmp(ptr, "dbus-user.talk ", 15) == 0) {
+#ifdef HAVE_DBUSPROXY
                 if (!dbus_check_name(ptr + 15)) {
-                        printf("Invalid dbus-user.talk name: %s\n", ptr + 15);
+                        fprintf(stderr, "Error: Invalid dbus-user.talk name: %s\n", ptr + 15);
                         exit(1);
                 }
+#endif
                 return 1;
         }
         else if (strncmp(ptr, "dbus-user.own ", 14) == 0) {
+#ifdef HAVE_DBUSPROXY
                 if (!dbus_check_name(ptr + 14)) {
-                        fprintf(stderr, "Invalid dbus-user.own name: %s\n", ptr + 14);
+                        fprintf(stderr, "Error: Invalid dbus-user.own name: %s\n", ptr + 14);
                         exit(1);
                 }
+#endif
                 return 1;
         }
         else if (strncmp(ptr, "dbus-user.call ", 15) == 0) {
+#ifdef HAVE_DBUSPROXY
                 if (!dbus_check_call_rule(ptr + 15)) {
-                        fprintf(stderr, "Invalid dbus-user.call rule: %s\n", ptr + 15);
+                        fprintf(stderr, "Error: Invalid dbus-user.call rule: %s\n", ptr + 15);
                         exit(1);
                 }
+#endif
                 return 1;
         }
         else if (strncmp(ptr, "dbus-user.broadcast ", 20) == 0) {
+#ifdef HAVE_DBUSPROXY
                 if (!dbus_check_call_rule(ptr + 20)) {
-                        fprintf(stderr, "Invalid dbus-user.broadcast rule: %s\n", ptr + 20);
+                        fprintf(stderr, "Error: Invalid dbus-user.broadcast rule: %s\n", ptr + 20);
                         exit(1);
                 }
+#endif
                 return 1;
         }
         else if (strncmp("dbus-system ", ptr, 12) == 0) {
+#ifdef HAVE_DBUSPROXY
                 ptr += 12;
                 if (strcmp("filter", ptr) == 0) {
                         if (arg_dbus_system == DBUS_POLICY_BLOCK) {
@@ -506,44 +527,55 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         }
                         arg_dbus_system = DBUS_POLICY_BLOCK;
                 } else {
-                        fprintf(stderr, "Unknown dbus-system policy: %s\n", ptr);
+                        fprintf(stderr, "Error: Unknown dbus-system policy: %s\n", ptr);
                         exit(1);
                 }
+#endif
                 return 0;
         }
         else if (strncmp(ptr, "dbus-system.see ", 16) == 0) {
+#ifdef HAVE_DBUSPROXY
                 if (!dbus_check_name(ptr + 16)) {
-                        fprintf(stderr, "Invalid dbus-system.see name: %s\n", ptr + 17);
+                        fprintf(stderr, "Error: Invalid dbus-system.see name: %s\n", ptr + 17);
                         exit(1);
                 }
+#endif
                 return 1;
         }
         else if (strncmp(ptr, "dbus-system.talk ", 17) == 0) {
+#ifdef HAVE_DBUSPROXY
                 if (!dbus_check_name(ptr + 17)) {
-                        fprintf(stderr, "Invalid dbus-system.talk name: %s\n", ptr + 17);
+                        fprintf(stderr, "Error: Invalid dbus-system.talk name: %s\n", ptr + 17);
                         exit(1);
                 }
+#endif
                 return 1;
         }
         else if (strncmp(ptr, "dbus-system.own ", 16) == 0) {
+#ifdef HAVE_DBUSPROXY
                 if (!dbus_check_name(ptr + 16)) {
-                        fprintf(stderr, "Invalid dbus-system.own name: %s\n", ptr + 16);
+                        fprintf(stderr, "Error: Invalid dbus-system.own name: %s\n", ptr + 16);
                         exit(1);
                 }
+#endif
                 return 1;
         }
         else if (strncmp(ptr, "dbus-system.call ", 17) == 0) {
+#ifdef HAVE_DBUSPROXY
                 if (!dbus_check_call_rule(ptr + 17)) {
-                        fprintf(stderr, "Invalid dbus-system.call rule: %s\n", ptr + 17);
+                        fprintf(stderr, "Error: Invalid dbus-system.call rule: %s\n", ptr + 17);
                         exit(1);
                 }
+#endif
                 return 1;
         }
         else if (strncmp(ptr, "dbus-system.broadcast ", 22) == 0) {
+#ifdef HAVE_DBUSPROXY
                 if (!dbus_check_call_rule(ptr + 22)) {
-                        fprintf(stderr, "Invalid dbus-system.broadcast rule: %s\n", ptr + 22);
+                        fprintf(stderr, "Error: Invalid dbus-system.broadcast rule: %s\n", ptr + 22);
                         exit(1);
                 }
+#endif
                 return 1;
         }
         else if (strcmp(ptr, "nou2f") == 0) {
@@ -861,10 +893,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
 
         if (strncmp(ptr, "protocol ", 9) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         if (cfg.protocol) {
-                                fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
+                                fwarning("more than one protocol list is present, \"%s\" will be installed\n", cfg.protocol);
                                 return 0;
                         }
 
@@ -875,7 +906,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
@@ -884,108 +914,92 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         if (strncmp(ptr, "rmenv ", 6) == 0) {
+                unsetenv(ptr + 6); // Remove also immediately from Firejail itself
                 env_store(ptr + 6, RMENV);
                 return 0;
         }
 
         // seccomp drop list on top of default list
         if (strncmp(ptr, "seccomp ", 8) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list = seccomp_check_list(ptr + 8);
                 }
                 else if (!arg_quiet)
                         warning_feature_disabled("seccomp");
-#endif
 
                 return 0;
         }
         if (strncmp(ptr, "seccomp.32 ", 11) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
                         cfg.seccomp_list32 = seccomp_check_list(ptr + 11);
                 }
                 else if (!arg_quiet)
                         warning_feature_disabled("seccomp");
-#endif
 
                 return 0;
         }
 
         if (strcmp(ptr, "seccomp.block-secondary") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp_block_secondary = 1;
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         // seccomp drop list without default list
         if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list_drop = seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
                         cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
         // seccomp keep list
         if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list_keep= seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
                         cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
         // memory deny write&execute
         if (strcmp(ptr, "memory-deny-write-execute") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP))
                         arg_memory_deny_write_execute = 1;
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
         // seccomp error action
         if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
                         if (config_seccomp_error_action == -1) {
@@ -1008,7 +1022,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         }
                 } else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
@@ -1401,12 +1414,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         // filesystem bind
         if (strncmp(ptr, "bind ", 5) == 0) {
                 if (checkcfg(CFG_BIND)) {
+                        // extract two directories
                         if (getuid() != 0) {
                                 fprintf(stderr, "Error: --bind option is available only if running as root\n");
                                 exit(1);
                         }
 
-                        // extract two directories
                         char *dname1 = ptr + 5;
                         char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
                         if (dname2 == NULL) {
@@ -1468,7 +1481,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         arg_rlimit_as = 1;
                 }
                 else {
-                        fprintf(stderr, "Invalid rlimit option on line %d\n", lineno);
+                        fprintf(stderr, "Error: Invalid rlimit option on line %d\n", lineno);
                         exit(1);
                 }
 
@@ -1552,10 +1565,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         else if (strncmp(ptr, "noexec ", 7) == 0)
                 ptr += 7;
         else if (strncmp(ptr, "tmpfs ", 6) == 0) {
+#ifndef HAVE_USERTMPFS
                 if (getuid() != 0) {
                         fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
                         exit(1);
                 }
+#endif
                 ptr += 6;
         }
         else {
@@ -1622,17 +1637,18 @@ void profile_read(const char *fname) {
                 exit(1);
         }
         if (access(fname, R_OK)) {
+                int errsv = errno;
                 // if the file ends in ".local", do not exit
                 const char *base = gnu_basename(fname);
                 char *ptr = strstr(base, ".local");
-                if (ptr && strlen(ptr) == 6)
+                if (ptr && strlen(ptr) == 6 && errsv != EACCES)
                         return;
 
                 fprintf(stderr, "Error: cannot access profile file: %s\n", fname);
                 exit(1);
         }
 
-        // allow debuggers
+        // --allow-debuggers - skip disable-devel.inc file
         if (arg_allow_debuggers) {
                 char *tmp = strrchr(fname, '/');
                 if (tmp && *(tmp + 1) != '\0') {
@@ -1641,6 +1657,15 @@ void profile_read(const char *fname) {
                                 return;
                 }
         }
+        // --appimage - skip disable-shell.inc file
+        if (arg_appimage) {
+                char *tmp = strrchr(fname, '/');
+                if (tmp && *(tmp + 1) != '\0') {
+                        tmp++;
+                        if (strcmp(tmp, "disable-shell.inc") == 0)
+                                return;
+                }
+        }
 
         // open profile file:
         FILE *fp = fopen(fname, "r");
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index a1594d6b9..cd54eb72d 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 
@@ -93,6 +92,3 @@ void protocol_print_filter(pid_t pid) {
         exit(1);
 #endif
 }
-
-
-#endif // HAVE_SECCOMP
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index b4df78dda..84cbb1977 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -23,6 +23,7 @@
 #include <sys/statvfs.h>
 #include <sys/mount.h>
 #include <dirent.h>
+#include <errno.h>
 #include <sys/wait.h>
 
 #include <fcntl.h>
@@ -47,7 +48,7 @@ void pulseaudio_disable(void) {
         char *path;
         if (asprintf(&path, "/run/user/%d", getuid()) == -1)
                 errExit("asprintf");
-        disable_file_path(path, "pulse/native");
+        disable_file_path(path, "pulse");
         free(path);
 
 
@@ -133,8 +134,13 @@ void pulseaudio_init(void) {
                 goto out;
         }
         // confirm the actual mount destination is owned by the user
-        if (fstat(fd, &s) == -1)
-                errExit("fstat");
+        if (fstat(fd, &s) == -1) { // FUSE
+                if (errno != EACCES)
+                        errExit("fstat");
+                close(fd);
+                pulseaudio_set_environment(pulsecfg);
+                goto out;
+        }
         if (s.st_uid != getuid()) {
                 close(fd);
                 pulseaudio_set_environment(pulsecfg);
@@ -169,6 +175,11 @@ void pulseaudio_init(void) {
         pulseaudio_set_environment(p);
         free(p);
 
+        // RUN_PULSE_DIR not needed anymore, mask it
+        if (mount("tmpfs", RUN_PULSE_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mount pulseaudio");
+        fs_logger2("tmpfs", RUN_PULSE_DIR);
+
 out:
         free(pulsecfg);
         free(homeusercfg);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0965b1017..8bfe76603 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -20,6 +20,7 @@
 
