634 files changed, 983 insertions, 30 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d617fa561..47b4bfca3 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -88,7 +88,7 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@a669cc5936cc5e1b6a362ec1ff9e410dc570d190
+      uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -99,7 +99,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@a669cc5936cc5e1b6a362ec1ff9e410dc570d190
+      uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -113,4 +113,4 @@ jobs:
    #   make release
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@a669cc5936cc5e1b6a362ec1ff9e410dc570d190
+      uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
diff --git a/Makefile b/Makefile
index c5d823cac..cf84b2af1 100644
--- a/Makefile
+++ b/Makefile
@@ -242,9 +242,6 @@ dist: config.mk
 asc: config.mk
        ./mkasc.sh $(VERSION)
-deb: dist config.sh
-        ./mkdeb.sh
 deb-apparmor: dist config.sh
        ./mkdeb.sh -apparmor --enable-apparmor
diff --git a/RELNOTES b/RELNOTES
index f8ef7393b..5a532a65d 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,4 +1,4 @@
-firejail (0.9.71) baseline; urgency=low
+firejail (0.9.72rc1) baseline; urgency=low
  * work in progress
  * feature: On failing to remount a fuse filesystem, give warning instead of
    erroring out (#5240 #5242)
@@ -33,6 +33,8 @@ firejail (0.9.71) baseline; urgency=low
  * build: Fix musl warnings (#5421 #5431)
  * build: sort.py improvements (#5429)
  * build: deduplicate makefiles (#5478)
+  * build: fix formatting and misc in configure (#5488)
+  * build: actually set LDFLAGS/LIBS & stop overriding CFLAGS/LDFLAGS (#5504)
  * ci: bump ubuntu to 22.04 and use newer compilers / analyzers (#5275)
  * ci: ignore git-related paths and the project license (#5249)
  * ci: Harden GitHub Actions (StepSecurity) (#5439)
diff --git a/configure b/configure
index 1b827922d..71deb5512 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.71.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.72rc1.
 #
 # Report bugs to <netblue30@protonmail.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.71'
+PACKAGE_VERSION='0.9.72rc1'
-PACKAGE_STRING='firejail 0.9.71'
+PACKAGE_STRING='firejail 0.9.72rc1'
 PACKAGE_BUGREPORT='netblue30@protonmail.com'
 PACKAGE_URL='https://firejail.wordpress.com'
@@ -1298,7 +1298,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.71 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.72rc1 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1360,7 +1360,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.71:";;
+     short | recursive ) echo "Configuration of firejail 0.9.72rc1:";;
   esac
  cat <<\_ACEOF
@@ -1484,7 +1484,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.71
+firejail configure 0.9.72rc1
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1740,7 +1740,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.71, which was
+It was created by firejail $as_me 0.9.72rc1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@@ -4640,7 +4640,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.71, which was
+This file was extended by firejail $as_me 0.9.72rc1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@@ -4694,7 +4694,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.71
+firejail config.status 0.9.72rc1
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 556019232..bee9143c2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -12,7 +12,7 @@
 #
 AC_PREREQ([2.68])
-AC_INIT([firejail], [0.9.71], [netblue30@protonmail.com], [],
+AC_INIT([firejail], [0.9.72rc1], [netblue30@protonmail.com], [],
    [https://firejail.wordpress.com])
 AC_CONFIG_SRCDIR([src/firejail/main.c])
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 04f58abb9..48a2afdf2 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/2048-qt.profile b/etc/profile-a-l/2048-qt.profile
index 7913fdea9..1cd207996 100644
--- a/etc/profile-a-l/2048-qt.profile
+++ b/etc/profile-a-l/2048-qt.profile
@@ -40,3 +40,5 @@ seccomp
 disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/Cryptocat.profile b/etc/profile-a-l/Cryptocat.profile
index af026fc86..4a850f1bd 100644
--- a/etc/profile-a-l/Cryptocat.profile
+++ b/etc/profile-a-l/Cryptocat.profile
@@ -28,3 +28,5 @@ seccomp
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/Fritzing.profile b/etc/profile-a-l/Fritzing.profile
index 09149350d..462bfa517 100644
--- a/etc/profile-a-l/Fritzing.profile
+++ b/etc/profile-a-l/Fritzing.profile
@@ -36,3 +36,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/JDownloader.profile b/etc/profile-a-l/JDownloader.profile
index 8d56c0d95..b229c151d 100644
--- a/etc/profile-a-l/JDownloader.profile
+++ b/etc/profile-a-l/JDownloader.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index ce3d0630f..eb7a5254f 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -46,3 +46,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index ee9420d62..96c56d85d 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 2f58d9146..184036f24 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -55,3 +55,4 @@ tracelog
 private-dev
 # private-tmp - breaks programs that depend on akonadi
+# restrict-namespaces
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index 8e6935fb8..d88a1fcad 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -49,3 +49,4 @@ private-dev
 private-tmp
 deterministic-shutdown
+# restrict-namespaces
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 5dc306147..9612ffdd2 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -62,3 +62,4 @@ read-write ${HOME}/.config/menus
 read-write ${HOME}/.gnome/apps
 read-write ${HOME}/.local/share/applications
 read-write ${HOME}/.local/share/flatpak/exports
+restrict-namespaces
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index ee6be4bc9..0f7407f05 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/alpine.profile b/etc/profile-a-l/alpine.profile
index e00aef423..4e994c025 100644
--- a/etc/profile-a-l/alpine.profile
+++ b/etc/profile-a-l/alpine.profile
@@ -100,3 +100,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}/.signature
+restrict-namespaces
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index 7211f0cf7..3171d738e 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -44,3 +44,5 @@ dbus-user.talk org.freedesktop.Notifications
 #dbus-user.own org.kde.klauncher
 #dbus-user.talk org.kde.knotify
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index bce22fbfd..ccf7231bd 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -40,3 +40,4 @@ private-bin amule
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/android-studio.profile b/etc/profile-a-l/android-studio.profile
index add75c849..3dfa0f95a 100644
--- a/etc/profile-a-l/android-studio.profile
+++ b/etc/profile-a-l/android-studio.profile
@@ -40,3 +40,4 @@ private-cache
 # noexec /tmp breaks 'Android Profiler'
 #noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index 45d000012..466f60bda 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user none
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/anydesk.profile b/etc/profile-a-l/anydesk.profile
index fd92f63db..4c2dcf0e6 100644
--- a/etc/profile-a-l/anydesk.profile
+++ b/etc/profile-a-l/anydesk.profile
@@ -33,3 +33,5 @@ disable-mnt
 private-bin anydesk
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/aosp.profile b/etc/profile-a-l/aosp.profile
index 0d3131f8c..80ee71831 100644
--- a/etc/profile-a-l/aosp.profile
+++ b/etc/profile-a-l/aosp.profile
@@ -40,3 +40,5 @@ protocol unix,inet,inet6
 #seccomp
 private-tmp
+#restrict-namespaces
diff --git a/etc/profile-a-l/apktool.profile b/etc/profile-a-l/apktool.profile
index e03ff3084..9f1940a4d 100644
--- a/etc/profile-a-l/apktool.profile
+++ b/etc/profile-a-l/apktool.profile
@@ -35,3 +35,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
index ca4dec918..dab91fe7d 100644
--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -69,3 +69,5 @@ dbus-user filter
 dbus-user.own org.gnome.gitlab.somas.Apostrophe
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/arch-audit.profile b/etc/profile-a-l/arch-audit.profile
index 7db947be8..766c2c96d 100644
--- a/etc/profile-a-l/arch-audit.profile
+++ b/etc/profile-a-l/arch-audit.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/archaudit-report.profile b/etc/profile-a-l/archaudit-report.profile
index 6ad75d68c..3e3f77576 100644
--- a/etc/profile-a-l/archaudit-report.profile
+++ b/etc/profile-a-l/archaudit-report.profile
@@ -36,3 +36,4 @@ private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman,
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index b82563099..b0f83aa32 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ardour5.profile b/etc/profile-a-l/ardour5.profile
index c93cecf9f..341fe1ed8 100644
--- a/etc/profile-a-l/ardour5.profile
+++ b/etc/profile-a-l/ardour5.profile
@@ -40,3 +40,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/arduino.profile b/etc/profile-a-l/arduino.profile
index bb0bc3513..85ea76939 100644
--- a/etc/profile-a-l/arduino.profile
+++ b/etc/profile-a-l/arduino.profile
@@ -33,3 +33,4 @@ seccomp
 private-cache
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index f108a6291..17eb2451c 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -53,3 +53,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index 53697a367..272e06219 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -44,3 +44,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 556a354e7..db388eee1 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -45,3 +45,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index b83b6bb10..b1347b0d9 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -65,3 +65,4 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/assogiate.profile b/etc/profile-a-l/assogiate.profile
index 26eddf1b6..f28f77748 100644
--- a/etc/profile-a-l/assogiate.profile
+++ b/etc/profile-a-l/assogiate.profile
@@ -51,3 +51,4 @@ dbus-system none
 memory-deny-write-execute
 read-write ${HOME}/.local/share/mime
+restrict-namespaces
diff --git a/etc/profile-a-l/asunder.profile b/etc/profile-a-l/asunder.profile
index 445aa3985..c09ad7936 100644
--- a/etc/profile-a-l/asunder.profile
+++ b/etc/profile-a-l/asunder.profile
@@ -45,3 +45,4 @@ dbus-system none
 # mdwe is disabled due to breaking hardware accelerated decoding
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index 8ec6f433e..f24aff108 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -49,3 +49,4 @@ private-tmp
 # webkit gtk killed by memory-deny-write-execute
 #memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index fe23049f4..b31f3f1b2 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -42,3 +42,5 @@ private-tmp
 # dbus needed for MPRIS
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile
index 2831fec72..078e3bf26 100644
--- a/etc/profile-a-l/audacity.profile
+++ b/etc/profile-a-l/audacity.profile
@@ -44,3 +44,5 @@ private-tmp
 # problems on Fedora 27
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile
index 6c8a90c0b..74dba7411 100644
--- a/etc/profile-a-l/audio-recorder.profile
+++ b/etc/profile-a-l/audio-recorder.profile
@@ -51,3 +51,4 @@ dbus-user.talk ca.desrt.dconf
 dbus-system none
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 8e898b5ee..73a2e1806 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -52,3 +52,5 @@ private-tmp
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 5f26a39f5..02c1d8768 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -46,3 +46,4 @@ private-tmp
 # dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/autokey-common.profile b/etc/profile-a-l/autokey-common.profile
index ee63f0ead..834eac11a 100644
--- a/etc/profile-a-l/autokey-common.profile
+++ b/etc/profile-a-l/autokey-common.profile
@@ -39,3 +39,4 @@ private-dev
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/avidemux.profile b/etc/profile-a-l/avidemux.profile
index 4cb556f6e..8707dca5b 100644
--- a/etc/profile-a-l/avidemux.profile
+++ b/etc/profile-a-l/avidemux.profile
@@ -55,3 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/aweather.profile b/etc/profile-a-l/aweather.profile
index 0a80a2203..e2646095c 100644
--- a/etc/profile-a-l/aweather.profile
+++ b/etc/profile-a-l/aweather.profile
@@ -37,3 +37,5 @@ tracelog
 private-bin aweather
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/awesome.profile b/etc/profile-a-l/awesome.profile
index 5d1bf5071..ee9280fe8 100644
--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -17,3 +17,4 @@ protocol unix,inet,inet6
 seccomp
 read-only ${HOME}/.config/awesome/autorun.sh
+restrict-namespaces
diff --git a/etc/profile-a-l/ballbuster.profile b/etc/profile-a-l/ballbuster.profile
index 05637d247..b60b5715c 100644
--- a/etc/profile-a-l/ballbuster.profile
+++ b/etc/profile-a-l/ballbuster.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 24bb53981..084b7c702 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -52,3 +52,5 @@ private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kb
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index c78caad77..661356ff6 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -79,3 +79,4 @@ dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
diff --git a/etc/profile-a-l/baobab.profile b/etc/profile-a-l/baobab.profile
index 40f50e991..31ef66a58 100644
--- a/etc/profile-a-l/baobab.profile
+++ b/etc/profile-a-l/baobab.profile
@@ -41,3 +41,4 @@ private-tmp
 # dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/barrier.profile b/etc/profile-a-l/barrier.profile
index dbd3d38f1..a78d202a2 100644
--- a/etc/profile-a-l/barrier.profile
+++ b/etc/profile-a-l/barrier.profile
@@ -42,3 +42,4 @@ private-cache
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index 8dc3847a0..a962bfe02 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -22,5 +22,8 @@ ignore seccomp
 #private-etc basilisk
 #private-opt basilisk
+restrict-namespaces
+ignore restrict-namespaces
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index b43c670b6..d566b94e8 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index bc1cb18ac..85a1a58c7 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -56,3 +56,5 @@ private-tmp
 dbus-user none
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index e6675e0d3..b6b52601e 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -60,3 +60,4 @@ dbus-user.talk org.freedesktop.Tracker1
 dbus-system none
 env WEBKIT_FORCE_SANDBOX=0
+restrict-namespaces
diff --git a/etc/profile-a-l/bitcoin-qt.profile b/etc/profile-a-l/bitcoin-qt.profile
index 390d002ed..9fc01a2fd 100644
--- a/etc/profile-a-l/bitcoin-qt.profile
+++ b/etc/profile-a-l/bitcoin-qt.profile
@@ -47,3 +47,4 @@ private-dev
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/bitlbee.profile b/etc/profile-a-l/bitlbee.profile
index 773fa7500..988a1479e 100644
--- a/etc/profile-a-l/bitlbee.profile
+++ b/etc/profile-a-l/bitlbee.profile
@@ -38,3 +38,4 @@ private-dev
 private-tmp
 read-write /var/lib/bitlbee
+restrict-namespaces
diff --git a/etc/profile-a-l/blackbox.profile b/etc/profile-a-l/blackbox.profile
index 233f9a96f..753254ffc 100644
--- a/etc/profile-a-l/blackbox.profile
+++ b/etc/profile-a-l/blackbox.profile
@@ -16,3 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp
+restrict-namespaces
diff --git a/etc/profile-a-l/bleachbit.profile b/etc/profile-a-l/bleachbit.profile
index a352ab8d8..45ae345c3 100644
--- a/etc/profile-a-l/bleachbit.profile
+++ b/etc/profile-a-l/bleachbit.profile
@@ -40,3 +40,4 @@ dbus-system none
 # memory-deny-write-execute breaks some systems, see issue #1850
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/blender.profile b/etc/profile-a-l/blender.profile
index 8ee852ab5..cd8fac61f 100644
--- a/etc/profile-a-l/blender.profile
+++ b/etc/profile-a-l/blender.profile
@@ -37,3 +37,5 @@ protocol unix,inet,inet6,netlink
 seccomp !mbind
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 0e38889c0..9badb4357 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -39,3 +39,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
index 3bd8c79d0..6e7a87e5f 100644
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -48,3 +48,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 9dfbd8f8e..e6926ee29 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/bluefish.profile b/etc/profile-a-l/bluefish.profile
index ac949d561..d24f76262 100644
--- a/etc/profile-a-l/bluefish.profile
+++ b/etc/profile-a-l/bluefish.profile
@@ -37,3 +37,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/brackets.profile b/etc/profile-a-l/brackets.profile
index 0ab28fffe..a483c2b0a 100644
--- a/etc/profile-a-l/brackets.profile
+++ b/etc/profile-a-l/brackets.profile
@@ -31,3 +31,5 @@ seccomp !chroot,!ioperm
 private-cache
 private-dev
+# restrict-namespaces
diff --git a/etc/profile-a-l/brasero.profile b/etc/profile-a-l/brasero.profile
index f80ad9f20..12d7062ab 100644
--- a/etc/profile-a-l/brasero.profile
+++ b/etc/profile-a-l/brasero.profile
@@ -33,3 +33,5 @@ tracelog
 private-cache
 # private-dev
 # private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
index bd6719b62..cf5f462ae 100644
--- a/etc/profile-a-l/build-systems-common.profile
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -63,3 +63,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/bzflag.profile b/etc/profile-a-l/bzflag.profile
index 5bfe3751b..b28f982fc 100644
--- a/etc/profile-a-l/bzflag.profile
+++ b/etc/profile-a-l/bzflag.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/calibre.profile b/etc/profile-a-l/calibre.profile
index acfc1ba0a..b347941d7 100644
--- a/etc/profile-a-l/calibre.profile
+++ b/etc/profile-a-l/calibre.profile
@@ -35,3 +35,5 @@ seccomp !chroot
 private-dev
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-a-l/calligra.profile b/etc/profile-a-l/calligra.profile
index 6fccf2122..c2972f902 100644
--- a/etc/profile-a-l/calligra.profile
+++ b/etc/profile-a-l/calligra.profile
@@ -37,3 +37,4 @@ private-dev
 # noexec ${HOME}
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index fb3a6df7e..b2248ad06 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -52,3 +52,4 @@ private-tmp
 # dbus-system none
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-a-l/cantata.profile b/etc/profile-a-l/cantata.profile
index f2d9c282d..7cb56efee 100644
--- a/etc/profile-a-l/cantata.profile
+++ b/etc/profile-a-l/cantata.profile
@@ -37,3 +37,5 @@ seccomp
 # private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
 private-bin cantata,mpd,perl
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/catfish.profile b/etc/profile-a-l/catfish.profile
index d076c3ca0..e2df341e9 100644
--- a/etc/profile-a-l/catfish.profile
+++ b/etc/profile-a-l/catfish.profile
@@ -46,3 +46,5 @@ tracelog
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index e9affe09e..e4e32b265 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -43,3 +43,5 @@ private-tmp
 # dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 48522c002..0c4335e8f 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -64,3 +64,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.config/celluloid
+restrict-namespaces
diff --git a/etc/profile-a-l/chafa.profile b/etc/profile-a-l/chafa.profile
index b042ac189..72f79681d 100644
--- a/etc/profile-a-l/chafa.profile
+++ b/etc/profile-a-l/chafa.profile
@@ -53,3 +53,4 @@ dbus-user none
 dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/checkbashisms.profile b/etc/profile-a-l/checkbashisms.profile