 #include "firejail.h"
 #include "../include/seccomp.h"
+#include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
@@ -140,7 +141,6 @@ void set_apparmor(void) {
 }
 #endif
 
-#ifdef HAVE_SECCOMP
 void seccomp_debug(void) {
         if (arg_debug == 0)
                 return;
@@ -157,7 +157,6 @@ void seccomp_debug(void) {
                 printf("No active seccomp files\n");
         EUID_ROOT();
 }
-#endif
 
 static void save_nogroups(void) {
         if (arg_nogroups == 0)
@@ -204,16 +203,17 @@ static void save_umask(void) {
         }
 }
 
-static FILE *create_ready_for_join_file(void) {
-        FILE *fp = fopen(RUN_READY_FOR_JOIN, "wxe");
-        if (fp) {
-                ASSERT_PERMS_STREAM(fp, 0, 0, 0644);
-                return fp;
-        }
-        else {
-                fprintf(stderr, "Error: cannot create %s\n", RUN_READY_FOR_JOIN);
-                exit(1);
-        }
+static char *create_join_file(void) {
+        int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        if (fd == -1)
+                errExit("open");
+        if (ftruncate(fd, 1) == -1)
+                errExit("ftruncate");
+        char *rv = mmap(NULL, 1, PROT_WRITE, MAP_SHARED, fd, 0);
+        if (rv == MAP_FAILED)
+                errExit("mmap");
+        close(fd);
+        return rv;
 }
 
 static void sandbox_if_up(Bridge *br) {
@@ -472,7 +472,7 @@ static int ok_to_run(const char *program) {
         return 0;
 }
 
-void start_application(int no_sandbox, FILE *fp) {
+void start_application(int no_sandbox, char *set_sandbox_status) {
         // set environment
         if (no_sandbox == 0) {
                 env_defaults();
@@ -492,16 +492,12 @@ void start_application(int no_sandbox, FILE *fp) {
         if (arg_audit) {
                 assert(arg_audit_prog);
 
-                if (fp) {
-                        fprintf(fp, "ready\n");
-                        fclose(fp);
-                }
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
                 seccomp_install_filters();
-#endif
+                if (set_sandbox_status)
+                        *set_sandbox_status = SANDBOX_DONE;
                 execl(arg_audit_prog, arg_audit_prog, NULL);
 
                 perror("execl");
@@ -528,23 +524,19 @@ void start_application(int no_sandbox, FILE *fp) {
                 if (!arg_command && !arg_quiet)
                         print_time();
 
-                int rv = ok_to_run(cfg.original_argv[cfg.original_program_index]);
-
-                if (fp) {
-                        fprintf(fp, "ready\n");
-                        fclose(fp);
+                if (ok_to_run(cfg.original_argv[cfg.original_program_index]) == 0) {
+                        fprintf(stderr, "Error: no suitable %s executable found\n", cfg.original_argv[cfg.original_program_index]);
+                        exit(1);
                 }
+
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
                 seccomp_install_filters();
-#endif
-                if (rv)
-                        execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
-                else
-                        fprintf(stderr, "Error: no suitable %s executable found\n", cfg.original_argv[cfg.original_program_index]);
-                exit(1);
+
+                if (set_sandbox_status)
+                        *set_sandbox_status = SANDBOX_DONE;
+                execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
         }
         //****************************************
         // start the program using a shell
@@ -591,16 +583,13 @@ void start_application(int no_sandbox, FILE *fp) {
                 if (!arg_command && !arg_quiet)
                         print_time();
 
-                if (fp) {
-                        fprintf(fp, "ready\n");
-                        fclose(fp);
-                }
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
                 seccomp_install_filters();
-#endif
+
+                if (set_sandbox_status)
+                        *set_sandbox_status = SANDBOX_DONE;
                 execvp(arg[0], arg);
         }
 
@@ -662,6 +651,8 @@ int sandbox(void* sandbox_arg) {
         if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 ||
             mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0)
                 errExit("mounting " RUN_FIREJAIL_LIB_DIR);
+        // keep a copy of dhclient executable before the filesystem is modified
+        dhcp_store_exec();
 
         //****************************
         // log sandbox data
@@ -802,7 +793,6 @@ int sandbox(void* sandbox_arg) {
         //  - build seccomp filters
         //  - create an empty /etc/ld.so.preload
         //****************************
-#ifdef HAVE_SECCOMP
         if (cfg.protocol) {
                 if (arg_debug)
                         printf("Build protocol filter: %s\n", cfg.protocol);
@@ -813,7 +803,6 @@ int sandbox(void* sandbox_arg) {
                 if (rv)
                         exit(rv);
         }
-#endif
 
         // need ld.so.preload if tracing or seccomp with any non-default lists
         bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
@@ -932,6 +921,7 @@ int sandbox(void* sandbox_arg) {
                 }
         }
 
+#ifdef HAVE_USERTMPFS
         if (arg_private_cache) {
                 if (cfg.chrootdir)
                         fwarning("private-cache feature is disabled in chroot\n");
@@ -940,6 +930,7 @@ int sandbox(void* sandbox_arg) {
                 else
                         fs_private_cache();
         }
+#endif
 
         if (arg_private_tmp) {
                 // private-tmp is implemented as a whitelist
@@ -951,8 +942,9 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // Session D-BUS
         //****************************
+#ifdef HAVE_DBUSPROXY
         dbus_apply_policy();
-
+#endif
 
         //****************************
         // hosts and hostname
@@ -1112,7 +1104,6 @@ int sandbox(void* sandbox_arg) {
         save_cgroup();
 
         // set seccomp
-#ifdef HAVE_SECCOMP
         // install protocol filter
 #ifdef SYS_socket
         if (cfg.protocol) {
@@ -1156,17 +1147,15 @@ int sandbox(void* sandbox_arg) {
         // make seccomp filters read-only
         fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
         seccomp_debug();
-#endif
 
         // set capabilities
         set_caps();
 
         //****************************************
-        // communicate progress of sandbox set up
-        // to --join
+        // relay status information to join option
         //****************************************
 
-        FILE *rj = create_ready_for_join_file();
+        char *set_sandbox_status = create_join_file();
 
         //****************************************
         // create a new user namespace
@@ -1248,10 +1237,10 @@ int sandbox(void* sandbox_arg) {
                         set_nice(cfg.nice);
                 set_rlimits();
 
-                start_application(0, rj);
+                start_application(0, set_sandbox_status);
         }
 
-        fclose(rj);
+        munmap(set_sandbox_status, 1);
 
         int status = monitor_application(app_pid);      // monitor application
         flush_stdin();
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index a92d62940..a2aaa86eb 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -263,6 +263,7 @@ int sbox_run(unsigned filtermask, int num, ...) {
 
 int sbox_run_v(unsigned filtermask, char * const arg[]) {
         EUID_ROOT();
+        assert(arg);
 
         if (arg_debug) {
                 printf("sbox run: ");
@@ -288,7 +289,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
         if (waitpid(child, &status, 0) == -1 ) {
                 errExit("waitpid");
         }
-        if (WIFEXITED(status) && status != 0) {
+        if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
                 fprintf(stderr, "Error: failed to run %s\n", arg[0]);
                 exit(1);
         }
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7f55ccc0e..e47e6c910 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
@@ -445,5 +444,3 @@ errexit:
         printf("Cannot access seccomp filter.\n");
         exit(1);
 }
-
-#endif // HAVE_SECCOMP
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 52d6788ef..dd776fcce 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -35,7 +35,7 @@ static int selinux_enabled = -1;
 void selinux_relabel_path(const char *path, const char *inside_path)
 {
 #if HAVE_SELINUX
-        char procfs_path[64];
+        char procfs_path[64];
         char *fcon = NULL;
         int fd;
         struct stat st;
@@ -43,26 +43,29 @@ void selinux_relabel_path(const char *path, const char *inside_path)
         if (selinux_enabled == -1)
                 selinux_enabled = is_selinux_enabled();
 
-        if (!selinux_enabled && arg_debug)
+        if (!selinux_enabled)
                 return;
 
         if (!label_hnd)
                 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 
+        if (!label_hnd)
+                errExit("selabel_open");
+
         /* Open the file as O_PATH, to pin it while we determine and adjust the label */
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
         if (fd < 0)
                 return;
         if (fstat(fd, &st) < 0)
                 goto close;
 
-        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
                 sprintf(procfs_path, "/proc/self/fd/%i", fd);
                 if (arg_debug)
                         printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
                 setfilecon_raw(procfs_path, fcon);
-        }
+        }
         freecon(fcon);
  close:
         close(fd);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 2390706f2..d58bbb409 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -123,10 +123,8 @@ static char *usage_str =
         "    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
         "    --machine-id - preserve /etc/machine-id\n"
-#ifdef HAVE_SECCOMP
         "    --memory-deny-write-execute - seccomp filter to block attempts to create\n"
         "\tmemory mappings that are both writable and executable.\n"
-#endif
 #ifdef HAVE_NETWORK
         "    --mtu=number - set interface MTU.\n"
 #endif
@@ -215,7 +213,6 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-#ifdef HAVE_SECCOMP
         "    --seccomp - enable seccomp filter and apply the default blacklist.\n"
         "    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
         "\tdefault syscall list and the syscalls specified by the command.\n"
@@ -229,7 +226,6 @@ static char *usage_str =
         "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
         "    --seccomp-error-action=errno|kill|log - change error code, kill process\n"
         "\tor log the attempt.\n"
-#endif
         "    --shell=none - run the program directly without a user shell.\n"
         "    --shell=program - set default user shell.\n"
         "    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 9f878611a..02befdc12 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -33,7 +33,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 #define MAX_GROUPS 1024
@@ -281,8 +281,9 @@ static int copy_file_by_fd(int src, int dst) {
                         done += rv;
                 }
         }
-//      fflush(0);
-        return 0;
+        if (len == 0)
+                return 0;
+        return -1;
 }
 
 // return -1 if error, 0 if no error; if destname already exists, return error
diff --git a/src/firemon/apparmor.c b/src/firemon/apparmor.c
index 028dbc212..c34a44165 100644
--- a/src/firemon/apparmor.c
+++ b/src/firemon/apparmor.c
@@ -44,7 +44,7 @@ void apparmor(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1)
                                 print_apparmor(child);
diff --git a/src/firemon/arp.c b/src/firemon/arp.c
index a43593ced..3bd59e65e 100644
--- a/src/firemon/arp.c
+++ b/src/firemon/arp.c
@@ -80,7 +80,7 @@ void arp(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1) {
                                 char *fname;
diff --git a/src/firemon/caps.c b/src/firemon/caps.c
index 951bd21a5..0e720706d 100644
--- a/src/firemon/caps.c
+++ b/src/firemon/caps.c
@@ -53,7 +53,7 @@ void caps(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1)
                                 print_caps(child);
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c
index 251db0077..e0d605d10 100644
--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -53,7 +53,7 @@ void cgroup(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1)
                                 print_cgroup(child);
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c
index 6170ef8c1..e97068851 100644
--- a/src/firemon/cpu.c
+++ b/src/firemon/cpu.c
@@ -54,7 +54,7 @@ void cpu(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1)
                                 print_cpu(child);
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 7468e3240..5ae0ed013 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -40,7 +40,7 @@ static int arg_top = 0;
 static int arg_list = 0;
 static int arg_netstats = 0;
 static int arg_apparmor = 0;
-int arg_nowrap = 0;
+int arg_wrap = 0;
 
 static struct termios tlocal;   // startup terminal setting
 static struct termios twait;    // no wait on key press
@@ -159,6 +159,7 @@ int main(int argc, char **argv) {
                         arg_list = 1;
                 else if (strcmp(argv[i], "--tree") == 0)
                         arg_tree = 1;
+#ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--netstats") == 0) {
                         struct stat s;
                         if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) {
@@ -167,7 +168,7 @@ int main(int argc, char **argv) {
                         }
                         arg_netstats = 1;
                 }
-
+#endif
 
                 // cumulative options with or without a pid argument
                 else if (strcmp(argv[i], "--x11") == 0)
@@ -187,10 +188,12 @@ int main(int argc, char **argv) {
                         }
                         arg_interface = 1;
                 }
+#ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--route") == 0)
                         arg_route = 1;
                 else if (strcmp(argv[i], "--arp") == 0)
                         arg_arp = 1;
+#endif
                 else if (strcmp(argv[i], "--apparmor") == 0)
                         arg_apparmor = 1;
 
@@ -203,8 +206,8 @@ int main(int argc, char **argv) {
                 }
 
                 // etc
-                else if (strcmp(argv[i], "--nowrap") == 0)
-                        arg_nowrap = 1;
+                else if (strcmp(argv[i], "--wrap") == 0)
+                        arg_wrap = 1;
 
                 // invalid option
                 else if (*argv[i] == '-') {
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index 3fba486eb..948214d4d 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -40,7 +40,7 @@ static inline void firemon_clrscr(void) {
 
 // firemon.c
 extern pid_t skip_process;
-extern int arg_nowrap;
+extern int arg_wrap;
 int find_child(int id);
 void firemon_sleep(int st);
 
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index 325ffd80e..34d616647 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -163,7 +163,7 @@ void interface(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1) {
                                 print_sandbox(child);
diff --git a/src/firemon/list.c b/src/firemon/list.c
index 8a07f9eb2..22a08272d 100644
--- a/src/firemon/list.c
+++ b/src/firemon/list.c
@@ -28,6 +28,6 @@ void list(void) {
                 if (i == skip_process)
                         continue;
                 if (pids[i].level == 1)
-                        pid_print_list(i, arg_nowrap);
+                        pid_print_list(i, arg_wrap);
         }
 }
diff --git a/src/firemon/route.c b/src/firemon/route.c
index 9fd46505f..19c823a87 100644
--- a/src/firemon/route.c
+++ b/src/firemon/route.c
@@ -189,7 +189,7 @@ void route(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1) {
                                 char *fname;
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c
index 7bc700ee6..7867fbad3 100644
--- a/src/firemon/seccomp.c
+++ b/src/firemon/seccomp.c
@@ -52,7 +52,7 @@ void seccomp(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
                         int child = find_child(i);
                         if (child != -1)
                                 print_seccomp(child);
diff --git a/src/firemon/tree.c b/src/firemon/tree.c
index f3610eaec..711066c19 100644
--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -28,7 +28,7 @@ void tree(pid_t pid) {
                 if (i == skip_process)
                         continue;
                 if (pids[i].level == 1)
-                        pid_print_tree(i, 0, arg_nowrap);
+                        pid_print_tree(i, 0, arg_wrap);
         }
         printf("\n");
 }
diff --git a/src/firemon/x11.c b/src/firemon/x11.c
index a41f4825f..19b54429c 100644
--- a/src/firemon/x11.c
+++ b/src/firemon/x11.c
@@ -30,7 +30,7 @@ void x11(pid_t pid, int print_procs) {
         for (i = 0; i < max_pids; i++) {
                 if (pids[i].level == 1) {
                         if (print_procs || pid == 0)
-                                pid_print_list(i, arg_nowrap);
+                                pid_print_list(i, arg_wrap);
 
                         char *x11file;
                         // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory
diff --git a/src/fnet/arp.c b/src/fnet/arp.c
index 122d0007c..64f177574 100644
--- a/src/fnet/arp.c
+++ b/src/fnet/arp.c
@@ -149,10 +149,8 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
                         memcpy (frame + 14, &hdr, sizeof(hdr));
 
                         // send packet
-                        int len;
-                        if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
+                        if (sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr)) <= 0)
                                 errExit("send");
-//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest));
                         fflush(0);
                         dest++;
                 }
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c
index a6aae5ecb..eecf18832 100644
--- a/src/fsec-print/print.c
+++ b/src/fsec-print/print.c
@@ -19,7 +19,7 @@
  *
  *
  *
- * Parts of this code was lifted from libseccomp project, license LGPV 2.1.
+ * Parts of this code was lifted from libseccomp project, license LGPL 2.1.
  * This is the original copyright notice in libseccomp code:
  *
  *
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index b8b30f488..4d261f9e5 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -57,6 +57,7 @@ static char *protocol[] = {
         "inet6",
         "netlink",
         "packet",
+        "bluetooth",
         NULL
 };
 
@@ -66,7 +67,8 @@ static struct sock_filter protocol_filter_command[] = {
         WHITELIST(AF_INET),
         WHITELIST(AF_INET6),
         WHITELIST(AF_NETLINK),
-        WHITELIST(AF_PACKET)
+        WHITELIST(AF_PACKET),
+        WHITELIST(AF_BLUETOOTH)
 };
 #endif
 // Note: protocol[] and protocol_filter_command are synchronized
@@ -143,22 +145,6 @@ void protocol_build_filter(const char *prlist, const char *fname) {
         memcpy(ptr, &filter_start[0], sizeof(filter_start));
         ptr += sizeof(filter_start);
 
-#if 0
-printf("entries %u\n", (unsigned) (sizeof(filter_start) / sizeof(struct sock_filter)));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned) sizeof(struct sock_filter));
-#endif
-
-
         // parse list and add commands
         char *tmplist = strdup(prlist);
         if (!tmplist)
@@ -176,22 +162,6 @@ printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned
                 memcpy(ptr, domain, whitelist_len * sizeof(struct sock_filter));
                 ptr += whitelist_len * sizeof(struct sock_filter);
                 token = strtok(NULL, ",");
-
-#if 0
-printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-#endif
-
-
         }
         free(tmplist);
 
@@ -202,19 +172,6 @@ printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
         memcpy(ptr, &filter_end[0], sizeof(filter_end));
         ptr += sizeof(filter_end);
 
-#if 0
-printf("entries %u\n",  (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (unsigned) sizeof(struct sock_filter));
-{
-        unsigned j;
-        unsigned char *ptr2 = (unsigned char *) &filter[0];
-        for (j = 0; j < sizeof(filter); j++, ptr2++) {
-                if ((j % (sizeof(struct sock_filter))) == 0)
-                        printf("\n%u: ", 1 + (unsigned) (j / (sizeof(struct sock_filter))));
-                printf("%02x, ", (*ptr2) & 0xff);
-        }
-        printf("\n");
-}
-#endif
         // save filter to file
         int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (dst < 0) {
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh
index 936a23512..ef76813ea 100755
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -3,6 +3,16 @@
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
 
+TCFILE=""
+if [ -x "/usr/sbin/tc" ]; then
+        TCFILE="/usr/sbin/tc"
+elif [ -x "/sbin/tc" ]; then
+        TCFILE="/sbin/tc";
+else
+        echo "Error: traffic control utility (tc) not found";
+        exit 1
+fi
+
 usage() {
         echo "Usage:"
         echo "     fshaper.sh --status"
@@ -11,8 +21,8 @@ usage() {
 }
 
 if [ "$1" = "--status" ]; then
-        /sbin/tc -s qdisc ls
-        /sbin/tc -s class ls
+        $TCFILE -s qdisc ls
+        $TCFILE -s class ls
         exit
 fi
 
@@ -25,8 +35,8 @@ if [ "$1" = "--clear" ]; then
 
         DEV=$2
         echo "Removing bandwidth limits"
-        /sbin/tc qdisc del dev $DEV root  2> /dev/null > /dev/null
-        /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
+        $TCFILE qdisc del dev $DEV root  2> /dev/null > /dev/null
+        $TCFILE qdisc del dev $DEV ingress 2> /dev/null > /dev/null
         exit
 
 fi
@@ -34,7 +44,7 @@ fi
 if [ "$1" = "--set" ]; then
         DEV=$2
         echo "Removing bandwidth limit"
-        /sbin/tc qdisc del dev $DEV ingress #2> /dev/null > /dev/null
+        $TCFILE qdisc del dev $DEV ingress #2> /dev/null > /dev/null
 
         if [ $# -ne 4 ]; then
                 echo "Error: missing parameters"
@@ -54,16 +64,16 @@ if [ "$1" = "--set" ]; then
         echo "Upload speed  ${OUT}kbps"
 
         echo "cleaning limits"
-        /sbin/tc qdisc del dev $DEV root  2> /dev/null > /dev/null
-        /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
+        $TCFILE qdisc del dev $DEV root  2> /dev/null > /dev/null
+        $TCFILE qdisc del dev $DEV ingress 2> /dev/null > /dev/null
 
         echo "configuring tc ingress"
-        /sbin/tc qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null
-        /sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
+        $TCFILE qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null
+        $TCFILE filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
            0.0.0.0/0 police rate ${IN}kbit burst 10k drop flowid :1 #2> /dev/null > /dev/null
 
         echo "configuring tc egress"
-        /sbin/tc qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null
+        $TCFILE qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null
         exit
 fi
 
diff --git a/src/include/common.h b/src/include/common.h
index 68d60fef3..2fa61cc91 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -39,7 +39,9 @@
 #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
 
 // check if processes run with dumpable flag set
-#define WARN_DUMPABLE
+// currently we get "Error fseccomp: I am dumpable" every time we run a firejail build on Debian 8,
+// regardless what Debian version we run the build on
+//#define WARN_DUMPABLE
 