index 835b884ad..3baa80d50 100644
--- a/etc/profile-a-l/checkbashisms.profile
+++ b/etc/profile-a-l/checkbashisms.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index 1e498259c..8aed77c04 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -58,3 +58,5 @@ dbus-user filter
 dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/cherrytree.profile b/etc/profile-a-l/cherrytree.profile
index fe0c7cfe8..528d6203e 100644
--- a/etc/profile-a-l/cherrytree.profile
+++ b/etc/profile-a-l/cherrytree.profile
@@ -40,3 +40,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/chromium-common-hardened.inc.profile b/etc/profile-a-l/chromium-common-hardened.inc.profile
index 19addd285..c3944bd65 100644
--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -7,3 +7,5 @@ nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp !chroot
+#restrict-namespaces
diff --git a/etc/profile-a-l/cin.profile b/etc/profile-a-l/cin.profile
index 3e62d7ba2..0930c9361 100644
--- a/etc/profile-a-l/cin.profile
+++ b/etc/profile-a-l/cin.profile
@@ -34,3 +34,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/cinelerra-gg b/etc/profile-a-l/cinelerra-gg.profile
index ccb9fe04b..ccb9fe04b 100644
--- a/etc/profile-a-l/cinelerra-gg
+++ b/etc/profile-a-l/cinelerra-gg.profile
diff --git a/etc/profile-a-l/clamav.profile b/etc/profile-a-l/clamav.profile
index f5f665215..ddd0eb1f9 100644
--- a/etc/profile-a-l/clamav.profile
+++ b/etc/profile-a-l/clamav.profile
@@ -37,3 +37,4 @@ dbus-system none
 read-only ${HOME}
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/clamtk.profile b/etc/profile-a-l/clamtk.profile
index 842416171..9fc73ee55 100644
--- a/etc/profile-a-l/clamtk.profile
+++ b/etc/profile-a-l/clamtk.profile
@@ -27,3 +27,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 268cf01b4..4f4e8e7bf 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -51,3 +51,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/clementine.profile b/etc/profile-a-l/clementine.profile
index b1509f391..ee01fa653 100644
--- a/etc/profile-a-l/clementine.profile
+++ b/etc/profile-a-l/clementine.profile
@@ -38,3 +38,5 @@ private-tmp
 dbus-system none
 # dbus-user none
+restrict-namespaces
diff --git a/etc/profile-a-l/clion.profile b/etc/profile-a-l/clion.profile
index a8d57d63d..652809f1b 100644
--- a/etc/profile-a-l/clion.profile
+++ b/etc/profile-a-l/clion.profile
@@ -40,3 +40,4 @@ private-dev
 # private-tmp
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index 4086f46ba..3f3748e1a 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -48,3 +48,5 @@ private-tmp
 # 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
 # dbus-user none
 # dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/clipit.profile b/etc/profile-a-l/clipit.profile
index 0356547cd..504bce0b1 100644
--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -59,5 +59,5 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute
-restrict-namespaces
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index fa5693901..ad6332f78 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -27,3 +27,5 @@ seccomp
 private-bin cmus
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
+restrict-namespaces
diff --git a/etc/profile-a-l/cointop.profile b/etc/profile-a-l/cointop.profile
index b4f73458c..c341c4ea2 100644
--- a/etc/profile-a-l/cointop.profile
+++ b/etc/profile-a-l/cointop.profile
@@ -60,3 +60,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/colorful.profile b/etc/profile-a-l/colorful.profile
index 79ab5e7b1..442d50259 100644
--- a/etc/profile-a-l/colorful.profile
+++ b/etc/profile-a-l/colorful.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 7024ddb28..990b6bc5a 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -52,3 +52,5 @@ private-tmp
 # dbus-user.own com.github.bleakgrey.tootle
 # dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index 05768977d..5f2a1c3e6 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -63,3 +63,4 @@ read-only ${HOME}
 read-write ${HOME}/.cache/agenda
 read-write ${HOME}/.config/agenda
 read-write ${HOME}/.local/share/agenda
+restrict-namespaces
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index 06c6e5f84..21f37494b 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -60,3 +60,4 @@ private-tmp
 read-only ${HOME}
 read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
 read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate
+restrict-namespaces
diff --git a/etc/profile-a-l/com.github.phase1geo.minder.profile b/etc/profile-a-l/com.github.phase1geo.minder.profile
index 667f9805c..07a6a6813 100644
--- a/etc/profile-a-l/com.github.phase1geo.minder.profile
+++ b/etc/profile-a-l/com.github.phase1geo.minder.profile
@@ -58,3 +58,5 @@ dbus-user filter
 dbus-user.own com.github.phase1geo.minder
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/com.github.tchx84.Flatseal.profile b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
index 20236c161..fd4494e92 100644
--- a/etc/profile-a-l/com.github.tchx84.Flatseal.profile
+++ b/etc/profile-a-l/com.github.tchx84.Flatseal.profile
@@ -62,3 +62,4 @@ dbus-user.talk org.gnome.Software
 dbus-system none
 read-write ${HOME}/.local/share/flatpak/overrides
+restrict-namespaces
diff --git a/etc/profile-a-l/conkeror.profile b/etc/profile-a-l/conkeror.profile
index 38edf0d21..6486990f5 100644
--- a/etc/profile-a-l/conkeror.profile
+++ b/etc/profile-a-l/conkeror.profile
@@ -34,3 +34,5 @@ protocol unix,inet,inet6
 seccomp
 disable-mnt
+restrict-namespaces
diff --git a/etc/profile-a-l/conky.profile b/etc/profile-a-l/conky.profile
index 49a0a40ff..39e6d3cf9 100644
--- a/etc/profile-a-l/conky.profile
+++ b/etc/profile-a-l/conky.profile
@@ -43,3 +43,4 @@ private-dev
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/corebird.profile b/etc/profile-a-l/corebird.profile
index 41b9f79a1..1774669f1 100644
--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -35,3 +35,4 @@ private-bin corebird
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/cower.profile b/etc/profile-a-l/cower.profile
index 2245903a4..e896f3537 100644
--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -46,3 +46,4 @@ private-tmp
 memory-deny-write-execute
 read-only ${HOME}/.config/cower/config
+restrict-namespaces
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 24a149c5f..793de8ab4 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -46,3 +46,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/crawl.profile b/etc/profile-a-l/crawl.profile
index 7928dd93c..7df7b4480 100644
--- a/etc/profile-a-l/crawl.profile
+++ b/etc/profile-a-l/crawl.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index ba0dfb1a6..842191f3f 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -43,3 +43,4 @@ private-opt none
 private-tmp
 private-srv none
+restrict-namespaces
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 3fa6ab764..3e5878574 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -58,3 +58,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index a3a16fa0c..63d89ec36 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -53,3 +53,4 @@ private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/darktable.profile b/etc/profile-a-l/darktable.profile
index 20d5657eb..f871b80aa 100644
--- a/etc/profile-a-l/darktable.profile
+++ b/etc/profile-a-l/darktable.profile
@@ -41,3 +41,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 95f24a0ad..b259c7e93 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -56,3 +56,4 @@ private-tmp
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index 110c9f58e..876e637b2 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -50,3 +50,5 @@ dbus-user filter
 dbus-user.own ca.desrt.dconf-editor
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index 56583838e..5136445da 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -50,3 +50,4 @@ private-lib
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index be1f2eece..8ea5d178e 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -51,3 +51,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-a-l/deadbeef.profile b/etc/profile-a-l/deadbeef.profile
index 205424a62..4eb89503a 100644
--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -32,3 +32,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index 397a89bee..a10bbab5b 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -60,4 +60,4 @@ seccomp
 # deterministic-shutdown
 # memory-deny-write-execute
 # read-only ${HOME}
-# restrict-namespaces
+restrict-namespaces
diff --git a/etc/profile-a-l/deluge.profile b/etc/profile-a-l/deluge.profile
index d8a27da62..ebc751e1a 100644
--- a/etc/profile-a-l/deluge.profile
+++ b/etc/profile-a-l/deluge.profile
@@ -43,3 +43,5 @@ seccomp
 private-bin deluge,deluge-console,deluge-gtk,deluge-web,deluged,python*,sh,uname
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/desktopeditors.profile b/etc/profile-a-l/desktopeditors.profile
index 2b03f0ea0..71579905e 100644
--- a/etc/profile-a-l/desktopeditors.profile
+++ b/etc/profile-a-l/desktopeditors.profile
@@ -42,3 +42,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index 42318527c..ef31fc3eb 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -50,3 +50,4 @@ private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 4b4bfbc5f..0579547af 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -56,3 +56,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/dex2jar.profile b/etc/profile-a-l/dex2jar.profile
index 0908c16f1..b71387b2f 100644
--- a/etc/profile-a-l/dex2jar.profile
+++ b/etc/profile-a-l/dex2jar.profile
@@ -39,3 +39,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dia.profile b/etc/profile-a-l/dia.profile
index 30db25ee9..efcdb7ce4 100644
--- a/etc/profile-a-l/dia.profile
+++ b/etc/profile-a-l/dia.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index a6de5e05e..048b92800 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/digikam.profile b/etc/profile-a-l/digikam.profile
index c1f0e3a14..05f0dfba8 100644
--- a/etc/profile-a-l/digikam.profile
+++ b/etc/profile-a-l/digikam.profile
@@ -43,3 +43,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/dillo.profile b/etc/profile-a-l/dillo.profile
index 19b99b5fd..c7cecf23e 100644
--- a/etc/profile-a-l/dillo.profile
+++ b/etc/profile-a-l/dillo.profile
@@ -37,3 +37,4 @@ private-dev
 private-tmp
 deterministic-shutdown
+restrict-namespaces
diff --git a/etc/profile-a-l/dino.profile b/etc/profile-a-l/dino.profile
index 6802c7eed..1f7134ff2 100644
--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -53,3 +53,5 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-system filter
 # Integration with systemd-logind or elogind
 dbus-system.talk org.freedesktop.login1
+restrict-namespaces
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 6e8e30bfe..15f6e441d 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dnscrypt-proxy.profile b/etc/profile-a-l/dnscrypt-proxy.profile
index 0efebd9a6..0d52805b7 100644
--- a/etc/profile-a-l/dnscrypt-proxy.profile
+++ b/etc/profile-a-l/dnscrypt-proxy.profile
@@ -51,3 +51,4 @@ dbus-system none
 # mdwe can break modules/plugins
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/dnsmasq.profile b/etc/profile-a-l/dnsmasq.profile
index 13efd2fa8..40ccab8c7 100644
--- a/etc/profile-a-l/dnsmasq.profile
+++ b/etc/profile-a-l/dnsmasq.profile
@@ -40,3 +40,5 @@ private
 private-dev
 private-tmp
 writable-var
+restrict-namespaces
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index b8a29beb7..acaf2e021 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -60,3 +60,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dooble.profile b/etc/profile-a-l/dooble.profile
index 427d70e97..6e8d32848 100644
--- a/etc/profile-a-l/dooble.profile
+++ b/etc/profile-a-l/dooble.profile
@@ -38,3 +38,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/dosbox.profile b/etc/profile-a-l/dosbox.profile
index 845277396..1edbb7ca0 100644
--- a/etc/profile-a-l/dosbox.profile
+++ b/etc/profile-a-l/dosbox.profile
@@ -41,3 +41,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
index 14c5e7155..742385855 100644
--- a/etc/profile-a-l/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -39,3 +39,4 @@ private-bin dragon
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index b533ad590..9d9fa291b 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -51,3 +51,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute - breaks on Arch
+# restrict-namespaces
diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile
index ffbd06cb6..bd6fb6dcc 100644
--- a/etc/profile-a-l/drill.profile
+++ b/etc/profile-a-l/drill.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/dropbox.profile b/etc/profile-a-l/dropbox.profile
index 5d83485d2..4fdf1bbfe 100644
--- a/etc/profile-a-l/dropbox.profile
+++ b/etc/profile-a-l/dropbox.profile
@@ -46,3 +46,4 @@ private-dev
 private-tmp
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index 9db24f5a3..920eb7697 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -53,3 +53,4 @@ private-tmp
 # dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index ad3a38bfa..78a996f71 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -51,3 +51,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
index 7e9be653d..5b44f4ccd 100644
--- a/etc/profile-a-l/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -30,3 +30,4 @@ seccomp
 read-write ${HOME}/.emacs
 read-write ${HOME}/.emacs.d
+restrict-namespaces
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 89c44bf76..86fb27514 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -81,3 +81,4 @@ dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
+restrict-namespaces
diff --git a/etc/profile-a-l/empathy.profile b/etc/profile-a-l/empathy.profile
index 5ca640d30..9a128d7af 100644
--- a/etc/profile-a-l/empathy.profile
+++ b/etc/profile-a-l/empathy.profile
@@ -24,3 +24,5 @@ seccomp
 private-cache
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index d9abe52b0..37a6c088b 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -55,3 +55,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/engrampa.profile b/etc/profile-a-l/engrampa.profile
index 37eb21546..1118c3bf0 100644
--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -38,3 +38,5 @@ private-dev
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/enpass.profile b/etc/profile-a-l/enpass.profile
index 2d3367255..45a1125b4 100644
--- a/etc/profile-a-l/enpass.profile
+++ b/etc/profile-a-l/enpass.profile
@@ -59,3 +59,4 @@ private-opt Enpass
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index f25f2a291..83abb551e 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -49,3 +49,5 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/ephemeral.profile b/etc/profile-a-l/ephemeral.profile
index 37b7fdf11..adda53660 100644
--- a/etc/profile-a-l/ephemeral.profile
+++ b/etc/profile-a-l/ephemeral.profile
@@ -61,3 +61,5 @@ private-tmp
 # breaks preferences
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/epiphany.profile b/etc/profile-a-l/epiphany.profile
index 225811226..a8d00d045 100644
--- a/etc/profile-a-l/epiphany.profile
+++ b/etc/profile-a-l/epiphany.profile
@@ -34,3 +34,5 @@ nonewprivs
 notv
 protocol unix,inet,inet6
 seccomp
+restrict-namespaces
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 60d50a7fa..2fe0a4af4 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -60,3 +60,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/etr.profile b/etc/profile-a-l/etr.profile
index 8fa6cd3b4..7d27f12c9 100644
--- a/etc/profile-a-l/etr.profile
+++ b/etc/profile-a-l/etr.profile
@@ -53,3 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index eec9f86db..95115d484 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -64,3 +64,5 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gtk.vfs.Daemon
 dbus-user.talk org.gtk.vfs.Metadata
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/evolution.profile b/etc/profile-a-l/evolution.profile
index 6f959df6e..517bb6206 100644
--- a/etc/profile-a-l/evolution.profile
+++ b/etc/profile-a-l/evolution.profile
@@ -43,3 +43,5 @@ seccomp
 private-dev
 private-tmp
 writable-var
+restrict-namespaces
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index dd5e32f49..45331487c 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -54,3 +54,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 321cb0145..2daf1ff15 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -53,3 +53,5 @@ private-tmp
 # dbus-user filter
 # dbus-user.own org.kde.Falkon
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/fbreader.profile b/etc/profile-a-l/fbreader.profile
index 5679f7cc1..434371aee 100644
--- a/etc/profile-a-l/fbreader.profile
+++ b/etc/profile-a-l/fbreader.profile
@@ -36,3 +36,5 @@ seccomp
 private-bin fbreader,FBReader
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index ee775566e..248cb5b49 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -47,3 +47,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 83de90908..6aa24cc86 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -56,3 +56,5 @@ dbus-user.talk org.freedesktop.secrets
 #dbus-user.talk org.freedesktop.Notifications
 #dbus-user.talk org.gnome.OnlineAccounts
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 9b0262f5b..be5ab8627 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -40,3 +40,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/ferdi.profile b/etc/profile-a-l/ferdi.profile
index e11baa536..3a044542f 100644
--- a/etc/profile-a-l/ferdi.profile
+++ b/etc/profile-a-l/ferdi.profile
@@ -44,3 +44,5 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-a-l/fetchmail.profile b/etc/profile-a-l/fetchmail.profile
index cb01fc5dd..ea90239e0 100644
--- a/etc/profile-a-l/fetchmail.profile
+++ b/etc/profile-a-l/fetchmail.profile
@@ -31,3 +31,5 @@ seccomp
 #private-bin bash,chmod,fetchmail,procmail
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/ffmpeg.profile b/etc/profile-a-l/ffmpeg.profile
index 42de048d7..160f26f78 100644
--- a/etc/profile-a-l/ffmpeg.profile
+++ b/etc/profile-a-l/ffmpeg.profile
@@ -54,3 +54,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute - it breaks old versions of ffmpeg
+restrict-namespaces
diff --git a/etc/profile-a-l/file-manager-common.profile b/etc/profile-a-l/file-manager-common.profile
index 9ab7e36d3..bf8475758 100644
--- a/etc/profile-a-l/file-manager-common.profile
+++ b/etc/profile-a-l/file-manager-common.profile
@@ -49,3 +49,5 @@ private-dev
 #dbus-user none
 #dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 06744cdd3..ef4e0e117 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -46,3 +46,5 @@ private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
 # private-tmp
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/file.profile b/etc/profile-a-l/file.profile
index bcb2abc8b..a5fd05bc7 100644
--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -44,3 +44,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/filezilla.profile b/etc/profile-a-l/filezilla.profile
index 273e6180c..e80a875f1 100644
--- a/etc/profile-a-l/filezilla.profile
+++ b/etc/profile-a-l/filezilla.profile
@@ -41,3 +41,5 @@ seccomp
 private-bin bash,filezilla,fzputtygen,fzsftp,lsb_release,python*,sh,uname,zsh
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 491ce2eeb..13313cb67 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -68,3 +68,5 @@ blacklist ${PATH}/wget2