 // macro to print ip addresses in a printf statement
 #define PRINT_IP(A) \
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index d56623907..21aad66f7 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -51,7 +51,7 @@
 #define RUN_LIB_DIR                     RUN_MNT_DIR "/lib"
 #define RUN_LIB_FILE                    RUN_MNT_DIR "/libfiles"
 #define RUN_DNS_ETC                     RUN_MNT_DIR "/dns-etc"
-#define RUN_DHCLIENT_DIR                        RUN_MNT_DIR "/dhclient"
+#define RUN_DHCLIENT_DIR                        RUN_MNT_DIR "/dhclient-dir"
 #define RUN_DHCLIENT_4_LEASES_FILE              RUN_DHCLIENT_DIR "/dhclient.leases"
 #define RUN_DHCLIENT_6_LEASES_FILE              RUN_DHCLIENT_DIR "/dhclient6.leases"
 #define RUN_DHCLIENT_4_LEASES_FILE              RUN_DHCLIENT_DIR "/dhclient.leases"
@@ -113,7 +113,7 @@
 #define RUN_FSLOGGER_FILE               RUN_MNT_DIR "/fslogger"
 #define RUN_TRACE_FILE                  RUN_MNT_DIR "/trace"
 #define RUN_UMASK_FILE                  RUN_MNT_DIR "/umask"
+#define RUN_JOIN_FILE                   RUN_MNT_DIR "/join"
 #define RUN_OVERLAY_ROOT                RUN_MNT_DIR "/oroot"
-#define RUN_READY_FOR_JOIN              RUN_MNT_DIR "/ready-for-join"
 
 #endif
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 29b858c70..90db16d39 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -96,24 +96,7 @@
 # define PR_SET_NO_NEW_PRIVS 38
 #endif
 
-#if HAVE_SECCOMP_H
 #include <linux/seccomp.h>
-#else
-#define SECCOMP_MODE_FILTER     2
-#define SECCOMP_RET_KILL        0x00000000U
-#define SECCOMP_RET_TRAP        0x00030000U
-#define SECCOMP_RET_ALLOW       0x7fff0000U
-#define SECCOMP_RET_ERRNO       0x00050000U
-#define SECCOMP_RET_DATA        0x0000ffffU
-
-struct seccomp_data {
-    int nr;
-    __u32 arch;
-    __u64 instruction_pointer;
-    __u64 args[6];
-};
-#endif
-
 #ifndef SECCOMP_RET_LOG
 #define SECCOMP_RET_LOG         0x7ffc0000U
 #endif
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index 2f8ccaed7..4903971ad 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -230,6 +230,7 @@ static const SyscallGroupList sysgroups[] = {
           "@cpu-emulation,"
           "@debug,"
           "@module,"
+          "@mount,"
           "@obsolete,"
           "@raw-io,"
           "@reboot,"
@@ -297,9 +298,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vmsplice
           "vmsplice,"
 #endif
-#ifdef SYS_umount
-          "umount,"
-#endif
 #ifdef SYS_userfaultfd
           "userfaultfd,"
 #endif
@@ -309,27 +307,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_bpf
           "bpf,"
 #endif
-#ifdef SYS_chroot
-          "chroot,"
-#endif
-#ifdef SYS_mount
-          "mount,"
-#endif
 #ifdef SYS_nfsservctl
           "nfsservctl,"
 #endif
-#ifdef SYS_pivot_root
-          "pivot_root,"
-#endif
 #ifdef SYS_setdomainname
           "setdomainname,"
 #endif
 #ifdef SYS_sethostname
           "sethostname,"
 #endif
-#ifdef SYS_umount2
-          "umount2,"
-#endif
 #ifdef SYS_vhangup
           "vhangup"
 #endif
diff --git a/src/libpostexecseccomp/Makefile.in b/src/libpostexecseccomp/Makefile.in
index 00dc6ee7e..edd4534b8 100644
--- a/src/libpostexecseccomp/Makefile.in
+++ b/src/libpostexecseccomp/Makefile.in
@@ -9,7 +9,7 @@ C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
 all: libpostexecseccomp.so
 
diff --git a/src/libtrace/Makefile.in b/src/libtrace/Makefile.in
index 2070fe0ea..5c7d0f885 100644
--- a/src/libtrace/Makefile.in
+++ b/src/libtrace/Makefile.in
@@ -9,7 +9,7 @@ C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
 all: libtrace.so
 
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in
index db640617a..b1ac9e57c 100644
--- a/src/libtracelog/Makefile.in
+++ b/src/libtracelog/Makefile.in
@@ -9,7 +9,7 @@ C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
-LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
+LDFLAGS += -pie -fPIE -Wl,-z,relro -Wl,-z,now
 
 all: libtracelog.so
 
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
new file mode 100644
index 000000000..1c4444307
--- /dev/null
+++ b/src/man/Makefile.in
@@ -0,0 +1,10 @@
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man
+include ../common.mk
+
+%.man: %.txt
+        gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@
+
+clean:; rm -fr *.man
+
+distclean: clean
+        rm -fr Makefile
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index e282c8cf0..f3123356a 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -44,9 +44,10 @@ The following actions are implemented by default by running sudo firecfg:
 .br
 - fix desktop files in $HOME/.local/share/applications/ (firecfg --fix).
 .br
-
+#ifdef HAVE_APPARMOR
 .br
 - automatically loads and forces the AppArmor profile "firejail-default".
+#endif
 .RE
 
 .SH OPTIONS
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 0784e7fd7..9524254c1 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -150,9 +150,10 @@ Example: "nowhitelist ~/.config"
 Ignore command.
 
 Example: "ignore seccomp"
+#ifdef HAVE_NETWORK
 .br
 Example: "ignore net eth0"
-
+#endif
 .TP
 \fBquiet
 Disable Firejail's output. This should be the first uncommented command in the profile file.
@@ -245,6 +246,7 @@ before the sandbox is started. The file is created if it doesn't already exist.
 .TP
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.
+#ifdef HAVE_OVERLAYFS
 .TP
 \fBoverlay
 Mount  a  filesystem  overlay  on top of the current filesystem.
@@ -257,6 +259,7 @@ The overlay is stored in $HOME/.firejail/name  directory.
 \fBoverlay-tmpfs
 Mount  a  filesystem  overlay  on top of the current filesystem.
 All filesystem  modifications are discarded when the sandbox is closed.
+#endif
 .TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
@@ -294,6 +297,7 @@ filesystem, and copy the files and directories in the list.
 The files and directories in the list must be expressed as relative to
 the /etc directory.
 All modifications are discarded when the sandbox is closed.
+#ifdef HAVE_PRIVATE_HOME
 .TP
 \fBprivate-home file,directory
 Build a new user home in a temporary
@@ -303,6 +307,7 @@ The files and directories in the list must be expressed as relative to
 the current user's home directory.
 All modifications are discarded when the sandbox is
 closed.
+#endif
 .TP
 \fBprivate-lib file,directory
 Build a new /lib directory and bring in the libraries required by the application to run.
@@ -369,9 +374,11 @@ The following security filters are currently implemented:
 .TP
 \fBallow-debuggers
 Allow tools such as strace and gdb inside the sandbox by whitelisting system calls ptrace and process_vm_readv.
+#ifdef HAVE_APPARMOR
 .TP
 \fBapparmor
 Enable AppArmor confinement.
+#endif
 .TP
 \fBcaps
 Enable default Linux capabilities filter.
@@ -395,15 +402,17 @@ Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
 cannot acquire new privileges using execve(2);  in particular,
 this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
+#ifdef HAVE_USERNS
 .TP
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
+#endif
 .TP
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and  checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
@@ -437,6 +446,7 @@ Enable seccomp filter and whitelist the system calls in the list for 32 bit syst
 Return a different error instead of EPERM to the process, kill it when
 an attempt is made to call a blocked system call, or allow but log the
 attempt.
+#ifdef HAVE_X11
 .TP
 \fBx11
 Enable X11 sandboxing.
@@ -470,7 +480,8 @@ Example:
 xephyr-screen 640x480
 .br
 x11 xephyr
-
+#endif
+#ifdef HAVE_DBUSPROXY
 .SH DBus filtering
 
 Access to the session and system DBus UNIX sockets can be allowed, filtered or
@@ -513,7 +524,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -534,7 +545,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
 .TP
 \fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
 .TP
 \fBnodbus \fR(deprecated)
 Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
@@ -565,7 +576,7 @@ and the user wants to disable notifications, this can be achieved by putting the
 ignore dbus-user.talk org.freedesktop.Notifications
 .br
 [...]
-
+#endif
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
 The limits can be modified inside the sandbox using the regular \fBulimit\fR command. \fBcpu\fR command
@@ -661,6 +672,7 @@ Disable video devices.
 Run the program directly, without a shell.
 
 
+#ifdef HAVE_NETWORK
 .SH Networking
 Networking features available in profile files.
 
@@ -853,7 +865,7 @@ a default gateway address also have to be added.
 \fBveth-name name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
 instead of the default one.
-
+#endif
 .SH Other
 .TP
 \fBdeterministic-exit-code
@@ -877,5 +889,5 @@ Homepage: https://firejail.wordpress.com
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5),
 \&\flfirejail-users\fR\|(5),
-.UR https://github.com/netblue30/firejail/wiki/Creating-Profiles 
-.UE 
+.UR https://github.com/netblue30/firejail/wiki/Creating-Profiles
+.UE
diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt
index 88b4041b0..6fa09e05e 100644
--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -38,7 +38,7 @@ See \fBman 1 firecfg\fR for details.
 An alternative way of restricting user access to firejail executable is to create a special firejail user group and
 allow only users in this group to run the sandbox:
 
-        # addgroup firejail
+        # addgroup --system firejail
 .br
         # chown root:firejail /usr/bin/firejail
 .br
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 3b7ba4e3d..8c73962fb 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -14,18 +14,22 @@ Start an AppImage program:
 firejail [OPTIONS] --appimage [appimage-file and arguments]
 .RE
 .PP
+#ifdef HAVE_FILE_TRANSFER
 File transfer from an existing sandbox
 .PP
 .RS
-firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename
+firejail {\-\-ls | \-\-get | \-\-put | \-\-cat} dir_or_filename
 .RE
 .PP
+#endif
+#ifdef HAVE_NETWORK
 Network traffic shaping for an existing sandbox:
 .PP
 .RS
 firejail \-\-bandwidth={name|pid} bandwidth-command
 .RE
 .PP
+#endif
 Monitoring:
 .PP
 .RS
@@ -106,6 +110,7 @@ All directories under /home are visible inside the sandbox. By default, only cur
 Example:
 .br
 $ firejail --allusers
+#ifdef HAVE_APPARMOR
 .TP
 \fB\-\-apparmor
 Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
@@ -122,11 +127,12 @@ $ firejail \-\-apparmor.print=browser
 5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr
 .br
   AppArmor: firejail-default enforce
-
+#endif
 .TP
 \fB\-\-appimage
 Sandbox an AppImage (https://appimage.org/) application. If the sandbox is started
 as a regular user, nonewprivs and a default capabilities filter are enabled.
+private-bin and private-lib are disabled by default when running appimages.
 .br
 