 # Gnome connector, KDE connect and power management on KDE Plasma.
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index d5034ef8e..0984055a3 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -65,3 +65,5 @@ dbus-user.talk org.kde.KWin
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 ?ALLOW_TRAY: dbus-user.own org.kde.*
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/flowblade.profile b/etc/profile-a-l/flowblade.profile
index 4bb1b2a71..740dc153f 100644
--- a/etc/profile-a-l/flowblade.profile
+++ b/etc/profile-a-l/flowblade.profile
@@ -35,3 +35,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/fluxbox.profile b/etc/profile-a-l/fluxbox.profile
index 1210f365c..2ae87be48 100644
--- a/etc/profile-a-l/fluxbox.profile
+++ b/etc/profile-a-l/fluxbox.profile
@@ -16,3 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp
+restrict-namespaces
diff --git a/etc/profile-a-l/font-manager.profile b/etc/profile-a-l/font-manager.profile
index fcd4afa44..88ae56c82 100644
--- a/etc/profile-a-l/font-manager.profile
+++ b/etc/profile-a-l/font-manager.profile
@@ -54,3 +54,4 @@ private-dev
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/fontforge.profile b/etc/profile-a-l/fontforge.profile
index f18250fdb..756ca4fae 100644
--- a/etc/profile-a-l/fontforge.profile
+++ b/etc/profile-a-l/fontforge.profile
@@ -38,3 +38,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
index 796081ece..a614d7d9f 100644
--- a/etc/profile-a-l/fractal.profile
+++ b/etc/profile-a-l/fractal.profile
@@ -55,3 +55,5 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/franz.profile b/etc/profile-a-l/franz.profile
index 4a2e13d89..e21789d73 100644
--- a/etc/profile-a-l/franz.profile
+++ b/etc/profile-a-l/franz.profile
@@ -44,3 +44,5 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-a-l/freecad.profile b/etc/profile-a-l/freecad.profile
index e0330b52a..53315c249 100644
--- a/etc/profile-a-l/freecad.profile
+++ b/etc/profile-a-l/freecad.profile
@@ -42,3 +42,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/freeciv.profile b/etc/profile-a-l/freeciv.profile
index 1690f6eb9..0788acce1 100644
--- a/etc/profile-a-l/freeciv.profile
+++ b/etc/profile-a-l/freeciv.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/freecol.profile b/etc/profile-a-l/freecol.profile
index 3092e830a..f1b2ffcb7 100644
--- a/etc/profile-a-l/freecol.profile
+++ b/etc/profile-a-l/freecol.profile
@@ -55,3 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/freemind.profile b/etc/profile-a-l/freemind.profile
index c3f32de03..ae5843f7f 100644
--- a/etc/profile-a-l/freemind.profile
+++ b/etc/profile-a-l/freemind.profile
@@ -50,3 +50,5 @@ private-srv none
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/freshclam.profile b/etc/profile-a-l/freshclam.profile
index ab6877de8..133d66f0d 100644
--- a/etc/profile-a-l/freshclam.profile
+++ b/etc/profile-a-l/freshclam.profile
@@ -33,3 +33,4 @@ writable-var
 writable-var-log
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 521d50b3b..067fe3caa 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index bb60d98a5..86a8a8fc6 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/ftp.profile b/etc/profile-a-l/ftp.profile
index 15b68eb08..f448ab932 100644
--- a/etc/profile-a-l/ftp.profile
+++ b/etc/profile-a-l/ftp.profile
@@ -51,3 +51,4 @@ dbus-system none
 memory-deny-write-execute
 noexec ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index ee4226852..8ca349d1c 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index 3d4d4b4e7..d4d578dd4 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -75,4 +75,5 @@ dbus-system.talk org.freedesktop.login1
 # Add the next line to your gajim.local to enable location plugin support.
 #dbus-system.talk org.freedesktop.GeoClue2
+restrict-namespaces
 join-or-start gajim
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 95afc8020..0fba8ac07 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -50,3 +50,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 6fac9affc..106e0eda6 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -70,3 +70,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 60fac668e..313b34a53 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -40,3 +40,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index 33441ac0e..5b434342b 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -58,3 +58,4 @@ private-lib GConf,libpython*,python2*
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gdu.profile b/etc/profile-a-l/gdu.profile
index 783183bea..4eb94edf4 100644
--- a/etc/profile-a-l/gdu.profile
+++ b/etc/profile-a-l/gdu.profile
@@ -37,6 +37,7 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
 # gdu has built-in delete (d), empty (e) dir/file support and shell spawning (b) features.
 # Depending on workflow and use case the sandbox can be hardened by adding the
diff --git a/etc/profile-a-l/geany.profile b/etc/profile-a-l/geany.profile
index 021abefb3..ec1d68e0d 100644
--- a/etc/profile-a-l/geany.profile
+++ b/etc/profile-a-l/geany.profile
@@ -32,3 +32,5 @@ seccomp
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index cc2119f2a..ad9b45b57 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,3 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 28a79b646..dbb3ab971 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -49,3 +49,5 @@ private-tmp
 # makes settings immutable
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 19ac4e026..cda47a7e9 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -55,3 +55,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.geekbench5
+restrict-namespaces
diff --git a/etc/profile-a-l/geeqie.profile b/etc/profile-a-l/geeqie.profile
index 268c3b334..95adc6840 100644
--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -34,3 +34,5 @@ seccomp
 # private-bin geeqie
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index 7b42fadd1..d3d49433b 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -67,3 +67,5 @@ dbus-user filter
 dbus-user.own org.gabmus.gfeeds
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index b40c96e5b..02c4f9509 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index e908e5cd9..9c719ddb1 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -56,3 +56,5 @@ private-tmp
 dbus-user filter
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index 400c8c54f..083b85a91 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -63,3 +63,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index ffd1b1f13..d315619b7 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -58,3 +58,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 6c6a0bfd4..2f7068d68 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -84,3 +84,5 @@ read-only ${HOME}/.git-credentials
 # Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts.
 read-only ${HOME}/.ssh
+restrict-namespaces
diff --git a/etc/profile-a-l/git.profile b/etc/profile-a-l/git.profile
index 76636cc03..78d6cb2a1 100644
--- a/etc/profile-a-l/git.profile
+++ b/etc/profile-a-l/git.profile
@@ -65,3 +65,4 @@ private-cache
 private-dev
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 4c4ddd2d2..85f08d52e 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -61,3 +61,5 @@ dbus-user.talk ca.desrt.dconf
 # Add the next line to your gitg.local if you need keyring access.
 #dbus-user.talk org.freedesktop.secrets
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 012bc6159..0f9ed9592 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -41,3 +41,4 @@ private-opt Gitter
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gjs.profile b/etc/profile-a-l/gjs.profile
index 9bdbd0e37..bd332a6d5 100644
--- a/etc/profile-a-l/gjs.profile
+++ b/etc/profile-a-l/gjs.profile
@@ -42,3 +42,5 @@ tracelog
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index 311d7f127..92ba70113 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index 162d292f8..d61b566d8 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/globaltime.profile b/etc/profile-a-l/globaltime.profile
index 5e823a5a8..46553d457 100644
--- a/etc/profile-a-l/globaltime.profile
+++ b/etc/profile-a-l/globaltime.profile
@@ -34,3 +34,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index edd2cd9ee..d4e4caebe 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -51,3 +51,4 @@ writable-run-user
 # dbus-system none
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-books.profile b/etc/profile-a-l/gnome-books.profile
index 0c19faab3..812923b2d 100644
--- a/etc/profile-a-l/gnome-books.profile
+++ b/etc/profile-a-l/gnome-books.profile
@@ -43,3 +43,4 @@ tracelog
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index fe3a392b4..e171224c0 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -37,3 +37,4 @@ seccomp
 private-dev
 read-write ${HOME}/.bash_history
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-calculator.profile b/etc/profile-a-l/gnome-calculator.profile
index 11fdb9828..3926146ff 100644
--- a/etc/profile-a-l/gnome-calculator.profile
+++ b/etc/profile-a-l/gnome-calculator.profile
@@ -52,3 +52,5 @@ dbus-user filter
 dbus-user.own org.gnome.Calculator
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 482992778..b0d3f1d34 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -60,3 +60,4 @@ dbus-system filter
 #dbus-system.talk org.freedesktop.GeoClue2
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index af5b61fe6..2e11f335b 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -56,3 +56,4 @@ private-tmp
 # dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index 815ede80b..78bd54b64 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -51,3 +51,5 @@ private-cache
 private-dev
 private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index cc8f3fea0..8af9870bf 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -44,3 +44,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-contacts.profile b/etc/profile-a-l/gnome-contacts.profile
index f96f750dd..2326115c3 100644
--- a/etc/profile-a-l/gnome-contacts.profile
+++ b/etc/profile-a-l/gnome-contacts.profile
@@ -38,3 +38,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-documents.profile b/etc/profile-a-l/gnome-documents.profile
index 24fa9721a..c8af97a61 100644
--- a/etc/profile-a-l/gnome-documents.profile
+++ b/etc/profile-a-l/gnome-documents.profile
@@ -41,3 +41,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-font-viewer.profile b/etc/profile-a-l/gnome-font-viewer.profile
index 294729152..17d266537 100644
--- a/etc/profile-a-l/gnome-font-viewer.profile
+++ b/etc/profile-a-l/gnome-font-viewer.profile
@@ -35,3 +35,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index f734f23bd..f0493c645 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -49,3 +49,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.cache/mesa_shader_cache
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-keyring.profile b/etc/profile-a-l/gnome-keyring.profile
index 5f9679cc7..45b6fd880 100644
--- a/etc/profile-a-l/gnome-keyring.profile
+++ b/etc/profile-a-l/gnome-keyring.profile
@@ -59,3 +59,4 @@ private-tmp
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 105996b38..43e0a1ec1 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -50,3 +50,5 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index f93d9ca24..b619b0f27 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -51,3 +51,4 @@ dbus-system none
 # Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index 2f5e033ad..d14b2a5a1 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -73,3 +73,5 @@ dbus-user.own org.gnome.Maps
 dbus-system filter
 #dbus-system.talk org.freedesktop.NetworkManager
 dbus-system.talk org.freedesktop.GeoClue2
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-mplayer.profile b/etc/profile-a-l/gnome-mplayer.profile
index 444f6ed34..052e9ba9c 100644
--- a/etc/profile-a-l/gnome-mplayer.profile
+++ b/etc/profile-a-l/gnome-mplayer.profile
@@ -31,3 +31,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index 8c2ff90ea..ec033dbf0 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -44,3 +44,4 @@ private-dev
 private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-nettool.profile b/etc/profile-a-l/gnome-nettool.profile
index abf3dd759..ce4e5edd8 100644
--- a/etc/profile-a-l/gnome-nettool.profile
+++ b/etc/profile-a-l/gnome-nettool.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index bd39ab0c9..0d7fb2de8 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -59,3 +59,5 @@ dbus-user filter
 dbus-user.own org.gnome.PasswordSafe
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-photos.profile b/etc/profile-a-l/gnome-photos.profile
index 5c848d0af..1d0291aa2 100644
--- a/etc/profile-a-l/gnome-photos.profile
+++ b/etc/profile-a-l/gnome-photos.profile
@@ -40,3 +40,4 @@ tracelog
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index 0086edab0..6d90773aa 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -38,3 +38,4 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index e4120743a..fb019227f 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -56,3 +56,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.local/share/gnome-pomodoro
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 483783195..75f3199e2 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -50,3 +50,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-ring.profile b/etc/profile-a-l/gnome-ring.profile
index 44c608e8c..8f2ab7fd6 100644
--- a/etc/profile-a-l/gnome-ring.profile
+++ b/etc/profile-a-l/gnome-ring.profile
@@ -30,3 +30,4 @@ disable-mnt
 # private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
index 415d8eb04..b71d77621 100644
--- a/etc/profile-a-l/gnome-schedule.profile
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -61,4 +61,3 @@ disable-mnt
 private-cache
 private-dev
 writable-var
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index 95e1309ad..74238a109 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -48,3 +48,5 @@ dbus-user filter
 dbus-user.own org.gnome.Screenshot
 dbus-user.talk org.gnome.Shell.Screenshot
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 0faf17c2f..d07bd80a7 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -41,3 +41,5 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index ae2f79e35..4c74c0a61 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -53,3 +53,4 @@ writable-var-log
 memory-deny-write-execute
 # Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 097a4d5aa..ae7ea83d8 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -61,3 +61,4 @@ dbus-system none
 #dbus-system.talk org.freedesktop.login1
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-twitch.profile b/etc/profile-a-l/gnome-twitch.profile
index 3b9e44f66..dfeeff950 100644
--- a/etc/profile-a-l/gnome-twitch.profile
+++ b/etc/profile-a-l/gnome-twitch.profile
@@ -37,3 +37,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome-weather.profile b/etc/profile-a-l/gnome-weather.profile
index ddffb8942..147b84a19 100644
--- a/etc/profile-a-l/gnome-weather.profile
+++ b/etc/profile-a-l/gnome-weather.profile
@@ -46,3 +46,4 @@ private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index bd20bb2bc..c9145d78e 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index 9df2f06a4..d7944ae24 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -57,3 +57,5 @@ dbus-user filter
 dbus-user.own org.gnome.Gnote
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index bc69f4729..bdbcf9baf 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index 57ad9bedc..36a2cae07 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -42,3 +42,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile
index c1119dcb0..327648cd1 100644
--- a/etc/profile-a-l/goldendict.profile
+++ b/etc/profile-a-l/goldendict.profile
@@ -55,3 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/goobox.profile b/etc/profile-a-l/goobox.profile
index 1eaa68c1d..8807a239d 100644
--- a/etc/profile-a-l/goobox.profile
+++ b/etc/profile-a-l/goobox.profile
@@ -32,3 +32,5 @@ tracelog
 private-dev
 # private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,machine-id,pki,pulse,ssl
 # private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/google-earth.profile b/etc/profile-a-l/google-earth.profile
index 71e41b289..4af6ce36b 100644
--- a/etc/profile-a-l/google-earth.profile
+++ b/etc/profile-a-l/google-earth.profile
@@ -39,3 +39,4 @@ private-bin bash,dirname,google-earth,grep,ls,sed,sh
 private-dev
 private-opt google
+restrict-namespaces
diff --git a/etc/profile-a-l/google-play-music-desktop-player.profile b/etc/profile-a-l/google-play-music-desktop-player.profile
index b84ae83b7..c2a7d89fd 100644
--- a/etc/profile-a-l/google-play-music-desktop-player.profile
+++ b/etc/profile-a-l/google-play-music-desktop-player.profile
@@ -39,3 +39,5 @@ seccomp
 disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index 74cfd5b89..da7c24581 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -58,3 +58,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gpa.profile b/etc/profile-a-l/gpa.profile
index 40c3b434d..e05cdf424 100644
--- a/etc/profile-a-l/gpa.profile
+++ b/etc/profile-a-l/gpa.profile
@@ -30,3 +30,5 @@ tracelog
 # private-bin gpa,gpg
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/gpg-agent.profile b/etc/profile-a-l/gpg-agent.profile
index 78546f547..848960f5f 100644
--- a/etc/profile-a-l/gpg-agent.profile
+++ b/etc/profile-a-l/gpg-agent.profile
@@ -49,3 +49,5 @@ tracelog
 # private-bin gpg-agent,gpg
 private-cache
 private-dev
+restrict-namespaces
diff --git a/etc/profile-a-l/gpg.profile b/etc/profile-a-l/gpg.profile
index bc4fb060b..250c9c396 100644
--- a/etc/profile-a-l/gpg.profile
+++ b/etc/profile-a-l/gpg.profile
@@ -51,3 +51,4 @@ private-dev
 # installing/upgrading archlinux-keyring extremely slow.
 read-write /etc/pacman.d/gnupg
 read-write /usr/share/pacman/keyrings
+restrict-namespaces
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index 937ef14fe..1012f5774 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -48,3 +48,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 628205015..53a6f94e2 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -38,3 +38,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 8ff0d92bb..368482fa3 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -52,3 +52,5 @@ dbus-user.own de.haeckerfelix.gradio
 dbus-user.own org.mpris.MediaPlayer2.gradio
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile
index 6d9c54967..5073e79c9 100644
--- a/etc/profile-a-l/gramps.profile
+++ b/etc/profile-a-l/gramps.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index ab0915cd6..02a49134c 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gthumb.profile b/etc/profile-a-l/gthumb.profile
index b9e3d8e25..9654f0ffc 100644
--- a/etc/profile-a-l/gthumb.profile
+++ b/etc/profile-a-l/gthumb.profile
@@ -34,3 +34,5 @@ private-bin gthumb
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index 793fb0440..5fd92fd4f 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -53,3 +53,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/guayadeque.profile b/etc/profile-a-l/guayadeque.profile
index 594c99863..35ce2816b 100644
--- a/etc/profile-a-l/guayadeque.profile
+++ b/etc/profile-a-l/guayadeque.profile
@@ -32,3 +32,4 @@ private-bin guayadeque
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/gucharmap.profile b/etc/profile-a-l/gucharmap.profile
index 774652fd5..68b78ec62 100644
--- a/etc/profile-a-l/gucharmap.profile
+++ b/etc/profile-a-l/gucharmap.profile
@@ -51,3 +51,4 @@ private-tmp
 # dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/guvcview.profile b/etc/profile-a-l/guvcview.profile
index e8f64e4e0..db307e940 100644
--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -52,3 +52,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 93af4d1f8..8f7f74e0d 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -52,3 +52,4 @@ private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.prel
 # dbus-system none
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/handbrake.profile b/etc/profile-a-l/handbrake.profile
index 1f13232f2..488665154 100644
--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -36,3 +36,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/hashcat.profile b/etc/profile-a-l/hashcat.profile
index 8d665ce68..e5b0a06af 100644
--- a/etc/profile-a-l/hashcat.profile
+++ b/etc/profile-a-l/hashcat.profile
@@ -43,3 +43,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index a1a491ca1..fd8246aae 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -56,3 +56,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index 9c6f162c6..2de09ea93 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -35,3 +35,5 @@ tracelog
 disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/hexchat.profile b/etc/profile-a-l/hexchat.profile
index c730187a9..df7f8f3a3 100644
--- a/etc/profile-a-l/hexchat.profile
+++ b/etc/profile-a-l/hexchat.profile
@@ -55,3 +55,4 @@ private-dev
 private-tmp
 # memory-deny-write-execute - breaks python
+restrict-namespaces
diff --git a/etc/profile-a-l/highlight.profile b/etc/profile-a-l/highlight.profile
index 04a603794..d77f49ce0 100644
--- a/etc/profile-a-l/highlight.profile
+++ b/etc/profile-a-l/highlight.profile
@@ -41,3 +41,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/homebank.profile b/etc/profile-a-l/homebank.profile
index cf06b397f..91b73e8e9 100644
--- a/etc/profile-a-l/homebank.profile
+++ b/etc/profile-a-l/homebank.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/host.profile b/etc/profile-a-l/host.profile
index 22a3ecf51..09af8f0f5 100644
--- a/etc/profile-a-l/host.profile
+++ b/etc/profile-a-l/host.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/hugin.profile b/etc/profile-a-l/hugin.profile
index d4587a303..c4085cf9c 100644
--- a/etc/profile-a-l/hugin.profile
+++ b/etc/profile-a-l/hugin.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index 8fd80564a..13dc06ecc 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index c131381c8..757af67b0 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -69,3 +69,5 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/i3.profile b/etc/profile-a-l/i3.profile
index e96b1843c..a0c3f2d97 100644
--- a/etc/profile-a-l/i3.profile
+++ b/etc/profile-a-l/i3.profile
@@ -16,3 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp
+restrict-namespaces
diff --git a/etc/profile-a-l/iagno.profile b/etc/profile-a-l/iagno.profile
index 727dabb77..e16f3f1d5 100644
--- a/etc/profile-a-l/iagno.profile
+++ b/etc/profile-a-l/iagno.profile
@@ -37,3 +37,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/idea.sh.profile b/etc/profile-a-l/idea.sh.profile
index 0d976222f..31f65962f 100644
--- a/etc/profile-a-l/idea.sh.profile
+++ b/etc/profile-a-l/idea.sh.profile
@@ -39,3 +39,4 @@ private-dev
 # private-tmp
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/imagej.profile b/etc/profile-a-l/imagej.profile
index 29aeb006b..60e97b24c 100644
--- a/etc/profile-a-l/imagej.profile
+++ b/etc/profile-a-l/imagej.profile
@@ -38,3 +38,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/img2txt.profile b/etc/profile-a-l/img2txt.profile
index 889e4ba65..ee341423a 100644
--- a/etc/profile-a-l/img2txt.profile
+++ b/etc/profile-a-l/img2txt.profile
@@ -50,3 +50,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/impressive.profile b/etc/profile-a-l/impressive.profile
index 7306de4b3..d9a256c11 100644
--- a/etc/profile-a-l/impressive.profile
+++ b/etc/profile-a-l/impressive.profile
@@ -54,3 +54,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.cache/mesa_shader_cache
+restrict-namespaces
diff --git a/etc/profile-a-l/imv.profile b/etc/profile-a-l/imv.profile
index 43085bb9b..94333a610 100644
--- a/etc/profile-a-l/imv.profile
+++ b/etc/profile-a-l/imv.profile
@@ -54,3 +54,4 @@ dbus-user none
 dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index d461add95..1034c225f 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -60,3 +60,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/io.github.lainsce.Notejot.profile b/etc/profile-a-l/io.github.lainsce.Notejot.profile
index 483772a1e..cb2f30350 100644
--- a/etc/profile-a-l/io.github.lainsce.Notejot.profile
+++ b/etc/profile-a-l/io.github.lainsce.Notejot.profile
@@ -57,3 +57,5 @@ dbus-user filter
 dbus-user.own io.github.lainsce.Notejot
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index cdf78ea94..983c31bcb 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -59,3 +59,4 @@ dbus-system none
 # memory-deny-write-execute
 # read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-a-l/itch.profile b/etc/profile-a-l/itch.profile
index 85ea915c7..1c4ddebdb 100644
--- a/etc/profile-a-l/itch.profile
+++ b/etc/profile-a-l/itch.profile
@@ -39,3 +39,4 @@ private-dev
 private-tmp
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
index fc1f7e42c..5fe484029 100644
--- a/etc/profile-a-l/jami-gnome.profile
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -39,3 +39,4 @@ private-dev
 private-tmp
 env QT_QPA_PLATFORM=xcb
+restrict-namespaces
diff --git a/etc/profile-a-l/jd-gui.profile b/etc/profile-a-l/jd-gui.profile
index 628a646c2..e34b3e676 100644
--- a/etc/profile-a-l/jd-gui.profile
+++ b/etc/profile-a-l/jd-gui.profile
@@ -41,3 +41,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index f55305a08..3136b412e 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -40,3 +40,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/jitsi.profile b/etc/profile-a-l/jitsi.profile
index 23f7b720d..c0bda1cbf 100644
--- a/etc/profile-a-l/jitsi.profile
+++ b/etc/profile-a-l/jitsi.profile
@@ -28,3 +28,5 @@ tracelog
 disable-mnt
 private-cache
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index dee252281..66d63283a 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/k3b.profile b/etc/profile-a-l/k3b.profile
index a98f09d7d..81d4f3458 100644
--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -35,3 +35,5 @@ novideo
 private-dev
 # private-tmp
+# restrict-namespaces - breaks privileged helpers
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index 8dba3b4e9..73417bf11 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -40,3 +40,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 6331e3990..bde52f30e 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user none
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index dc6e58c99..152f73d5d 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -60,4 +60,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
 join-or-start kate
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 61802383d..c01000af1 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -52,3 +52,5 @@ private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cach
 private-tmp
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index 6e1de1abd..ea56f2d39 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -67,3 +67,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/kdeinit4.profile b/etc/profile-a-l/kdeinit4.profile
index 8b02142c3..2f426e191 100644
--- a/etc/profile-a-l/kdeinit4.profile
+++ b/etc/profile-a-l/kdeinit4.profile
@@ -34,3 +34,4 @@ private-bin kbuildsycoca4,kded4,kdeinit4,knotify4
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/kdenlive.profile b/etc/profile-a-l/kdenlive.profile
index 872e6d9aa..d4933d816 100644
--- a/etc/profile-a-l/kdenlive.profile
+++ b/etc/profile-a-l/kdenlive.profile
@@ -38,3 +38,5 @@ private-dev
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 947e35750..e0b3eadfd 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -55,3 +55,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/keepass.profile b/etc/profile-a-l/keepass.profile
index db3bbd76f..648ed95cf 100644
--- a/etc/profile-a-l/keepass.profile
+++ b/etc/profile-a-l/keepass.profile
@@ -43,3 +43,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index c8b895fc2..935fe3933 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -47,3 +47,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 827951071..80374690c 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -106,5 +106,7 @@ dbus-user.talk org.xfce.ScreenSaver