 .br
@@ -136,8 +142,9 @@ $ firejail --appimage krita-3.0-x86_64.appimage
 .br
 $ firejail --appimage --private krita-3.0-x86_64.appimage
 .br
+#ifdef HAVE_X11
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
-
+#endif
 .TP
 \fB\-\-audit
 Audit the sandbox, see \fBAUDIT\fR section for more details.
@@ -272,10 +279,11 @@ $ firejail \-\-list
 .br
 $ firejail \-\-caps.print=3272
 
+#ifdef HAVE_FILE_TRANSFER
 .TP
 \fB\-\-cat=name|pid filename
 Print content of file from sandbox container, see FILE TRANSFER section for more details.
-
+#endif
 .TP
 \fB\-\-cgroup=tasks-file
 Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file.
@@ -285,7 +293,7 @@ Place the sandbox in the specified control group. tasks-file is the full path of
 Example:
 .br
 # firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks
-
+#ifdef HAVE_CHROOT
 .TP
 \fB\-\-chroot=dirname
 Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
@@ -297,7 +305,7 @@ regular user, nonewprivs and a default capabilities filter are enabled.
 Example:
 .br
 $ firejail \-\-chroot=/media/ubuntu warzone2100
-
+#endif
 .TP
 \fB\-\-cpu=cpu-number,cpu-number,cpu-number
 Set CPU affinity.
@@ -329,7 +337,7 @@ $ firejail \-\-list
 3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-cpu.print=3272
-
+#ifdef HAVE_DBUSPROXY
 .TP
 \fB\-\-dbus-log=file
 Specify the location for the DBus log file.
@@ -344,7 +352,9 @@ path is given, logs are written to the standard output instead.
 .br
 Example:
 .br
-$ firejail --dbus-system=filter --dbus-system.log --dbus-log=dbus.txt
+$ firejail --dbus-system=filter --dbus-system.log \\
+.br
+--dbus-log=dbus.txt
 
 .TP
 \fB\-\-dbus-system=filter|none
@@ -390,7 +400,11 @@ object paths, respectively.
 .br
 Example:
 .br
-$ firejail --dbus-system=filter --dbus-system.broadcast=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+$ firejail --dbus-system=filter --dbus-system.broadcast=\\
+.br
+org.freedesktop.Notifications=\\
+.br
+org.freedesktop.Notifications.*@/org/freedesktop/Notifications
 
 .TP
 \fB\-\-dbus-system.call=name=[member][@path]
@@ -408,7 +422,11 @@ object paths, respectively.
 .br
 Example:
 .br
-$ firejail --dbus-system=filter --dbus-system.call=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+$ firejail --dbus-system=filter --dbus-system.call=\\
+.br
+org.freedesktop.Notifications=\\
+.br
+org.freedesktop.Notifications.*@/org/freedesktop/Notifications
 
 .TP
 \fB\-\-dbus-system.log
@@ -430,7 +448,9 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.*
+$ firejail --dbus-system=filter --dbus-system.own=\\
+.br
+org.gnome.ghex.*
 
 .TP
 \fB\-\-dbus-system.see=name
@@ -444,7 +464,9 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-system=filter --dbus-system.see=org.freedesktop.Notifications
+$ firejail --dbus-system=filter --dbus-system.see=\\
+.br
+org.freedesktop.Notifications
 
 .TP
 \fB\-\-dbus-system.talk=name
@@ -457,7 +479,9 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-system=filter --dbus-system.talk=org.freedesktop.Notifications
+$ firejail --dbus-system=filter --dbus-system.talk=\\
+.br
+org.freedesktop.Notifications
 
 .TP
 \fB\-\-dbus-user=filter|none
@@ -503,7 +527,11 @@ object paths, respectively.
 .br
 Example:
 .br
-$ firejail --dbus-user=filter --dbus-user.broadcast=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+$ firejail --dbus-user=filter --dbus-user.broadcast=\\
+.br
+org.freedesktop.Notifications=\\
+.br
+org.freedesktop.Notifications.*@/org/freedesktop/Notifications
 
 .TP
 \fB\-\-dbus-user.call=name=[member][@path]
@@ -521,7 +549,11 @@ object paths, respectively.
 .br
 Example:
 .br
-$ firejail --dbus-user=filter --dbus-user.call=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+$ firejail --dbus-user=filter --dbus-user.call=\\
+.br
+org.freedesktop.Notifications=\\
+.br
+org.freedesktop.Notifications.*@/org/freedesktop/Notifications
 
 .TP
 \fB\-\-dbus-user.log
@@ -556,7 +588,9 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications
+$ firejail --dbus-user=filter --dbus-user.talk=\\
+.br
+org.freedesktop.Notifications
 
 .TP
 \fB\-\-dbus-user.see=name
@@ -570,8 +604,10 @@ not "foobar").
 .br
 Example:
 .br
-$ firejail --dbus-user=filter --dbus-user.see=org.freedesktop.Notifications
-
+$ firejail --dbus-user=filter --dbus-user.see=\\
+.br
+org.freedesktop.Notifications
+#endif
 .TP
 \fB\-\-debug\fR
 Print debug messages.
@@ -645,7 +681,7 @@ Debug whitelisting.
 Example:
 .br
 $ firejail \-\-debug-whitelists firefox
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-defaultgw=address
 Use this address as default gateway in the new network namespace.
@@ -655,7 +691,7 @@ Use this address as default gateway in the new network namespace.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
-
+#endif
 .TP
 \fB\-\-disable-mnt
 Blacklist /mnt, /media, /run/mount and /run/media access.
@@ -738,10 +774,11 @@ $ firejail \-\-list
 .br
 $ firejail \-\-fs.print=3272
 
+#ifdef HAVE_FILE_TRANSFER
 .TP
 \fB\-\-get=name|pid filename
 Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details.
-
+#endif
 .TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
@@ -776,8 +813,12 @@ Ignore command in profile file.
 Example:
 .br
 $ firejail \-\-ignore=shell --ignore=seccomp firefox
+#ifdef HAVE_NETWORK
 .br
 $ firejail \-\-ignore="net eth0" firefox
+#endif
+
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-interface=interface
 Move interface in a new network namespace. Up to four --interface options can be specified.
@@ -899,6 +940,7 @@ for sandboxes started as root.
 Example:
 .br
 $ firejail \-\-ipc-namespace firefox
+#endif
 .TP
 \fB\-\-join=name|pid
 Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
@@ -930,7 +972,7 @@ $ firejail \-\-join=3272
 Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-join-network=name|pid
 Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
@@ -986,7 +1028,7 @@ Switching to pid 1932, the first child process inside the sandbox
     inet6 fe80::7458:14ff:fe42:78e4/64 scope link
 .br
        valid_lft forever preferred_lft forever
-
+#endif
 .TP
 \fB\-\-join-or-start=name
 Join the sandbox identified by name or start a new one.
@@ -1025,15 +1067,21 @@ Example:
 $ firejail \-\-list
 .br
 7015:netblue:browser:firejail firefox
+#ifdef HAVE_NETWORK
 .br
 7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk
+#endif
+#ifdef HAVE_USERNS
 .br
 7064:netblue::firejail \-\-noroot xterm
 .br
+#endif
+#ifdef HAVE_FILE_TRANSFER
 .TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
-
+#endif
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-mac=address
 Assign MAC addresses to the last network interface defined by a \-\-net option. This option
@@ -1044,7 +1092,7 @@ is not supported for wireless interfaces.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
-
+#endif
 .TP
 \fB\-\-machine-id
 Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
@@ -1070,7 +1118,7 @@ kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
 Note: shmat is not implemented
 as a system call on some platforms including i386, and it cannot be
 handled by seccomp-bpf.
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-mtu=number
 Assign a MTU value to the last network interface defined by a \-\-net option.
@@ -1080,7 +1128,7 @@ Assign a MTU value to the last network interface defined by a \-\-net option.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-mtu=1492
-
+#endif
 .TP
 \fB\-\-name=name
 Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
@@ -1105,7 +1153,7 @@ $ firejail --list
 .br
 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote
 .br
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-net=bridge_interface
 Enable a new network namespace and connect it to this bridge interface.
@@ -1146,7 +1194,7 @@ Example:
 $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
 .br
 $ firejail \-\-net=wlan0 firefox
-
+#endif
 .TP
 \fB\-\-net=none
 Enable a new, unconnected network namespace. The only interface
@@ -1164,7 +1212,7 @@ $ firejail \-\-net=none vlc
 .br
 Note: \-\-net=none can crash the application on some platforms.
 In these cases, it can be replaced with \-\-protocol=unix.
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-net=tap_interface
 Enable a new network namespace and connect it
@@ -1278,9 +1326,6 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\
 .br
 --net=eth0 firefox
 
-
-
-
 .TP
 \fB\-\-netfilter=filename,arg1,arg2,arg3 ...
 This is the template version of the previous command. $ARG1, $ARG2, $ARG3 ... in the firewall script
@@ -1294,8 +1339,6 @@ $ firejail --net=eth0 --ip=192.168.1.105 \\
 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
 .br
 
-
-
 .TP
 \fB\-\-netfilter.print=name|pid
 Print the firewall installed in the sandbox specified by name or PID. Example:
@@ -1359,7 +1402,7 @@ PID  User    RX(KB/s) TX(KB/s) Command
 1294 netblue 53.355   1.473    firejail \-\-net=eth0 firefox
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
-
+#endif
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
@@ -1418,6 +1461,7 @@ $ nc dict.org 2628
 .br
 .TP
 \fB\-\-nodbus \fR(deprecated)
+#ifdef HAVE_DBUSPROXY
 Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none.
 .br
 
@@ -1425,6 +1469,7 @@ Disable D-Bus access (both system and session buses). Equivalent to --dbus-syste
 Example:
 .br
 $ firejail \-\-nodbus \-\-net=none
+#endif
 .TP
 \fB\-\-nodvd
 Disable DVD and audio CD devices.
@@ -1513,7 +1558,7 @@ Parent pid 8553, child pid 8554
 Child process initialized
 .br
 [...]
-
+#if HAVE_USERNS
 .TP
 \fB\-\-noroot
 Install a user namespace with a single user - the current user.
@@ -1537,7 +1582,7 @@ $ ping google.com
 ping: icmp open socket: Operation not permitted
 .br
 $
-
+#endif
 .TP
 \fB\-\-nosound
 Disable sound system.
@@ -1608,6 +1653,7 @@ $ ls -l sandboxlog*
 \fB\-\-output-stderr=logfile
 Similar to \-\-output, but stderr is also stored.
 