 dbus-system filter
 dbus-system.talk org.freedesktop.login1
+restrict-namespaces
 # Mutex is stored in /tmp by default, which is broken by private-tmp.
 join-or-start keepassxc
diff --git a/etc/profile-a-l/kfind.profile b/etc/profile-a-l/kfind.profile
index dee84482f..c70030a38 100644
--- a/etc/profile-a-l/kfind.profile
+++ b/etc/profile-a-l/kfind.profile
@@ -44,3 +44,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index 9b6646725..dd45c1889 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -41,3 +41,4 @@ private-dev
 private-tmp
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index 637b00c35..424fb006e 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -45,3 +45,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/kino.profile b/etc/profile-a-l/kino.profile
index 2df907376..a4c8486e1 100644
--- a/etc/profile-a-l/kino.profile
+++ b/etc/profile-a-l/kino.profile
@@ -34,3 +34,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 1c50ad2ea..5a028aeea 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-a-l/klatexformula.profile b/etc/profile-a-l/klatexformula.profile
index c7b5123d2..0c2d171b9 100644
--- a/etc/profile-a-l/klatexformula.profile
+++ b/etc/profile-a-l/klatexformula.profile
@@ -42,3 +42,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index 4b8c9e414..0785b904d 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -51,3 +51,5 @@ private-srv none
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 1bbc141e8..9724f4963 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -62,3 +62,5 @@ private-dev
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
+# restrict-namespaces
diff --git a/etc/profile-a-l/kmplayer.profile b/etc/profile-a-l/kmplayer.profile
index 135e8f3ad..992b312ee 100644
--- a/etc/profile-a-l/kmplayer.profile
+++ b/etc/profile-a-l/kmplayer.profile
@@ -38,3 +38,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/kodi.profile b/etc/profile-a-l/kodi.profile
index b78d9c474..474a10a31 100644
--- a/etc/profile-a-l/kodi.profile
+++ b/etc/profile-a-l/kodi.profile
@@ -51,3 +51,5 @@ tracelog
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index 875d0ef76..e4781fea3 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -43,3 +43,4 @@ private-dev
 private-tmp
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/kopete.profile b/etc/profile-a-l/kopete.profile
index 9e75b03eb..91030f453 100644
--- a/etc/profile-a-l/kopete.profile
+++ b/etc/profile-a-l/kopete.profile
@@ -37,3 +37,4 @@ private-dev
 private-tmp
 writable-var
+restrict-namespaces
diff --git a/etc/profile-a-l/krita.profile b/etc/profile-a-l/krita.profile
index 70d721e9f..a04376430 100644
--- a/etc/profile-a-l/krita.profile
+++ b/etc/profile-a-l/krita.profile
@@ -48,3 +48,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index 96eb6978d..27feccf40 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -35,3 +35,5 @@ protocol unix,inet,inet6
 seccomp
 # private-cache
+restrict-namespaces
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index cb06dd38f..da267b962 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -67,3 +67,4 @@ private-tmp
 deterministic-shutdown
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 086a4500a..68ef6111a 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -50,3 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 176c78515..0cdfe4f10 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -78,3 +78,4 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index c3b2a1205..7ecf26d8e 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -44,3 +44,5 @@ private-bin kwin_x11
 private-dev
 private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 1883d7c86..18a024c7e 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -52,4 +52,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
 join-or-start kwrite
diff --git a/etc/profile-a-l/latex-common.profile b/etc/profile-a-l/latex-common.profile
index f6c28fafa..f1e1a897b 100644
--- a/etc/profile-a-l/latex-common.profile
+++ b/etc/profile-a-l/latex-common.profile
@@ -38,3 +38,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/leafpad.profile b/etc/profile-a-l/leafpad.profile
index ce62b8d5c..27b27a20b 100644
--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -38,3 +38,4 @@ private-dev
 private-lib
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/less.profile b/etc/profile-a-l/less.profile
index 24d6261fb..6efe23ade 100644
--- a/etc/profile-a-l/less.profile
+++ b/etc/profile-a-l/less.profile
@@ -48,3 +48,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
 read-write ${HOME}/.lesshst
+restrict-namespaces
diff --git a/etc/profile-a-l/librecad.profile b/etc/profile-a-l/librecad.profile
index 00447c6c1..40ec7b9c6 100644
--- a/etc/profile-a-l/librecad.profile
+++ b/etc/profile-a-l/librecad.profile
@@ -47,3 +47,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index e25eaa2e9..518928876 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -54,4 +54,5 @@ private-tmp
 dbus-system none
+restrict-namespaces
 join-or-start libreoffice
diff --git a/etc/profile-a-l/lifeograph.profile b/etc/profile-a-l/lifeograph.profile
index 280669b24..025156d2d 100644
--- a/etc/profile-a-l/lifeograph.profile
+++ b/etc/profile-a-l/lifeograph.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index 75aac74d1..b0e9015ee 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -59,3 +59,5 @@ dbus-user.talk ca.desrt.dconf
 # Add the next line to your liferea.local if you use the 'Libsecret Support' plugin.
 #dbus-user.talk org.freedesktop.secrets
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/lincity-ng.profile b/etc/profile-a-l/lincity-ng.profile
index 79eca0a6f..d81e21636 100644
--- a/etc/profile-a-l/lincity-ng.profile
+++ b/etc/profile-a-l/lincity-ng.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index 4eec03855..22a4a2a2a 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -59,3 +59,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-a-l/linphone.profile b/etc/profile-a-l/linphone.profile
index e375f0c13..2273ed560 100644
--- a/etc/profile-a-l/linphone.profile
+++ b/etc/profile-a-l/linphone.profile
@@ -47,3 +47,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/lmms.profile b/etc/profile-a-l/lmms.profile
index b4582c4f5..35fca733a 100644
--- a/etc/profile-a-l/lmms.profile
+++ b/etc/profile-a-l/lmms.profile
@@ -37,3 +37,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index 3108900ef..78b78662b 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -39,3 +39,4 @@ private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/lugaru.profile b/etc/profile-a-l/lugaru.profile
index 2b61f4d48..f6436d93d 100644
--- a/etc/profile-a-l/lugaru.profile
+++ b/etc/profile-a-l/lugaru.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/luminance-hdr.profile b/etc/profile-a-l/luminance-hdr.profile
index b7280b61c..4a8352831 100644
--- a/etc/profile-a-l/luminance-hdr.profile
+++ b/etc/profile-a-l/luminance-hdr.profile
@@ -36,3 +36,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 80cecd056..2658c5373 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -80,3 +80,5 @@ dbus-user filter
 dbus-user.own net.lutris.Lutris
 dbus-user.talk com.feralinteractive.GameMode
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-a-l/lximage-qt.profile b/etc/profile-a-l/lximage-qt.profile
index d8485ba65..589f1cf6b 100644
--- a/etc/profile-a-l/lximage-qt.profile
+++ b/etc/profile-a-l/lximage-qt.profile
@@ -35,3 +35,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/lxmusic.profile b/etc/profile-a-l/lxmusic.profile
index a5fc967be..1ecf3c9d7 100644
--- a/etc/profile-a-l/lxmusic.profile
+++ b/etc/profile-a-l/lxmusic.profile
@@ -37,3 +37,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-a-l/lynx.profile b/etc/profile-a-l/lynx.profile
index 02a9f8d82..caf8de104 100644
--- a/etc/profile-a-l/lynx.profile
+++ b/etc/profile-a-l/lynx.profile
@@ -39,3 +39,5 @@ private-cache
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/Maelstrom.profile b/etc/profile-m-z/Maelstrom.profile
index 930d49db2..23b44dbf5 100644
--- a/etc/profile-m-z/Maelstrom.profile
+++ b/etc/profile-m-z/Maelstrom.profile
@@ -43,3 +43,5 @@ private-tmp
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-m-z/Mathematica.profile b/etc/profile-m-z/Mathematica.profile
index 6286f066e..08283bd33 100644
--- a/etc/profile-m-z/Mathematica.profile
+++ b/etc/profile-m-z/Mathematica.profile
@@ -27,3 +27,5 @@ nonewprivs
 noroot
 notv
 seccomp
+restrict-namespaces
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index cc52f053f..902fc9a6a 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -53,3 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile
index cf597c215..1e9af5769 100644
--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 6bf69d055..6140de60f 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -52,3 +52,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index e13337b7c..2ea185ec0 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -34,3 +34,5 @@ disable-mnt
 private-bin awk,bash,dig,sh,Viber
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-m-z/XMind.profile b/etc/profile-m-z/XMind.profile
index 53cecd4b1..97b9d2898 100644
--- a/etc/profile-m-z/XMind.profile
+++ b/etc/profile-m-z/XMind.profile
@@ -35,3 +35,4 @@ private-bin cp,sh,XMind
 private-tmp
 private-dev
+restrict-namespaces
diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile
index bda639232..2fc1d1b8a 100644
--- a/etc/profile-m-z/Xephyr.profile
+++ b/etc/profile-m-z/Xephyr.profile
@@ -40,3 +40,5 @@ private
 private-dev
 # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
 #private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 223370f30..8bf79f554 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -44,3 +44,5 @@ private
 private-dev
 private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/ZeGrapher.profile b/etc/profile-m-z/ZeGrapher.profile
index 89024f976..6ddc24bf6 100644
--- a/etc/profile-m-z/ZeGrapher.profile
+++ b/etc/profile-m-z/ZeGrapher.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/macrofusion.profile b/etc/profile-m-z/macrofusion.profile
index e8fba41c3..24158d062 100644
--- a/etc/profile-m-z/macrofusion.profile
+++ b/etc/profile-m-z/macrofusion.profile
@@ -42,3 +42,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index 76fc6e6da..e5d994b57 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/makepkg.profile b/etc/profile-m-z/makepkg.profile
index 4ec6ef82e..e9d245a6d 100644
--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -58,3 +58,4 @@ private-cache
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index b8d221dc3..0e3f9e6e2 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -65,3 +65,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
 #read-only /tmp # breaks mandoc (see #4927)
+restrict-namespaces
diff --git a/etc/profile-m-z/manaplus.profile b/etc/profile-m-z/manaplus.profile
index ede669c08..5ee4d0cb5 100644
--- a/etc/profile-m-z/manaplus.profile
+++ b/etc/profile-m-z/manaplus.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index fe0077f3d..7066f4229 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -60,3 +60,5 @@ dbus-user filter
 dbus-user.own com.github.fabiocolacio.marker
 dbus-user.talk ca.desrt.dconf
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index a78927cc5..176506ff2 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -38,3 +38,4 @@ private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 00f0bd9a3..e3a5c6ab6 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -50,3 +50,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index a59f5e139..337c2d6e5 100644
--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -38,3 +38,4 @@ private-lib
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index 3720c824e..e80b220b7 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -42,3 +42,4 @@ private-dev
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 1df04c117..1ebe9aaba 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -31,3 +31,5 @@ seccomp
 private-bin mcabber
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl
+restrict-namespaces
diff --git a/etc/profile-m-z/mcomix.profile b/etc/profile-m-z/mcomix.profile
index e654cc16e..a3ff768b7 100644
--- a/etc/profile-m-z/mcomix.profile
+++ b/etc/profile-m-z/mcomix.profile
@@ -70,3 +70,4 @@ read-write ${HOME}/.local/share/mcomix
 read-write ${HOME}/.local/share
 # used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
 read-write ${HOME}/.thumbnails
+restrict-namespaces
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index 63b07d474..e1025a1fb 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 35d59d439..12d692b72 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile
index f0ef7d010..19ce6fcd1 100644
--- a/etc/profile-m-z/mediathekview.profile
+++ b/etc/profile-m-z/mediathekview.profile
@@ -51,3 +51,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/megaglest.profile b/etc/profile-m-z/megaglest.profile
index a28a66786..73fd65bcd 100644
--- a/etc/profile-m-z/megaglest.profile
+++ b/etc/profile-m-z/megaglest.profile
@@ -53,3 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index dddc7f977..634694363 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -78,3 +78,4 @@ private-dev
 private-tmp
 read-only ${HOME}/.ssh
+restrict-namespaces
diff --git a/etc/profile-m-z/mendeleydesktop.profile b/etc/profile-m-z/mendeleydesktop.profile
index 4f9bcea71..f2626b0c1 100644
--- a/etc/profile-m-z/mendeleydesktop.profile
+++ b/etc/profile-m-z/mendeleydesktop.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 08b155a27..cd4938ec6 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -61,3 +61,4 @@ read-write ${HOME}/.config/menus
 read-write ${HOME}/.gnome/apps
 read-write ${HOME}/.local/share/applications
 read-write ${HOME}/.local/share/flatpak/exports
+restrict-namespaces
diff --git a/etc/profile-m-z/meteo-qt.profile b/etc/profile-m-z/meteo-qt.profile
index 47b4cf8c9..db87b21bc 100644
--- a/etc/profile-m-z/meteo-qt.profile
+++ b/etc/profile-m-z/meteo-qt.profile
@@ -51,3 +51,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/midori.profile b/etc/profile-m-z/midori.profile
index eb037f51b..d1655fabb 100644
--- a/etc/profile-m-z/midori.profile
+++ b/etc/profile-m-z/midori.profile
@@ -62,3 +62,5 @@ tracelog
 disable-mnt
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index 8f1cd0bc6..a26896b19 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -48,3 +48,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile
index 22684be39..e6bf86802 100644
--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -56,3 +56,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index 3d7ede3dc..15474c96e 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -61,3 +61,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 385edbd7a..ce938c867 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -58,3 +58,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
index 2b05bbfde..d36c0fc81 100644
--- a/etc/profile-m-z/mirage.profile
+++ b/etc/profile-m-z/mirage.profile
@@ -58,3 +58,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index 707ef34e9..34721b4a3 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index fdaf885bd..46320f8ea 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -50,3 +50,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
 read-write ${HOME}/.moc
+restrict-namespaces
diff --git a/etc/profile-m-z/mousepad.profile b/etc/profile-m-z/mousepad.profile
index e87c82e30..8e597fa99 100644
--- a/etc/profile-m-z/mousepad.profile
+++ b/etc/profile-m-z/mousepad.profile
@@ -37,3 +37,5 @@ private-bin mousepad
 private-dev
 private-lib
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index 0dd9f7b43..89cee657d 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -41,3 +41,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index e1b26aaf0..77ad30d0c 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -46,7 +46,8 @@ private-dev
 private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
-memory-deny-write-execute
 dbus-user none
 dbus-system none
+memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index ed8a7eee3..1d875c3c4 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -55,3 +55,4 @@ private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/mpd.profile b/etc/profile-m-z/mpd.profile
index 604db8105..d1c4bd24f 100644
--- a/etc/profile-m-z/mpd.profile
+++ b/etc/profile-m-z/mpd.profile
@@ -41,3 +41,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/mpg123.profile b/etc/profile-m-z/mpg123.profile
index d03879836..12650dbc9 100644
--- a/etc/profile-m-z/mpg123.profile
+++ b/etc/profile-m-z/mpg123.profile
@@ -42,3 +42,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index ebb4b0e73..7d9ff39ad 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -37,3 +37,5 @@ seccomp
 private-bin mplayer
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index 9dcdd34a3..e73e3142c 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -68,3 +68,4 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 4ea5740c2..c9706999a 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -86,3 +86,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index f4d8d7f6a..4f7ae09b9 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -56,3 +56,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index 7eb8efae6..d979e7401 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -40,3 +40,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/mtpaint.profile b/etc/profile-m-z/mtpaint.profile
index 5467718e2..363c6fe4a 100644
--- a/etc/profile-m-z/mtpaint.profile
+++ b/etc/profile-m-z/mtpaint.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 283840c17..73107680c 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -49,3 +49,4 @@ disable-mnt
 private-dev
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-m-z/mumble.profile b/etc/profile-m-z/mumble.profile
index e2530efc7..ef09e6fca 100644
--- a/etc/profile-m-z/mumble.profile
+++ b/etc/profile-m-z/mumble.profile
@@ -42,3 +42,4 @@ private-bin mumble
 private-tmp
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-m-z/mupdf.profile b/etc/profile-m-z/mupdf.profile
index 1876dc5ca..954016c2c 100644
--- a/etc/profile-m-z/mupdf.profile
+++ b/etc/profile-m-z/mupdf.profile
@@ -44,3 +44,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/mupen64plus.profile b/etc/profile-m-z/mupen64plus.profile
index 093767c27..f97c6f271 100644
--- a/etc/profile-m-z/mupen64plus.profile
+++ b/etc/profile-m-z/mupen64plus.profile
@@ -31,3 +31,5 @@ seccomp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/musescore.profile b/etc/profile-m-z/musescore.profile
index fa4a37bf8..ca951f70c 100644
--- a/etc/profile-m-z/musescore.profile
+++ b/etc/profile-m-z/musescore.profile
@@ -39,3 +39,5 @@ tracelog
 # private-bin musescore,mscore
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
index 9f83bb428..01b8d20b3 100644
--- a/etc/profile-m-z/musictube.profile
+++ b/etc/profile-m-z/musictube.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 796d7fbb0..d2032dcf6 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -35,3 +35,4 @@ disable-mnt
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl
+# restrict-namespaces
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 6c6341d40..52d30669f 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -146,3 +146,4 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.nanorc
 read-only ${HOME}/.signature
 read-only ${HOME}/.w3m
+restrict-namespaces
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index 41519bbb1..18117965e 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index e8cee2538..a20eb3828 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/natron.profile b/etc/profile-m-z/natron.profile