+#ifdef HAVE_OVERLAYFS
 .TP
 \fB\-\-overlay
 Mount a filesystem overlay on top of the current filesystem.  Unlike the regular filesystem container,
@@ -1674,7 +1720,7 @@ This option is not available on Grsecurity systems.
 Example:
 .br
 $ firejail \-\-overlay-tmpfs firefox
-
+#endif
 .TP
 \fB\-\-private
 Mount new /root and /home/user directories in temporary
@@ -1811,7 +1857,7 @@ Example:
 $ firejail --private-etc=group,hostname,localtime, \\
 .br
 nsswitch.conf,passwd,resolv.conf,default/motd-news
-
+#ifdef HAVE_PRIVATE_HOME
 .TP
 \fB\-\-private-home=file,directory
 Build a new user home in a temporary
@@ -1827,7 +1873,7 @@ closed.
 Example:
 .br
 $ firejail \-\-private-home=.mozilla firefox
-
+#endif
 .TP
 \fB\-\-private-lib=file,directory
 This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
@@ -1957,7 +2003,7 @@ $ firejail \-\-profile.print=browser
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink and packet. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
 .br
 
 .br
@@ -1989,9 +2035,11 @@ $ firejail \-\-list
 $ firejail \-\-protocol.print=3272
 .br
 unix,inet,inet6,netlink
+#ifdef HAVE_FILE_TRANSFER
 .TP
 \fB\-\-put=name|pid src-filename dest-filename
 Put a file in sandbox container, see \fBFILE TRANSFER\fR section for more details.
+#endif
 .TP
 \fB\-\-quiet
 Turn off Firejail's output.
@@ -2059,7 +2107,7 @@ Remove environment variable in the new sandbox.
 Example:
 .br
 $ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-scan
 ARP-scan all the networks from inside a network namespace.
@@ -2070,6 +2118,7 @@ This makes it possible to detect macvlan kernel device drivers running on the cu
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-scan
+#endif
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
@@ -2549,11 +2598,14 @@ $ firejail \-\-tree
   11904:netblue:iceweasel
 .br
     11957:netblue:/usr/lib/iceweasel/plugin-container
+#ifdef HAVE_NETWORK
 .br
 11969:netblue:firejail \-\-net=eth0 transmission-gtk
+#endif
 .br
   11970:netblue:transmission-gtk
 
+#ifdef HAVE_FIRETUNNEL
 .TP
 \fB\-\-tunnel[=devname]
 Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
@@ -2574,6 +2626,7 @@ Example:
 .br
 $ firejail --tunnel firefox
 .br
+#endif
 .TP
 \fB\-\-version
 Print program version/compile time support and exit.
@@ -2600,6 +2653,7 @@ Compile time support:
     - user namespace support is enabled
     - X11 sandboxing support is enabled
 .br
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-veth-name=name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
@@ -2610,7 +2664,7 @@ instead of the default one.
 Example:
 .br
 $ firejail \-\-net=br0 --veth-name=if0
-
+#endif
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
@@ -2680,7 +2734,7 @@ Example:
 .br
 $ sudo firejail --writable-var-log
 
-
+#ifdef HAVE_X11
 .TP
 \fB\-\-x11
 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
@@ -2841,7 +2895,8 @@ Example:
 .br
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
-
+#endif
+#ifdef HAVE_APPARMOR
 .SH APPARMOR
 .TP
 AppArmor support is disabled by default at compile time. Use --enable-apparmor configuration option to enable it:
@@ -2884,6 +2939,7 @@ To enable AppArmor confinement on top of your current Firejail security features
 
 .br
 $ firejail --apparmor firefox
+#endif
 
 .SH AUDIT
 Audit feature allows the user to point out gaps in security profiles. The
@@ -2903,6 +2959,10 @@ In the examples above, the sandbox configures transmission-gtk profile and
 starts the test program. The real program, transmission-gtk, will not be
 started.
 
+You can also audit a specific profile without specifying a program.
+.br
+        $ firejail --audit --profile=/etc/firejail/zoom.profile
+
 Limitations: audit feature is not implemented for --x11 commands.
 
 .SH DESKTOP INTEGRATION
@@ -2976,6 +3036,7 @@ Start Firefox with a new, empty home directory.
 .TP
 \f\firejail --net=none vlc
 Start VLC in an unconnected network namespace.
+#ifdef HAVE_NETWORK
 .TP
 \f\firejail \-\-net=eth0 firefox
 Start Firefox in a new network namespace. An IP address is
@@ -2985,6 +3046,7 @@ assigned automatically.
 Start a /bin/bash session in a new network namespace and connect it
 to br0, br1, and br2 host bridge devices. IP addresses are assigned
 automatically for the interfaces connected to br1 and b2
+#endif
 .TP
 \f\firejail \-\-list
 List all sandboxed processes.
@@ -3030,6 +3092,7 @@ $ firejail --blacklist=~/dir[1234]
 $ firejail --read-only=~/dir[1-4]
 .br
 
+#ifdef HAVE_FILE_TRANSFER
 .SH FILE TRANSFER
 These features allow the user to inspect the filesystem container of an existing sandbox
 and transfer files between the container and the host filesystem.
@@ -3087,7 +3150,7 @@ $ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
 .br
 $ firejail \-\-cat=mybrowser ~/.bashrc
 .br
-
+#endif
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows:
@@ -3104,7 +3167,6 @@ sandboxes.
 
 Option \-\-netstats prints network statistics for active sandboxes installing new network namespaces.
 
-
 Listed below are the available fields (columns) in alphabetical
 order for \-\-top and \-\-netstats options:
 
@@ -3222,7 +3284,7 @@ Child process initialized
 .RE
 
 See \fBman 5 firejail-profile\fR for profile file syntax information.
-
+#ifdef HAVE_NETWORK
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
 Traffic shaping allows the user to increase network performance by controlling
@@ -3264,7 +3326,7 @@ Example:
         $ firejail \-\-bandwidth=mybrowser status
 .br
         $ firejail \-\-bandwidth=mybrowser clear eth0
-
+#endif
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 40a00ec3f..cea6c0265 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -12,9 +12,11 @@ can run this program.
 .TP
 \fB\-\-apparmor
 Print AppArmor confinement status for each sandbox.
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-arp
 Print ARP table for each sandbox.
+#endif
 .TP
 \fB\-\-caps
 Print capabilities configuration for each sandbox.
@@ -39,15 +41,16 @@ List all sandboxes.
 .TP
 \fB\-\-name=name
 Print information only about named sandbox.
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-netstats
 Monitor network statistics for sandboxes creating a new network namespace.
-.TP
-\fB\-\-nowrap
-Enable line wrapping in terminals. By default the lines are trimmed.
+#endif
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-route
 Print route table for each sandbox.
+#endif
 .TP
 \fB\-\-seccomp
 Print seccomp configuration for each sandbox.
@@ -61,7 +64,9 @@ Print a tree of all sandboxed processes.
 .TP
 \fB\-\-version
 Print program version and exit.
-
+.TP
+\fB\-\-wrap
+Enable line wrapping in terminals. By default the lines are trimmed.
 .TP
 \fB\-\-x11
 Print X11 display number.
diff --git a/src/man/preproc.awk b/src/man/preproc.awk
new file mode 100755
index 000000000..20081b551
--- /dev/null
+++ b/src/man/preproc.awk
@@ -0,0 +1,55 @@
+#!/usr/bin/gawk -E
+
+# Copyright (c) 2019,2020 rusty-snake
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+BEGIN {
+        macros[0] = 0
+        for (arg in ARGV) {
+                if (ARGV[arg] ~ /^-D[A-Z_]+$/) {
+                        macros[length(macros) + 1] = substr(ARGV[arg], 3)
+                }
+                ARGV[arg] = ""
+        }
+
+        include = 1
+}
+/^#ifdef [A-Z_]+$/ {
+        macro = substr($0, 8)
+        for (i in macros) {
+                if (macros[i] == macro) {
+                        include = 1
+                        next
+                }
+        }
+        include = 0
+}
+/^#if 0$/ {
+        include = 0
+        next
+}
+/^#endif$/ {
+        include = 1
+        next
+}
+{
+        if (include)
+                print
+}
diff --git a/src/profstats/main.c b/src/profstats/main.c
index a75ad8e29..4c1221464 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -28,6 +28,8 @@ static int cnt_profiles = 0;
 static int cnt_apparmor = 0;
 static int cnt_seccomp = 0;
 static int cnt_caps = 0;
+static int cnt_dbus_system_none = 0;
+static int cnt_dbus_user_none = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -41,6 +43,7 @@ static int cnt_whitelistrunuser = 0;	// include whitelist-runuser-common.inc
 static int cnt_whitelistusrshare = 0;   // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
 static int cnt_mdwx = 0;
+static int cnt_whitelisthome = 0;
 
 static int level = 0;
 static int arg_debug = 0;
@@ -57,6 +60,10 @@ static int arg_whitelistrunuser = 0;
 static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
 static int arg_mdwx = 0;
+static int arg_dbus_system_none = 0;
+static int arg_dbus_user_none = 0;
+static int arg_whitelisthome = 0;
+
 
 static char *profile = NULL;
 