index 2c7e36a35..b979e1aee 100644
--- a/etc/profile-m-z/natron.profile
+++ b/etc/profile-m-z/natron.profile
@@ -34,3 +34,5 @@ private-bin natron,Natron,NatronRenderer
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/ncdu.profile b/etc/profile-m-z/ncdu.profile
index 010f823d0..09687199b 100644
--- a/etc/profile-m-z/ncdu.profile
+++ b/etc/profile-m-z/ncdu.profile
@@ -35,3 +35,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index a50fdd072..fde1d4d2c 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -62,3 +62,5 @@ dbus-user.talk org.freedesktop.Notifications
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.kde.kwalletd5
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 9000b7972..c255a85c9 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -129,3 +129,4 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.nanorc
 read-only ${HOME}/.signature
 read-only ${HOME}/.w3m
+restrict-namespaces
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 60fc2fa65..4d5265397 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/nethack-vultures.profile b/etc/profile-m-z/nethack-vultures.profile
index d130d5b3a..c07bb7107 100644
--- a/etc/profile-m-z/nethack-vultures.profile
+++ b/etc/profile-m-z/nethack-vultures.profile
@@ -42,3 +42,5 @@ writable-var
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-m-z/nethack.profile b/etc/profile-m-z/nethack.profile
index 9cb7457e5..a43889349 100644
--- a/etc/profile-m-z/nethack.profile
+++ b/etc/profile-m-z/nethack.profile
@@ -44,3 +44,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute
+#restrict-namespaces
diff --git a/etc/profile-m-z/netsurf.profile b/etc/profile-m-z/netsurf.profile
index 0ddb7bbbe..467ce5829 100644
--- a/etc/profile-m-z/netsurf.profile
+++ b/etc/profile-m-z/netsurf.profile
@@ -32,3 +32,5 @@ seccomp
 tracelog
 disable-mnt
+restrict-namespaces
diff --git a/etc/profile-m-z/neverball.profile b/etc/profile-m-z/neverball.profile
index b9a25b66c..68b0ce2ea 100644
--- a/etc/profile-m-z/neverball.profile
+++ b/etc/profile-m-z/neverball.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index 10f9240b7..b80a0a151 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -59,3 +59,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
index 4da14beae..59f16bb10 100644
--- a/etc/profile-m-z/newsflash.profile
+++ b/etc/profile-m-z/newsflash.profile
@@ -57,3 +57,5 @@ dbus-user none
 #dbus-user.own com.gitlab.newsflash
 #dbus-user.talk org.freedesktop.Notifications
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 95f9f5d14..c26942c81 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -69,3 +69,5 @@ dbus-user filter
 dbus-user.talk org.freedesktop.secrets
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 662584892..4e4c7bfe7 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -56,3 +56,5 @@ dbus-user.talk org.freedesktop.secrets
 # Add the next line to your nheko.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/nicotine.profile b/etc/profile-m-z/nicotine.profile
index 22c8b1782..568899eea 100644
--- a/etc/profile-m-z/nicotine.profile
+++ b/etc/profile-m-z/nicotine.profile
@@ -59,3 +59,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index b4da229c4..cefe9fa79 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -49,3 +49,4 @@ private-tmp
 # dbus-system none
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 2ba125a02..f185a04ee 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -100,3 +100,4 @@ dbus-system none
 # Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
 #env GATSBY_TELEMETRY_DISABLED=1
+restrict-namespaces
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index 733de1096..ac8336331 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -42,3 +42,5 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index 7e9290513..11d6bd795 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -57,3 +57,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/nslookup.profile b/etc/profile-m-z/nslookup.profile
index 160385d70..37d9f593c 100644
--- a/etc/profile-m-z/nslookup.profile
+++ b/etc/profile-m-z/nslookup.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/nvim.profile b/etc/profile-m-z/nvim.profile
index 1f8334d08..6f415d60a 100644
--- a/etc/profile-m-z/nvim.profile
+++ b/etc/profile-m-z/nvim.profile
@@ -51,3 +51,4 @@ read-write ${HOME}/.local/share/nvim
 read-write ${HOME}/.local/state/nvim
 read-write ${HOME}/.vim
 read-write ${HOME}/.vimrc
+restrict-namespaces
diff --git a/etc/profile-m-z/nylas.profile b/etc/profile-m-z/nylas.profile
index a86ef478a..8acf09e90 100644
--- a/etc/profile-m-z/nylas.profile
+++ b/etc/profile-m-z/nylas.profile
@@ -35,3 +35,5 @@ protocol unix,inet,inet6,netlink
 seccomp
 private-dev
+restrict-namespaces
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index f58f4fd1c..4f767f046 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -51,3 +51,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/obs.profile b/etc/profile-m-z/obs.profile
index 91abdc032..82e7a4137 100644
--- a/etc/profile-m-z/obs.profile
+++ b/etc/profile-m-z/obs.profile
@@ -40,3 +40,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 0ce3aa088..87c665cba 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -59,3 +59,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 38751aa25..25da2139f 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -44,3 +44,4 @@ dbus-user none
 dbus-system none
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 265ed1490..568b6566e 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -69,4 +69,5 @@ private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,mach
 # memory-deny-write-execute
+restrict-namespaces
 join-or-start okular
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index e9d6ac028..913b499d3 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -53,3 +53,5 @@ private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.pr
 private-tmp
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/onionshare-gui.profile b/etc/profile-m-z/onionshare-gui.profile
index db923056a..47ac9fc05 100644
--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -65,3 +65,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 730ed271d..f6b070ab3 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -39,3 +39,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 87366547f..053f54b48 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/openbox.profile b/etc/profile-m-z/openbox.profile
index b49fd9932..6a256593c 100644
--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -18,3 +18,4 @@ seccomp
 read-only ${HOME}/.config/openbox/autostart
 read-only ${HOME}/.config/openbox/environment
+restrict-namespaces
diff --git a/etc/profile-m-z/opencity.profile b/etc/profile-m-z/opencity.profile
index 3001a355d..a7d147ec9 100644
--- a/etc/profile-m-z/opencity.profile
+++ b/etc/profile-m-z/opencity.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 5f05480d8..3449ac686 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
index 8fe18f12b..be97552ab 100644
--- a/etc/profile-m-z/openmw.profile
+++ b/etc/profile-m-z/openmw.profile
@@ -58,3 +58,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/openshot.profile b/etc/profile-m-z/openshot.profile
index e867eccc3..0082be581 100644
--- a/etc/profile-m-z/openshot.profile
+++ b/etc/profile-m-z/openshot.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user filter
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/openstego.profile b/etc/profile-m-z/openstego.profile
index 05b1d222d..fd8f70531 100644
--- a/etc/profile-m-z/openstego.profile
+++ b/etc/profile-m-z/openstego.profile
@@ -55,3 +55,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/openttd.profile b/etc/profile-m-z/openttd.profile
index 19ba69b14..6e5c09eda 100644
--- a/etc/profile-m-z/openttd.profile
+++ b/etc/profile-m-z/openttd.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/orage.profile b/etc/profile-m-z/orage.profile
index 250e07004..fa16c05e2 100644
--- a/etc/profile-m-z/orage.profile
+++ b/etc/profile-m-z/orage.profile
@@ -36,3 +36,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile
index a2c3e7d1d..f12838b72 100644
--- a/etc/profile-m-z/ostrichriders.profile
+++ b/etc/profile-m-z/ostrichriders.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/otter-browser.profile b/etc/profile-m-z/otter-browser.profile
index 7af611cc4..028c6fe90 100644
--- a/etc/profile-m-z/otter-browser.profile
+++ b/etc/profile-m-z/otter-browser.profile
@@ -56,3 +56,5 @@ private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts
 private-tmp
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index acb2ce176..24701b657 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -22,5 +22,8 @@ ignore seccomp
 #private-etc palemoon
 #private-opt palemoon
+restrict-namespaces
+ignore restrict-namespaces
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index aac1fc5b6..2610ae67a 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
index ca54d7ad4..fb629669a 100644
--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -27,3 +27,5 @@ seccomp
 private-bin dbus-launch,parole
 private-cache
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl
+restrict-namespaces
diff --git a/etc/profile-m-z/patch.profile b/etc/profile-m-z/patch.profile
index 573410630..5a0f69f79 100644
--- a/etc/profile-m-z/patch.profile
+++ b/etc/profile-m-z/patch.profile
@@ -48,3 +48,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index d21157325..88cfd3352 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -53,3 +53,4 @@ dbus-system none
 # mdwe is broken under Wayland, but works under Xorg.
 #memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile
index 9a1e7d420..784d82736 100644
--- a/etc/profile-m-z/pcsxr.profile
+++ b/etc/profile-m-z/pcsxr.profile
@@ -53,3 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index 0441c9e04..2e38dde3b 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -40,3 +40,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/pdfmod.profile b/etc/profile-m-z/pdfmod.profile
index 463deca4c..81115b2e3 100644
--- a/etc/profile-m-z/pdfmod.profile
+++ b/etc/profile-m-z/pdfmod.profile
@@ -41,3 +41,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/pdfsam.profile b/etc/profile-m-z/pdfsam.profile
index 3e56a9c1d..34f8387af 100644
--- a/etc/profile-m-z/pdfsam.profile
+++ b/etc/profile-m-z/pdfsam.profile
@@ -41,3 +41,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index 482181c86..7ece10835 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -53,3 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 9809a488f..24a1bc979 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -59,3 +59,4 @@ dbus-user.talk org.gnome.Shell.Screencast
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/penguin-command.profile b/etc/profile-m-z/penguin-command.profile
index e79e5cbc8..c740f5576 100644
--- a/etc/profile-m-z/penguin-command.profile
+++ b/etc/profile-m-z/penguin-command.profile
@@ -39,3 +39,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index 9f8e094fb..dcb52c846 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/picard.profile b/etc/profile-m-z/picard.profile
index 2350f83a2..b007e3ca9 100644
--- a/etc/profile-m-z/picard.profile
+++ b/etc/profile-m-z/picard.profile
@@ -40,3 +40,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 904c17e09..2dc49a28d 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -45,3 +45,5 @@ tracelog
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/pinball.profile b/etc/profile-m-z/pinball.profile
index 440ee7800..3664e1469 100644
--- a/etc/profile-m-z/pinball.profile
+++ b/etc/profile-m-z/pinball.profile
@@ -52,3 +52,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/ping-hardened.inc.profile b/etc/profile-m-z/ping-hardened.inc.profile
index eda53654a..e3288d2b1 100644
--- a/etc/profile-m-z/ping-hardened.inc.profile
+++ b/etc/profile-m-z/ping-hardened.inc.profile
@@ -9,3 +9,4 @@ protocol unix,inet,inet6
 seccomp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile
index dcb2134c7..2a7967de7 100644
--- a/etc/profile-m-z/ping.profile
+++ b/etc/profile-m-z/ping.profile
@@ -68,3 +68,4 @@ dbus-user none
 dbus-system none
 read-only ${HOME}
+#restrict-namespaces
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 14ac487ab..419dd5d1a 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/pinta.profile b/etc/profile-m-z/pinta.profile
index d5a1b1141..e084a7933 100644
--- a/etc/profile-m-z/pinta.profile
+++ b/etc/profile-m-z/pinta.profile
@@ -38,3 +38,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/pioneer.profile b/etc/profile-m-z/pioneer.profile
index cf79adc6f..dc447def2 100644
--- a/etc/profile-m-z/pioneer.profile
+++ b/etc/profile-m-z/pioneer.profile
@@ -44,3 +44,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/pithos.profile b/etc/profile-m-z/pithos.profile
index 9db4459e1..714ebd86d 100644
--- a/etc/profile-m-z/pithos.profile
+++ b/etc/profile-m-z/pithos.profile
@@ -40,3 +40,4 @@ private-bin env,pithos,python*
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/pitivi.profile b/etc/profile-m-z/pitivi.profile
index 773454c53..5ad20aafc 100644
--- a/etc/profile-m-z/pitivi.profile
+++ b/etc/profile-m-z/pitivi.profile
@@ -39,3 +39,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/pix.profile b/etc/profile-m-z/pix.profile
index fb426681e..49bd8c318 100644
--- a/etc/profile-m-z/pix.profile
+++ b/etc/profile-m-z/pix.profile
@@ -34,3 +34,5 @@ private-bin pix
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index 2af311269..88173edca 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -56,3 +56,4 @@ read-only ${HOME}
 read-only /var/log/apt/history.log
 read-only /var/log/dnf.rpm.log
 read-only /var/log/pacman.log
+restrict-namespaces
diff --git a/etc/profile-m-z/pluma.profile b/etc/profile-m-z/pluma.profile
index 0e4a06b44..efcdaa661 100644
--- a/etc/profile-m-z/pluma.profile
+++ b/etc/profile-m-z/pluma.profile
@@ -48,4 +48,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
 join-or-start pluma
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 2140d1a21..62927f9f7 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -57,3 +57,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.config/PacmanLogViewer
 read-only /var/log/pacman.log
+restrict-namespaces
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index ad30c5703..8e2c39b83 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -53,3 +53,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/polari.profile b/etc/profile-m-z/polari.profile
index 068fd3412..dd730bf76 100644
--- a/etc/profile-m-z/polari.profile
+++ b/etc/profile-m-z/polari.profile
@@ -49,3 +49,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index bf5d9a9c3..58528c372 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index 9faa1fcd6..73b377712 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -35,3 +35,4 @@ private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index 13f48b048..ddc6524a5 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -50,3 +50,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/psi-plus.profile b/etc/profile-m-z/psi-plus.profile
index 8f8b2fff4..af117c3b5 100644
--- a/etc/profile-m-z/psi-plus.profile
+++ b/etc/profile-m-z/psi-plus.profile
@@ -42,3 +42,5 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index 943b8d3ac..be06c5d89 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -75,3 +75,5 @@ private-tmp
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-m-z/pybitmessage.profile b/etc/profile-m-z/pybitmessage.profile
index 358cc36da..ba71ab29d 100644
--- a/etc/profile-m-z/pybitmessage.profile
+++ b/etc/profile-m-z/pybitmessage.profile
@@ -43,3 +43,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,hosts,ld.so.cache,ld.so.preload,localtime,pki,pki,PyBitmessage,PyBitmessage.conf,resolv.conf,selinux,sni-qt.conf,ssl,system-fips,Trolltech.conf,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/qbittorrent.profile b/etc/profile-m-z/qbittorrent.profile
index 2a0f4288f..9605da3ac 100644
--- a/etc/profile-m-z/qbittorrent.profile
+++ b/etc/profile-m-z/qbittorrent.profile
@@ -63,3 +63,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
+restrict-namespaces
diff --git a/etc/profile-m-z/qcomicbook.profile b/etc/profile-m-z/qcomicbook.profile
index f24916630..71374a8c8 100644
--- a/etc/profile-m-z/qcomicbook.profile
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -64,3 +64,4 @@ read-write ${HOME}/.config/PawelStolowski
 read-write ${HOME}/.local/share/PawelStolowski
 #to allow ${HOME}/.local/share/recently-used.xbel
 read-write ${HOME}/.local/share
+restrict-namespaces
diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
index 034a2b7c1..8484d3705 100644
--- a/etc/profile-m-z/qemu-launcher.profile
+++ b/etc/profile-m-z/qemu-launcher.profile
@@ -25,3 +25,4 @@ private-cache
 private-tmp
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile
index e565e0165..495c469f7 100644
--- a/etc/profile-m-z/qemu-system-x86_64.profile
+++ b/etc/profile-m-z/qemu-system-x86_64.profile
@@ -24,3 +24,4 @@ private-cache
 private-tmp
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index 2f8c42548..d4b71f972 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -56,3 +56,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/qlipper.profile b/etc/profile-m-z/qlipper.profile
index d0a14b079..f183f6e0e 100644
--- a/etc/profile-m-z/qlipper.profile
+++ b/etc/profile-m-z/qlipper.profile
@@ -35,3 +35,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/qmmp.profile b/etc/profile-m-z/qmmp.profile
index a3fd56186..ecd62a7d1 100644
--- a/etc/profile-m-z/qmmp.profile
+++ b/etc/profile-m-z/qmmp.profile
@@ -36,3 +36,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index f6576ae2f..037cc96ec 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -52,3 +52,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/qpdfview.profile b/etc/profile-m-z/qpdfview.profile
index 17142a47f..4caa0917f 100644
--- a/etc/profile-m-z/qpdfview.profile
+++ b/etc/profile-m-z/qpdfview.profile
@@ -43,3 +43,5 @@ private-tmp
 # needs D-Bus when started from a file manager
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index e7566cbe4..09b70756b 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -54,3 +54,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index c0d737f00..f95720d71 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-m-z/quassel.profile b/etc/profile-m-z/quassel.profile
index c65089e20..4589c9e4a 100644
--- a/etc/profile-m-z/quassel.profile
+++ b/etc/profile-m-z/quassel.profile
@@ -24,3 +24,5 @@ seccomp !chroot
 private-cache
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
index 686562646..ad45a26d5 100644
--- a/etc/profile-m-z/quaternion.profile
+++ b/etc/profile-m-z/quaternion.profile
@@ -51,3 +51,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/quiterss.profile b/etc/profile-m-z/quiterss.profile
index 761eb7215..a59f01f85 100644
--- a/etc/profile-m-z/quiterss.profile
+++ b/etc/profile-m-z/quiterss.profile
@@ -52,3 +52,4 @@ private-bin quiterss
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl,X11
+restrict-namespaces
diff --git a/etc/profile-m-z/quodlibet.profile b/etc/profile-m-z/quodlibet.profile
index 345e85cdf..ea49684e3 100644
--- a/etc/profile-m-z/quodlibet.profile
+++ b/etc/profile-m-z/quodlibet.profile
@@ -63,3 +63,5 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,
 private-tmp
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/qutebrowser.profile b/etc/profile-m-z/qutebrowser.profile