@@ -67,6 +74,8 @@ static void usage(void) {
         printf("Options:\n");
         printf("   --apparmor - print profiles without apparmor\n");
         printf("   --caps - print profiles without caps\n");
+        printf("   --dbus-system-none - profiles without  \"dbus-system none\"\n");
+        printf("   --dbus-user-none - profiles without  \"dbus-user none\"\n");
         printf("   --ssh - print profiles without \"include disable-common.inc\"\n");
         printf("   --noexec - print profiles without \"include disable-exec.inc\"\n");
         printf("   --private-bin - print profiles without private-bin\n");
@@ -75,6 +84,7 @@ static void usage(void) {
         printf("   --private-tmp - print profiles without private-tmp\n");
         printf("   --seccomp - print profiles without seccomp\n");
         printf("   --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n");
+        printf("   --whitelist-home - print profiles whitelisting home directory\n");
         printf("   --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
         printf("   --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
         printf("   --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
@@ -120,6 +130,8 @@ void process_file(const char *fname) {
                 else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 ||
                         strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0)
                         cnt_whitelistrunuser++;
+                else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0)
+                        cnt_whitelisthome++;
                 else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0)
                         cnt_whitelistusrshare++;
                 else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
@@ -138,6 +150,10 @@ void process_file(const char *fname) {
                         cnt_privatetmp++;
                 else if (strncmp(ptr, "private-etc", 11) == 0)
                         cnt_privateetc++;
+                else if (strncmp(ptr, "dbus-system none", 16) == 0)
+                        cnt_dbus_system_none++;
+                else if (strncmp(ptr, "dbus-user none", 14) == 0)
+                        cnt_dbus_user_none++;
                 else if (strncmp(ptr, "include ", 8) == 0) {
                         // not processing .local files
                         if (strstr(ptr, ".local")) {
@@ -148,6 +164,11 @@ void process_file(const char *fname) {
                                         cnt_dotlocal++;
                                 continue;
                         }
+                        // clean blanks
+                        char *ptr = buf + 8;
+                        while (*ptr != '\0' && *ptr != ' ' && *ptr != '\t')
+                                ptr++;
+                        *ptr = '\0';
                         process_file(buf + 8);
                 }
         }
@@ -189,6 +210,8 @@ int main(int argc, char **argv) {
                         arg_privatetmp = 1;
                 else if (strcmp(argv[i], "--private-etc") == 0)
                         arg_privateetc = 1;
+                else if (strcmp(argv[i], "--whitelist-home") == 0)
+                        arg_whitelisthome = 1;
                 else if (strcmp(argv[i], "--whitelist-var") == 0)
                         arg_whitelistvar = 1;
                 else if (strcmp(argv[i], "--whitelist-runuser") == 0)
@@ -197,6 +220,10 @@ int main(int argc, char **argv) {
                         arg_whitelistusrshare = 1;
                 else if (strcmp(argv[i], "--ssh") == 0)
                         arg_ssh = 1;
+                else if (strcmp(argv[i], "--dbus-system-none") == 0)
+                        arg_dbus_system_none = 1;
+                else if (strcmp(argv[i], "--dbus-user-none") == 0)
+                        arg_dbus_user_none = 1;
                 else if (*argv[i] == '-') {
                         fprintf(stderr, "Error: invalid option %s\n", argv[i]);
                         return 1;
@@ -225,9 +252,12 @@ int main(int argc, char **argv) {
                 int privateetc = cnt_privateetc;
                 int dotlocal = cnt_dotlocal;
                 int globalsdotlocal = cnt_globalsdotlocal;
+                int whitelisthome = cnt_whitelisthome;
                 int whitelistvar = cnt_whitelistvar;
                 int whitelistrunuser = cnt_whitelistrunuser;
                 int whitelistusrshare = cnt_whitelistusrshare;
+                int dbussystemnone = cnt_dbus_system_none;
+                int dbususernone = cnt_dbus_user_none;
                 int ssh = cnt_ssh;
                 int mdwx = cnt_mdwx;
 
@@ -249,6 +279,10 @@ int main(int argc, char **argv) {
                 if (cnt_whitelistrunuser > (whitelistrunuser + 1))
                         cnt_whitelistrunuser = whitelistrunuser + 1;
 
+                if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
+                        printf("No dbus-system none found in %s\n", argv[i]);
+                if (arg_dbus_user_none && dbususernone == cnt_dbus_user_none)
+                        printf("No dbus-user none found in %s\n", argv[i]);
                 if (arg_apparmor && apparmor == cnt_apparmor)
                         printf("No apparmor found in %s\n", argv[i]);
                 if (arg_caps && caps == cnt_caps)
@@ -265,6 +299,8 @@ int main(int argc, char **argv) {
                         printf("No private-tmp found in %s\n", argv[i]);
                 if (arg_privateetc && privateetc == cnt_privateetc)
                         printf("No private-etc found in %s\n", argv[i]);
+                if (arg_whitelisthome && whitelisthome == cnt_whitelisthome)
+                        printf("Home directory not whitelisted in %s\n", argv[i]);
                 if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
                         printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
                 if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser)
@@ -294,11 +330,14 @@ int main(int argc, char **argv) {
         printf("    private-dev\t\t\t%d\n", cnt_privatedev);
         printf("    private-etc\t\t\t%d\n", cnt_privateetc);
         printf("    private-tmp\t\t\t%d\n", cnt_privatetmp);
+        printf("    whitelist home directory\t%d\n", cnt_whitelisthome);
         printf("    whitelist var\t\t%d   (include whitelist-var-common.inc)\n", cnt_whitelistvar);
         printf("    whitelist run/user\t\t%d   (include whitelist-runuser-common.inc\n", cnt_whitelistrunuser);
         printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");
         printf("    whitelist usr/share\t\t%d   (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
         printf("    net none\t\t\t%d\n", cnt_netnone);
+        printf("    dbus-user none \t\t%d\n", cnt_dbus_user_none);
+        printf("    dbus-system none \t\t%d\n", cnt_dbus_system_none);
         printf("\n");
         return 0;
 }
diff --git a/test/Makefile.in b/test/Makefile.in
new file mode 100644
index 000000000..ef1ca73bc
--- /dev/null
+++ b/test/Makefile.in
@@ -0,0 +1,10 @@
+TESTS=$(patsubst %/,%,$(wildcard */))
+
+.PHONY: $(TESTS)
+
+$(TESTS):
+        cd $@ && ./$@.sh 2>&1 | tee $@.log
+        cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log
+
+clean:
+        for test in $(TESTS); do rm -f "$$test/$$test.log"; done
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
index 03c7218ac..cee01d509 100755
--- a/test/appimage/appimage-args.exp
+++ b/test/appimage/appimage-args.exp
@@ -56,7 +56,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp --nowrap\r"
+send -- "firemon --seccomp --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 8\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -71,7 +71,7 @@ expect {
         "name=blablabla"
 }
 after 100
-send -- "firemon --caps --nowrap\r"
+send -- "firemon --caps --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
         "appimage Leafpad"
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp
index 7b6fa2120..80e228145 100755
--- a/test/appimage/appimage-v1.exp
+++ b/test/appimage/appimage-v1.exp
@@ -44,7 +44,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp --nowrap\r"
+send -- "firemon --seccomp --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -59,7 +59,7 @@ expect {
         "name=blablabla"
 }
 after 100
-send -- "firemon --caps --nowrap\r"
+send -- "firemon --caps --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         "appimage Leafpad"
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh
index 843fdc50b..568dee85d 100755
--- a/test/apps-x11-xorg/apps-x11-xorg.sh
+++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -25,6 +25,15 @@ else
         echo "TESTING SKIP: transmission-gtk not found"
 fi
 
+which transmission-qt 2>/dev/null
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: transmission-qt x11 xorg"
+        ./transmission-qt.exp
+else
+        echo "TESTING SKIP: transmission-qt not found"
+fi
+
 which thunderbird 2>/dev/null
 if [ "$?" -eq 0 ];
 then
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp
index 0a43db568..8322e2d0e 100755
--- a/test/apps-x11-xorg/firefox.exp
+++ b/test/apps-x11-xorg/firefox.exp
@@ -41,7 +41,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp --nowrap\r"
+send -- "firemon --seccomp --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -61,7 +61,7 @@ expect {
         "name=blablabla"
 }
 sleep 1
-send -- "firemon --caps --nowrap\r"
+send -- "firemon --caps --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         " firefox" {puts "firefox detected\n";}
diff --git a/test/apps-x11-xorg/thunderbird.exp b/test/apps-x11-xorg/thunderbird.exp
index 8cf0ac244..24549e6c8 100755
--- a/test/apps-x11-xorg/thunderbird.exp
+++ b/test/apps-x11-xorg/thunderbird.exp
@@ -38,7 +38,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp --nowrap\r"
+send -- "firemon --seccomp --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -57,7 +57,7 @@ expect {
         "name=blablabla"
 }
 sleep 2
-send -- "firemon --caps --nowrap\r"
+send -- "firemon --caps --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         ":firejail"
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp
index fdbf388e9..b688bc619 100755
--- a/test/apps-x11-xorg/transmission-gtk.exp
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -38,7 +38,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firemon --seccomp --nowrap\r"
+send -- "firemon --seccomp --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
         "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
@@ -57,7 +57,7 @@ expect {
         "name=blablabla"
 }
 sleep 1
-send -- "firemon --caps --nowrap\r"
+send -- "firemon --caps --wrap\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
         ":firejail"
diff --git a/test/apps-x11-xorg/transmission-qt.exp b/test/apps-x11-xorg/transmission-qt.exp
new file mode 100755
index 000000000..5864bb845
--- /dev/null
+++ b/test/apps-x11-xorg/transmission-qt.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-qt\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "transmission-qt"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp --wrap\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "transmission-qt"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps --wrap\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "transmission-qt"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 2f9e0ece6..91fcfb85d 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -4,7 +4,7 @@
 # License GPL v2
 
 arr[1]="TEST 1: standard compilation"
-arr[2]="TEST 2: compile seccomp disabled"
+arr[2]="TEST 2: compile dbus proxy disabled"
 arr[3]="TEST 3: compile chroot disabled"
 arr[4]="TEST 4: compile firetunnel disabled"
 arr[5]="TEST 5: compile user namespace disabled"
@@ -17,13 +17,16 @@ arr[11]="TEST 11: compile disable global config"
 arr[12]="TEST 12: compile apparmor"
 arr[13]="TEST 13: compile busybox"
 arr[14]="TEST 14: compile overlayfs disabled"
-arr[14]="TEST 15: compile private-home disabled"
+arr[15]="TEST 15: compile private-home disabled"
+arr[15]="TEST 16: compile disable manpages"
 
 # remove previous reports and output file
 cleanup() {
         rm -f report*
         rm -fr firejail
         rm -f oc* om*
+        rm -f output-configure
+        rm -f output-make
 }
 
 print_title() {
@@ -77,13 +80,12 @@ rm output-configure output-make
 #*****************************************************************
 # TEST 2
 #*****************************************************************
-# - disable seccomp configuration
+# - disable dbus proxy configuration
 #*****************************************************************
 print_title "${arr[2]}"
-# seccomp
 cd firejail
 make distclean
-./configure --prefix=/usr --disable-seccomp  --enable-fatal-warnings 2>&1 | tee ../output-configure
+./configure --prefix=/usr --disable-dbusproxy  --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test2
@@ -98,7 +100,6 @@ rm output-configure output-make
 # - disable chroot configuration
 #*****************************************************************
 print_title "${arr[3]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-chroot  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -116,7 +117,6 @@ rm output-configure output-make
 # - disable firetunnel configuration
 #*****************************************************************
 print_title "${arr[4]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-firetunnel  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -134,7 +134,6 @@ rm output-configure output-make
 # - disable user namespace configuration
 #*****************************************************************
 print_title "${arr[5]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-userns  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -153,7 +152,6 @@ rm output-configure output-make
 # - check compilation
 #*****************************************************************
 print_title "${arr[6]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-network  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -171,7 +169,6 @@ rm output-configure output-make
 # - disable X11 support
 #*****************************************************************
 print_title "${arr[7]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-x11  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -189,7 +186,6 @@ rm output-configure output-make
 # - enable selinux
 #*****************************************************************
 print_title "${arr[8]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --enable-selinux --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -207,7 +203,6 @@ rm output-configure output-make
 # - disable file transfer
 #*****************************************************************
 print_title "${arr[9]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-file-transfer  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -225,7 +220,6 @@ rm output-configure output-make
 # - disable whitelist
 #*****************************************************************
 print_title "${arr[10]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-whitelist  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -243,7 +237,6 @@ rm output-configure output-make
 # - disable global config
 #*****************************************************************
 print_title "${arr[11]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-globalcfg  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -261,7 +254,6 @@ rm output-configure output-make
 # - enable apparmor
 #*****************************************************************
 print_title "${arr[12]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --enable-apparmor  --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -279,7 +271,6 @@ rm output-configure output-make
 # - enable busybox workaround
 #*****************************************************************
 print_title "${arr[13]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -297,7 +288,6 @@ rm output-configure output-make
 # - disable overlayfs
 #*****************************************************************
 print_title "${arr[14]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -315,7 +305,6 @@ rm output-configure output-make
 # - disable private home
 #*****************************************************************
 print_title "${arr[15]}"
-# seccomp
 cd firejail
 make distclean
 ./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
@@ -328,6 +317,23 @@ cp output-make om15
 rm output-configure output-make
 
 #*****************************************************************
+# TEST 16
+#*****************************************************************
+# - disable manpages
+#*****************************************************************
+print_title "${arr[16]}"
+cd firejail
+make distclean
+./configure --prefix=/usr --disable-man --enable-fatal-warnings 2>&1 | tee ../output-configure
+make -j4 2>&1 | tee ../output-make
+cd ..
+grep Warning output-configure output-make > ./report-test16
+grep Error output-configure output-make >> ./report-test16
+cp output-configure oc16
+cp output-make om16
+rm output-configure output-make
+
+#*****************************************************************
 # PRINT REPORTS
 #*****************************************************************
 echo
@@ -356,3 +362,4 @@ echo ${arr[12]}
 echo ${arr[13]}
 echo ${arr[14]}
 echo ${arr[15]}
+echo ${arr[16]}
diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp
index 9b61397ca..22392f882 100755
--- a/test/filters/seccomp-chmod-profile.exp
+++ b/test/filters/seccomp-chmod-profile.exp
@@ -41,7 +41,7 @@ expect {
 send -- "chmod +x testfile; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Bad system call"
+        "Operation not permitted"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp
index 01b9cbaac..c72a68c82 100755
--- a/test/filters/seccomp-chmod.exp
+++ b/test/filters/seccomp-chmod.exp
@@ -41,7 +41,7 @@ expect {
 send -- "chmod +x testfile; echo done\r"
 expect {
         timeout {puts "TESTING ERROR 5\n";exit}
-        "Bad system call"
+        "Operation not permitted"
 }
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
diff --git a/test/filters/seccomp-run-files.exp b/test/filters/seccomp-run-files.exp
index fd3033a69..5f468cf24 100755
--- a/test/filters/seccomp-run-files.exp
+++ b/test/filters/seccomp-run-files.exp
@@ -24,7 +24,7 @@ after 100
 send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "5"
+        "6"
 }
 send -- "exit\r"
 sleep 1
@@ -90,7 +90,7 @@ after 100
 send -- "ls -l /run/firejail/mnt/seccomp | grep -c seccomp\r"
 expect {
         timeout {puts "TESTING ERROR 18\n";exit}
-        "6"
+        "8"
 }
 send -- "exit\r"
 sleep 1
diff --git a/test/fs/fscheck-tmpfs.exp b/test/fs/fscheck-tmpfs.exp
index ebd3eeb9c..818549fe2 100755
--- a/test/fs/fscheck-tmpfs.exp
+++ b/test/fs/fscheck-tmpfs.exp
@@ -7,12 +7,49 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-# ..
-send -- "firejail --tmpfs=fscheck-dir\r"
+send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r"
+after 100
+send -- "mkdir /tmp/fjtest-dir\r"
+after 100
+
+if { ! [file exists ~/fjtest-dir/fjtest-dir] } {
+        puts "TESTING ERROR 1\n"
+        exit
+}
+if { ! [file exists /tmp/fjtest-dir] } {
+        puts "TESTING ERROR 2\n"
+        exit
+}
+
+send -- "firejail --noprofile --tmpfs=~/fjtest-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+after 500
+
+send -- "ls ~/fjtest-dir/fjtest-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "No such file or directory"
+}
+after 500
+
+send -- "exit\r"
+after 500
+
+send -- "firejail --noprofile --tmpfs=/tmp/fjtest-dir\r"
 expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
         "Error"
 }
+after 500
+
+# cleanup
+send -- "rm -fr ~/fjtest-dir\r"
 after 100
+send -- "rm -fr /tmp/fjtest-dir\r"
+after 100
+
 
 puts "\nall done\n"
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp
index 59005e1a2..61029ec18 100755
--- a/test/fs/mkdir.exp
+++ b/test/fs/mkdir.exp
@@ -7,11 +7,12 @@ set timeout 3
 spawn $env(SHELL)
 match_max 100000
 
+send -- "rm -fr ~/.firejail_test\r"
+after 100
+
 send -- "firejail --profile=mkdir.profile find ~/.firejail_test\r"
 expect {
         timeout {puts "TESTING ERROR 1.1\n";exit}
-        "Warning: cannot create" { puts "TESTING ERROR 1.2\n";exit}
-        "No such file or directory" { puts "TESTING ERROR 1.3\n";exit}
         ".firejail_test/a/b/c/d.txt"
 }
 send -- "rm -rf ~/.firejail_test\r"
@@ -20,30 +21,29 @@ after 100
 send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r"
 expect {
         timeout {puts "TESTING ERROR 2.1\n";exit}
-        "Warning: cannot create" { puts "TESTING ERROR 2.2\n";exit}
-        "No such file or directory" { puts "TESTING ERROR 2.3\n";exit}
         "/tmp/.firejail_test/a/b/c/d.txt"
 }
 send -- "rm -rf /tmp/.firejail_test\r"
 after 100
 
 set UID [exec id -u]
-send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r"
-expect {
-        timeout {puts "TESTING ERROR 3.1\n";exit}
-        "Warning: cannot create" { puts "TESTING ERROR 3.2\n";exit}
-        "No such file or directory" { puts "TESTING ERROR 3.3\n";exit}
-        "/run/user/$UID/.firejail_test/a/b/c/d.txt"
-}
-send -- "rm -rf /run/user/$UID/.firejail_test\r"
-after 100
+set fexist [file exist /run/user/$UID]
+if { $fexist } {
+        send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r"
+        expect {
+                timeout {puts "TESTING ERROR 3.1\n";exit}
+                "/run/user/$UID/.firejail_test/a/b/c/d.txt"
+        }
+        send -- "rm -rf /run/user/$UID/.firejail_test\r"
+        after 100
 
 
-send -- "firejail --profile=mkdir2.profile\r"
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "only files or directories in user home, /tmp, or /run/user/<UID>"
+        send -- "firejail --profile=mkdir2.profile\r"
+        expect {
+                timeout {puts "TESTING ERROR 4\n";exit}
+                "only files or directories in user home, /tmp, or /run/user/<UID>"
+        }
+        after 100
 }
-after 100
 
 puts "\nall done\n"
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index 69f0dc086..2d7d2a966 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -34,11 +34,16 @@ echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
 echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
 ./profile_noperm.exp
 
+# GitHub CI doesn't have a /run/user/$UID directory. Using it to test a small number of profiles.
+UID=`id -u`
+if [ -d "/run/user/$UID" ]; then
+        PROFILES=`ls /etc/firejail/*.profile`
+        echo "TESTING: default profiles installed in /etc"
+else
+        PROFILES=`ls /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile`
+        echo "TESTING: small number of default profiles installed in /etc"
+fi
 
-
-
-echo "TESTING: default profiles installed in /etc"
-PROFILES=`ls /etc/firejail/*.profile`
 for PROFILE in $PROFILES
 do
         echo "TESTING: $PROFILE"
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp
index 2bfb60302..daa666c18 100755
--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -10,6 +10,7 @@ match_max 100000
 send -- "firejail less sysutils.sh\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
+        "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
         "MALLOC_CHECK"
 }
 expect {
diff --git a/test/sysutils/xz.exp b/test/sysutils/xz.exp
index 63b1ad3c7..074b90076 100755
--- a/test/sysutils/xz.exp
+++ b/test/sysutils/xz.exp
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2020 Firejail Authors
 # License GPL v2
 
-set timeout 10
+set timeout 60
 spawn $env(SHELL)
 match_max 100000
 
@@ -13,6 +13,9 @@ sleep 1
 send -- "firejail /usr/bin/xz -c /usr/bin/firejail > firejail_t2\r"
 sleep 1
 
+send -- "md5sum firejail_t1 firejail_t2; ls -l firejail_t1 firejail_t2\r"
+sleep 1
+
 send -- "diff -s firejail_t1 firejail_t2\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
diff --git a/test/utils/join5.exp b/test/utils/join5.exp
new file mode 100755
index 000000000..43ca09b4d
--- /dev/null
+++ b/test/utils/join5.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2020 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --name=test123 --profile=join5.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Child process initialized"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --join=test123\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/bin/bash"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/bin/bash"
+}
+
+send -- "exit\r"
+after 100
+
+send --  "firejail --protocol.print=test123\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Switching to pid"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "unix"
+}
+
+puts "\nall done\n"
diff --git a/test/utils/join5.profile b/test/utils/join5.profile
new file mode 100644
index 000000000..e9eb37a4f
--- /dev/null
+++ b/test/utils/join5.profile
@@ -0,0 +1,4 @@
+dbus-user filter
+dbus-system none
+seccomp
+protocol unix
diff --git a/test/utils/man.exp b/test/utils/man.exp
index 3cde9f2c8..102701a6a 100755
--- a/test/utils/man.exp
+++ b/test/utils/man.exp
@@ -10,6 +10,7 @@ match_max 100000
 send -- "man firejail\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
+        "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
         "Linux namespaces sandbox program"
 }
 after 100
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index 48a8051fa..7e8426f35 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -99,9 +99,12 @@ echo "TESTING: join2 (test/utils/join2.exp)"
 echo "TESTING: join3 (test/utils/join3.exp)"
 ./join3.exp
 
-echo "TESTING: join3 (test/utils/join4.exp)"
+echo "TESTING: join4 (test/utils/join4.exp)"
 ./join4.exp
 
+echo "TESTING: join5 (test/utils/join5.exp)"
+./join5.exp
+
 echo "TESTING: join profile (test/utils/join-profile.exp)"
 ./join-profile.exp