index 3bdfb2cec..b83a0ce2d 100644
--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -48,7 +48,7 @@ notv
 protocol unix,inet,inet6,netlink
 # blacklisting of chroot system calls breaks qt webengine
 seccomp !chroot,!name_to_handle_at
-# tracelog
+#tracelog
 disable-mnt
 private-cache
@@ -65,3 +65,5 @@ dbus-user.talk org.freedesktop.Notifications
 # with the above lines (might depend on the portal implementation).
 #ignore noroot
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-m-z/raincat.profile b/etc/profile-m-z/raincat.profile
index 3042d5e3f..e320d82f7 100644
--- a/etc/profile-m-z/raincat.profile
+++ b/etc/profile-m-z/raincat.profile
@@ -46,3 +46,4 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/rambox.profile b/etc/profile-m-z/rambox.profile
index a14d7862b..38a093337 100644
--- a/etc/profile-m-z/rambox.profile
+++ b/etc/profile-m-z/rambox.profile
@@ -35,4 +35,6 @@ protocol unix,inet,inet6,netlink
 # electron-based application, needing chroot
 #seccomp
 seccomp !chroot
-# tracelog
+#tracelog
+#restrict-namespaces
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
index e738d8cb3..774b46b28 100644
--- a/etc/profile-m-z/redeclipse.profile
+++ b/etc/profile-m-z/redeclipse.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/rednotebook.profile b/etc/profile-m-z/rednotebook.profile
index 7ee79d4c5..1295ce00d 100644
--- a/etc/profile-m-z/rednotebook.profile
+++ b/etc/profile-m-z/rednotebook.profile
@@ -63,3 +63,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/redshift.profile b/etc/profile-m-z/redshift.profile
index e5564a532..cfc68a697 100644
--- a/etc/profile-m-z/redshift.profile
+++ b/etc/profile-m-z/redshift.profile
@@ -50,3 +50,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 82653c209..571381f57 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -52,3 +52,4 @@ dbus-system none
 # never write anything
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/remmina.profile b/etc/profile-m-z/remmina.profile
index 79630f09c..208f57710 100644
--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -42,3 +42,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/retroarch.profile b/etc/profile-m-z/retroarch.profile
index cb5544f5f..91486dc23 100644
--- a/etc/profile-m-z/retroarch.profile
+++ b/etc/profile-m-z/retroarch.profile
@@ -51,3 +51,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index b4eabf7ee..dccd93429 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -63,3 +63,5 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
 dbus-system filter
 dbus-system.talk org.freedesktop.Avahi
+restrict-namespaces
diff --git a/etc/profile-m-z/ricochet.profile b/etc/profile-m-z/ricochet.profile
index a05c1f310..d5cb77fff 100644
--- a/etc/profile-m-z/ricochet.profile
+++ b/etc/profile-m-z/ricochet.profile
@@ -39,3 +39,4 @@ private-bin ricochet,tor
 private-dev
 #private-etc alternatives,alternatives,ca-certificates,crypto-policies,fonts,pki,ssl,tor,X11
+restrict-namespaces
diff --git a/etc/profile-m-z/ripperx.profile b/etc/profile-m-z/ripperx.profile
index 5740fcfc4..33878e999 100644
--- a/etc/profile-m-z/ripperx.profile
+++ b/etc/profile-m-z/ripperx.profile
@@ -40,3 +40,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/ristretto.profile b/etc/profile-m-z/ristretto.profile
index 6dcf2121b..4562616d2 100644
--- a/etc/profile-m-z/ristretto.profile
+++ b/etc/profile-m-z/ristretto.profile
@@ -39,3 +39,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile
index afd9da70a..186e31b46 100644
--- a/etc/profile-m-z/rpcs3.profile
+++ b/etc/profile-m-z/rpcs3.profile
@@ -59,3 +59,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index a3cb0122c..91b18678f 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -55,3 +55,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
index cd84ce05e..87aa69bcb 100644
--- a/etc/profile-m-z/rtin.profile
+++ b/etc/profile-m-z/rtin.profile
@@ -5,4 +5,5 @@
 # Persistent local customizations
 include rtin.local
+# Redirect
 include tin.profile
diff --git a/etc/profile-m-z/rtorrent.profile b/etc/profile-m-z/rtorrent.profile
index 8c52e3161..a1c735645 100644
--- a/etc/profile-m-z/rtorrent.profile
+++ b/etc/profile-m-z/rtorrent.profile
@@ -31,3 +31,5 @@ private-bin rtorrent
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index c4047ebd4..565925e7a 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -62,3 +62,5 @@ private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,host
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/sayonara.profile b/etc/profile-m-z/sayonara.profile
index c299dd13a..f7ef54f5c 100644
--- a/etc/profile-m-z/sayonara.profile
+++ b/etc/profile-m-z/sayonara.profile
@@ -33,3 +33,4 @@ private-bin sayonara
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/scallion.profile b/etc/profile-m-z/scallion.profile
index f8f9c681c..8f5c00f4a 100644
--- a/etc/profile-m-z/scallion.profile
+++ b/etc/profile-m-z/scallion.profile
@@ -41,3 +41,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/scorched3d.profile b/etc/profile-m-z/scorched3d.profile
index 838286665..a1a0176b9 100644
--- a/etc/profile-m-z/scorched3d.profile
+++ b/etc/profile-m-z/scorched3d.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index 316bad98a..6dfb50c5a 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/scribus.profile b/etc/profile-m-z/scribus.profile
index b9d1e59aa..34cf783fe 100644
--- a/etc/profile-m-z/scribus.profile
+++ b/etc/profile-m-z/scribus.profile
@@ -61,3 +61,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/sdat2img.profile b/etc/profile-m-z/sdat2img.profile
index a353bc495..c0f9e8aa5 100644
--- a/etc/profile-m-z/sdat2img.profile
+++ b/etc/profile-m-z/sdat2img.profile
@@ -41,3 +41,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/seafile-applet.profile b/etc/profile-m-z/seafile-applet.profile
index 00ae021fd..184a06958 100644
--- a/etc/profile-m-z/seafile-applet.profile
+++ b/etc/profile-m-z/seafile-applet.profile
@@ -59,3 +59,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index 45b12f2c8..7ff252ec7 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -52,3 +52,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index af7abc1d9..0b7232cc4 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -67,3 +67,5 @@ dbus-user.own org.gnome.seahorse
 dbus-user.own org.gnome.seahorse.Application
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/seamonkey.profile b/etc/profile-m-z/seamonkey.profile
index 5210a594c..c2dbbc2c6 100644
--- a/etc/profile-m-z/seamonkey.profile
+++ b/etc/profile-m-z/seamonkey.profile
@@ -57,3 +57,5 @@ tracelog
 disable-mnt
 # private-etc adobe,alternatives,asound.conf,ca-certificates,crypto-policies,firefox,fonts,group,gtk-2.0,hostname,hosts,iceweasel,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl
 writable-run-user
+restrict-namespaces
diff --git a/etc/profile-m-z/server.profile b/etc/profile-m-z/server.profile
index 8d8a1dac6..5b71fe6c3 100644
--- a/etc/profile-m-z/server.profile
+++ b/etc/profile-m-z/server.profile
@@ -83,6 +83,9 @@ private-dev
 # private-lib
 # private-opt none
 private-tmp
+# writable-run-user
+# writable-var
+# writable-var-log
 dbus-user none
 # dbus-system none
@@ -90,7 +93,4 @@ dbus-user none
 # deterministic-shutdown
 # memory-deny-write-execute
 # read-only ${HOME}
-# restrict-namespaces
+restrict-namespaces
-# writable-run-user
-# writable-var
-# writable-var-log
diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile
index 6eeba9eb6..65fef339e 100644
--- a/etc/profile-m-z/servo.profile
+++ b/etc/profile-m-z/servo.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/shellcheck.profile b/etc/profile-m-z/shellcheck.profile
index 49c4646ed..cf6b37db6 100644
--- a/etc/profile-m-z/shellcheck.profile
+++ b/etc/profile-m-z/shellcheck.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/shortwave.profile b/etc/profile-m-z/shortwave.profile
index 22cb272c5..cd2a9f13e 100644
--- a/etc/profile-m-z/shortwave.profile
+++ b/etc/profile-m-z/shortwave.profile
@@ -47,3 +47,5 @@ private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/shotcut.profile b/etc/profile-m-z/shotcut.profile
index e2cbce2f5..ec0380ce7 100644
--- a/etc/profile-m-z/shotcut.profile
+++ b/etc/profile-m-z/shotcut.profile
@@ -35,3 +35,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index 44898a2e9..d33a97ffc 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -57,3 +57,5 @@ dbus-user.own org.gnome.Shotwell
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/signal-cli.profile b/etc/profile-m-z/signal-cli.profile
index b70275d0d..d2b604df5 100644
--- a/etc/profile-m-z/signal-cli.profile
+++ b/etc/profile-m-z/signal-cli.profile
@@ -48,3 +48,5 @@ private-dev
 # Does not work with all Java configurations. You will notice immediately, so you might want to give it a try
 #private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/silentarmy.profile b/etc/profile-m-z/silentarmy.profile
index 74a51208c..96e4cf283 100644
--- a/etc/profile-m-z/silentarmy.profile
+++ b/etc/profile-m-z/silentarmy.profile
@@ -37,3 +37,4 @@ private-dev
 private-opt none
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/simple-scan.profile b/etc/profile-m-z/simple-scan.profile
index 4d13a3ad3..14846cf58 100644
--- a/etc/profile-m-z/simple-scan.profile
+++ b/etc/profile-m-z/simple-scan.profile
@@ -38,3 +38,5 @@ tracelog
 # private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
 # private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/simplescreenrecorder.profile b/etc/profile-m-z/simplescreenrecorder.profile
index a68de8f40..6ee9ea6ba 100644
--- a/etc/profile-m-z/simplescreenrecorder.profile
+++ b/etc/profile-m-z/simplescreenrecorder.profile
@@ -36,3 +36,5 @@ tracelog
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/simutrans.profile b/etc/profile-m-z/simutrans.profile
index 733ea6413..6ba735556 100644
--- a/etc/profile-m-z/simutrans.profile
+++ b/etc/profile-m-z/simutrans.profile
@@ -39,3 +39,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/skanlite.profile b/etc/profile-m-z/skanlite.profile
index 1e60fb083..6b73b2289 100644
--- a/etc/profile-m-z/skanlite.profile
+++ b/etc/profile-m-z/skanlite.profile
@@ -33,3 +33,5 @@ seccomp !ioperm
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/slashem.profile b/etc/profile-m-z/slashem.profile
index 8ec692657..3ad182b9e 100644
--- a/etc/profile-m-z/slashem.profile
+++ b/etc/profile-m-z/slashem.profile
@@ -44,3 +44,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute
+#restrict-namespaces
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 00770798e..0ab398ebd 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -52,3 +52,5 @@ private-tmp
 # problems with KDE
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile
index a3a519511..b617444af 100644
--- a/etc/profile-m-z/smtube.profile
+++ b/etc/profile-m-z/smtube.profile
@@ -45,3 +45,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
index 9c93845f5..ffed9d44c 100644
--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -52,3 +52,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index ff8ba38b4..b4658b7af 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -47,3 +47,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/sol.profile b/etc/profile-m-z/sol.profile
index 833b905fe..e2be4e9e0 100644
--- a/etc/profile-m-z/sol.profile
+++ b/etc/profile-m-z/sol.profile
@@ -44,3 +44,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/songrec.profile b/etc/profile-m-z/songrec.profile
index 2e26fbb52..9261c1e3f 100644
--- a/etc/profile-m-z/songrec.profile
+++ b/etc/profile-m-z/songrec.profile
@@ -51,3 +51,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/sound-juicer.profile b/etc/profile-m-z/sound-juicer.profile
index f8b87065b..f5ac6c739 100644
--- a/etc/profile-m-z/sound-juicer.profile
+++ b/etc/profile-m-z/sound-juicer.profile
@@ -40,3 +40,5 @@ private-tmp
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/soundconverter.profile b/etc/profile-m-z/soundconverter.profile
index d32ba87fc..843080cc8 100644
--- a/etc/profile-m-z/soundconverter.profile
+++ b/etc/profile-m-z/soundconverter.profile
@@ -47,3 +47,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index 7637eb868..5a1314315 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -65,3 +65,5 @@ dbus-user.talk org.freedesktop.FileManager1
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kglobalaccel
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index f83fe9a17..4bc23fc04 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -53,3 +53,5 @@ dbus-user filter
 # Add the next line to your spectral.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/spectre-meltdown-checker.profile b/etc/profile-m-z/spectre-meltdown-checker.profile
index 8c089a5af..d21f49e61 100644
--- a/etc/profile-m-z/spectre-meltdown-checker.profile
+++ b/etc/profile-m-z/spectre-meltdown-checker.profile
@@ -49,3 +49,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index bfa3a805a..721e39cd4 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -53,3 +53,5 @@ private-tmp
 # dbus needed for MPRIS
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index 0808685d1..b6eee5293 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -49,3 +49,4 @@ private-tmp
 # dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 35bcdca7c..76755def4 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -33,3 +33,5 @@ writable-run-user
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index c68b82b54..a7956a76e 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -51,3 +51,4 @@ dbus-system none
 deterministic-shutdown
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index 7a59274bf..868c724d2 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -42,3 +42,5 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostnam
 dbus-user none
 dbus-system none
+# restrict-namespaces
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 5e5a8e9bb..f807afdc7 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -178,7 +178,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl,vulkan
 private-tmp
-# dbus-user none
+#dbus-user none
-# dbus-system none
+#dbus-system none
 read-only ${HOME}/.config/MangoHud
+#restrict-namespaces
diff --git a/etc/profile-m-z/stellarium.profile b/etc/profile-m-z/stellarium.profile
index ecb5201e0..c83ff40f8 100644
--- a/etc/profile-m-z/stellarium.profile
+++ b/etc/profile-m-z/stellarium.profile
@@ -43,3 +43,4 @@ private-bin stellarium
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index a6723e9de..e9d2ca430 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -46,3 +46,5 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostnam
 private-tmp
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/strings.profile b/etc/profile-m-z/strings.profile
index 506a38145..8c14ca51f 100644
--- a/etc/profile-m-z/strings.profile
+++ b/etc/profile-m-z/strings.profile
@@ -54,3 +54,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index b222b5be2..896d4bc3e 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -50,3 +50,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index b082cc761..1f532d76c 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 7616217ff..b4eb70fcb 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -60,3 +60,5 @@ private-srv none
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index 78432bf43..3508e11b0 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -36,3 +36,4 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/sushi.profile b/etc/profile-m-z/sushi.profile
index 46f5348fd..7b6a87b31 100644
--- a/etc/profile-m-z/sushi.profile
+++ b/etc/profile-m-z/sushi.profile
@@ -45,3 +45,4 @@ read-only /media
 read-only /run/mount
 read-only /run/media
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile
index 046d1b4be..f71905150 100644
--- a/etc/profile-m-z/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -17,3 +17,5 @@ netfilter
 noroot
 protocol unix,inet,inet6
 seccomp
+restrict-namespaces
diff --git a/etc/profile-m-z/synfigstudio.profile b/etc/profile-m-z/synfigstudio.profile
index 4c290aa01..a2bb7d8e5 100644
--- a/etc/profile-m-z/synfigstudio.profile
+++ b/etc/profile-m-z/synfigstudio.profile
@@ -36,3 +36,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index a0a2ec7bc..cef029401 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -74,3 +74,4 @@ dbus-user.own org.gnome.Sysprof3
 dbus-user.talk ca.desrt.dconf
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
index 57301a54d..bc8444efd 100644
--- a/etc/profile-m-z/tcpdump.profile
+++ b/etc/profile-m-z/tcpdump.profile
@@ -44,3 +44,4 @@ private-dev
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/teamspeak3.profile b/etc/profile-m-z/teamspeak3.profile
index 31df5b97c..41da4ee13 100644
--- a/etc/profile-m-z/teamspeak3.profile
+++ b/etc/profile-m-z/teamspeak3.profile
@@ -39,3 +39,4 @@ disable-mnt
 private-dev
 private-tmp
+# restrict-namespaces
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index a253f9a76..f01cc1c74 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -43,3 +43,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index bdae44ad0..886d303c8 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -56,3 +56,5 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.freedesktop.ScreenSaver
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/telnet.profile b/etc/profile-m-z/telnet.profile
index 527c3c99f..13a47c958 100644
--- a/etc/profile-m-z/telnet.profile
+++ b/etc/profile-m-z/telnet.profile
@@ -51,3 +51,4 @@ dbus-system none
 memory-deny-write-execute
 noexec ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/terasology.profile b/etc/profile-m-z/terasology.profile
index 4af30acc0..9249e33c8 100644
--- a/etc/profile-m-z/terasology.profile
+++ b/etc/profile-m-z/terasology.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
index 3dad84480..f49738f2b 100644
--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -32,3 +32,4 @@ private-cache
 private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index 0ca9cc1ce..3cbf90660 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -65,3 +65,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/tmux.profile b/etc/profile-m-z/tmux.profile
index bb710edc3..a855ff839 100644
--- a/etc/profile-m-z/tmux.profile
+++ b/etc/profile-m-z/tmux.profile
@@ -42,3 +42,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile
index ba7672068..275b170ff 100644
--- a/etc/profile-m-z/tor.profile
+++ b/etc/profile-m-z/tor.profile
@@ -48,3 +48,5 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
 writable-var
+restrict-namespaces
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 9d66c5fa4..fab792826 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -63,3 +63,5 @@ private-tmp
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index dfc20fc00..f83a74e9c 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index 9ecc1e5ea..e21d37040 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -57,3 +57,5 @@ private-tmp
 # makes settings immutable
 # dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/tracker.profile b/etc/profile-m-z/tracker.profile
index 6d7751953..f30b0aef6 100644
--- a/etc/profile-m-z/tracker.profile
+++ b/etc/profile-m-z/tracker.profile
@@ -36,3 +36,5 @@ tracelog
 # private-bin tracker
 # private-dev
 # private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 6dcdf64b6..9937b7c11 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/transmission-common.profile b/etc/profile-m-z/transmission-common.profile
index 78df412d7..0a9029c97 100644
--- a/etc/profile-m-z/transmission-common.profile
+++ b/etc/profile-m-z/transmission-common.profile
@@ -50,3 +50,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 4bcc0affe..21c09067e 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -50,3 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index eb3ae356a..63e964355 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -61,3 +61,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-system none
 read-only ${HOME}/.mozilla/firefox/profiles.ini
+restrict-namespaces
diff --git a/etc/profile-m-z/truecraft.profile b/etc/profile-m-z/truecraft.profile
index 58f600259..f02532936 100644
--- a/etc/profile-m-z/truecraft.profile
+++ b/etc/profile-m-z/truecraft.profile
@@ -36,3 +36,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/tuxguitar.profile b/etc/profile-m-z/tuxguitar.profile
index 807d43281..ab2b359e4 100644
--- a/etc/profile-m-z/tuxguitar.profile
+++ b/etc/profile-m-z/tuxguitar.profile
@@ -43,3 +43,5 @@ tracelog
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/tvbrowser.profile b/etc/profile-m-z/tvbrowser.profile
index 6c1dcc603..518dc95c7 100644
--- a/etc/profile-m-z/tvbrowser.profile
+++ b/etc/profile-m-z/tvbrowser.profile
@@ -50,3 +50,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/udiskie.profile b/etc/profile-m-z/udiskie.profile
index e9a2745bf..7e3c7ac5a 100644
--- a/etc/profile-m-z/udiskie.profile
+++ b/etc/profile-m-z/udiskie.profile
@@ -42,3 +42,5 @@ private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/uefitool.profile b/etc/profile-m-z/uefitool.profile
index 3629f66f8..3d8f59df6 100644
--- a/etc/profile-m-z/uefitool.profile
+++ b/etc/profile-m-z/uefitool.profile
@@ -36,3 +36,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/uget-gtk.profile b/etc/profile-m-z/uget-gtk.profile
index 948f61801..d8840fad3 100644
--- a/etc/profile-m-z/uget-gtk.profile
+++ b/etc/profile-m-z/uget-gtk.profile
@@ -36,3 +36,5 @@ seccomp
 private-bin uget-gtk
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/unbound.profile b/etc/profile-m-z/unbound.profile
index d18c9fe94..63d84688c 100644
--- a/etc/profile-m-z/unbound.profile
+++ b/etc/profile-m-z/unbound.profile
@@ -52,3 +52,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 70c54a6bd..6ec6ea609 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -56,3 +56,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/unknown-horizons.profile b/etc/profile-m-z/unknown-horizons.profile
index 755d087ea..3e2b28dec 100644
--- a/etc/profile-m-z/unknown-horizons.profile
+++ b/etc/profile-m-z/unknown-horizons.profile
@@ -41,3 +41,4 @@ private-tmp
 # doesn't work - maybe all Tcl/Tk programs have this problem
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index bb53917cf..f85e52273 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -46,3 +46,4 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index 7ac23bcb9..29d88832c 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -44,3 +44,5 @@ private-etc alternatives,ld.so.cache,ld.so.preload
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/uzbl-browser.profile b/etc/profile-m-z/uzbl-browser.profile
index dcdae279f..dfda684e3 100644
--- a/etc/profile-m-z/uzbl-browser.profile
+++ b/etc/profile-m-z/uzbl-browser.profile
@@ -39,3 +39,5 @@ notv
 protocol unix,inet,inet6
 seccomp
 tracelog
+restrict-namespaces
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index 6d7fa94e7..cdf615a02 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -50,3 +50,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issues #1803 and #1808)
+restrict-namespaces
diff --git a/etc/profile-m-z/viking.profile b/etc/profile-m-z/viking.profile
index 65f1e2619..6ec74edd8 100644
--- a/etc/profile-m-z/viking.profile
+++ b/etc/profile-m-z/viking.profile
@@ -34,3 +34,4 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/vim.profile b/etc/profile-m-z/vim.profile
index a6e05a32a..6847f1f5e 100644
--- a/etc/profile-m-z/vim.profile
+++ b/etc/profile-m-z/vim.profile
@@ -32,3 +32,5 @@ protocol unix,inet,inet6
 seccomp
 private-dev
+restrict-namespaces
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index b9b40e348..34e580085 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -53,3 +53,5 @@ dbus-user.talk org.freedesktop.ScreenSaver
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.mpris.MediaPlayer2.Player
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
index 1703c95e1..ba4136413 100644
--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/vym.profile b/etc/profile-m-z/vym.profile
index dbfbcca8a..be1ef153b 100644
--- a/etc/profile-m-z/vym.profile
+++ b/etc/profile-m-z/vym.profile
@@ -33,3 +33,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index f5744e52c..fab5315aa 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -68,3 +68,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index 6b32a1613..37a8f78bb 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -53,3 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index 0e3b88a02..c7f1d4c50 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -54,3 +54,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/warzone2100.profile b/etc/profile-m-z/warzone2100.profile
index 3e2c9b929..50c776412 100644
--- a/etc/profile-m-z/warzone2100.profile
+++ b/etc/profile-m-z/warzone2100.profile
@@ -47,3 +47,5 @@ disable-mnt
 private-bin bash,dash,sh,warzone2100,which
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index ec6a0d7ab..6e5a63911 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -42,3 +42,5 @@ seccomp
 private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index 057e75372..b42d4c380 100644
--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -36,3 +36,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/weechat.profile b/etc/profile-m-z/weechat.profile
index 07babd502..b190bf5ff 100644
--- a/etc/profile-m-z/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -28,3 +28,5 @@ seccomp
 # no private-bin support for various reasons:
 # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
 # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
+restrict-namespaces
diff --git a/etc/profile-m-z/wesnoth.profile b/etc/profile-m-z/wesnoth.profile
index 345b26a2c..b6f29cfbf 100644
--- a/etc/profile-m-z/wesnoth.profile
+++ b/etc/profile-m-z/wesnoth.profile
@@ -36,3 +36,5 @@ seccomp
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 1258b6fce..5e1823593 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -61,3 +61,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 4891af458..d8c72ac8b 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -54,3 +54,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/widelands.profile b/etc/profile-m-z/widelands.profile
index 99a3fae8c..30a471fac 100644
--- a/etc/profile-m-z/widelands.profile
+++ b/etc/profile-m-z/widelands.profile
@@ -45,3 +45,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index f30fc971f..1e2b164b9 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -40,3 +40,5 @@ notv
 seccomp
 private-dev
+restrict-namespaces
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index 0a13c25aa..5823a2ad7 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -52,3 +52,5 @@ private-tmp
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index 8f9c44d7d..ccc2e8dd0 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -49,3 +49,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile
index 1287faa2c..7f85e1ede 100644
--- a/etc/profile-m-z/wps.profile
+++ b/etc/profile-m-z/wps.profile
@@ -46,3 +46,5 @@ private-tmp
 dbus-user none
 dbus-system none
+#restrict-namespaces
diff --git a/etc/profile-m-z/x-terminal-emulator.profile b/etc/profile-m-z/x-terminal-emulator.profile
index 141d167a8..4b88e8118 100644
--- a/etc/profile-m-z/x-terminal-emulator.profile
+++ b/etc/profile-m-z/x-terminal-emulator.profile
@@ -21,3 +21,4 @@ dbus-user none
 dbus-system none
 noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/x2goclient.profile b/etc/profile-m-z/x2goclient.profile
index b8bbba072..6dd374aac 100644
--- a/etc/profile-m-z/x2goclient.profile
+++ b/etc/profile-m-z/x2goclient.profile
@@ -48,3 +48,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index 72e6d04a0..1b44b63e0 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -51,3 +51,4 @@ dbus-system none
 memory-deny-write-execute
 read-only ${HOME}
+restrict-namespaces
diff --git a/etc/profile-m-z/xcalc.profile b/etc/profile-m-z/xcalc.profile
index fef5613ad..3d808ce1f 100644
--- a/etc/profile-m-z/xcalc.profile
+++ b/etc/profile-m-z/xcalc.profile
@@ -40,3 +40,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/xchat.profile b/etc/profile-m-z/xchat.profile
index a94444aab..4061e26a4 100644
--- a/etc/profile-m-z/xchat.profile
+++ b/etc/profile-m-z/xchat.profile
@@ -21,3 +21,5 @@ protocol unix,inet,inet6
 seccomp
 # private-bin requires perl, python*, etc.
+restrict-namespaces
diff --git a/etc/profile-m-z/xed.profile b/etc/profile-m-z/xed.profile
index f117e96ab..dda803bd5 100644
--- a/etc/profile-m-z/xed.profile
+++ b/etc/profile-m-z/xed.profile
@@ -51,3 +51,4 @@ private-tmp
 # xed uses python plugins, memory-deny-write-execute breaks python
 # memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/xfburn.profile b/etc/profile-m-z/xfburn.profile
index 930d2755b..141fda909 100644
--- a/etc/profile-m-z/xfburn.profile
+++ b/etc/profile-m-z/xfburn.profile
@@ -28,3 +28,5 @@ tracelog
 # private-bin xfburn
 # private-dev
 # private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-dict.profile b/etc/profile-m-z/xfce4-dict.profile
index 7afe69814..633a9967c 100644
--- a/etc/profile-m-z/xfce4-dict.profile
+++ b/etc/profile-m-z/xfce4-dict.profile
@@ -37,3 +37,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 006e1859b..95eb2046e 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -54,3 +54,4 @@ dbus-user.talk org.xfce.Xfconf
 dbus-system none
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-notes.profile b/etc/profile-m-z/xfce4-notes.profile
index 4ab8f34f4..f7d890eef 100644
--- a/etc/profile-m-z/xfce4-notes.profile
+++ b/etc/profile-m-z/xfce4-notes.profile
@@ -39,3 +39,4 @@ private-cache
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index ca4d77d73..575acc9b2 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -48,3 +48,4 @@ dbus-user none
 dbus-system none
 # memory-deny-write-execute -- see #3790
+restrict-namespaces
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index c755632ca..371db722c 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -48,3 +48,5 @@ private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/xmms.profile b/etc/profile-m-z/xmms.profile
index e255ad927..ef8fd1d7f 100644
--- a/etc/profile-m-z/xmms.profile
+++ b/etc/profile-m-z/xmms.profile
@@ -29,3 +29,5 @@ seccomp
 private-bin xmms
 private-dev
+restrict-namespaces
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index 64b6bcaeb..ad1ba8ca3 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -43,3 +43,4 @@ private-opt cuda
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 3c5ef1ac0..9128c330b 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -53,3 +53,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.xonotic
+restrict-namespaces
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index 71942edab..a17464a2a 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -48,3 +48,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/xpdf.profile b/etc/profile-m-z/xpdf.profile
index 33803a741..fdfb3bf59 100644
--- a/etc/profile-m-z/xpdf.profile
+++ b/etc/profile-m-z/xpdf.profile
@@ -42,3 +42,4 @@ dbus-user none
 dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index 1087d7cd0..a673d6aa3 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -47,3 +47,5 @@ private-tmp
 # makes settings immutable
 # dbus-user none
 # dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/xpra.profile b/etc/profile-m-z/xpra.profile
index c10ea4a63..05c12b9a2 100644
--- a/etc/profile-m-z/xpra.profile
+++ b/etc/profile-m-z/xpra.profile
@@ -51,3 +51,5 @@ disable-mnt
 private-dev
 # private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,nsswitch.conf,resolv.conf,X11,xpra
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index ec966fc5c..ff5dc619b 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -42,3 +42,4 @@ private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/xviewer.profile b/etc/profile-m-z/xviewer.profile
index e7fa7051e..6c31df4a9 100644
--- a/etc/profile-m-z/xviewer.profile
+++ b/etc/profile-m-z/xviewer.profile
@@ -46,3 +46,4 @@ private-tmp
 # dbus-system none
 memory-deny-write-execute
+restrict-namespaces
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index ae0ccced6..6ea7fdfbd 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -74,3 +74,5 @@ read-write ${HOME}/.cache
 # your yelp.local if you need PDF printing support.
 #noblacklist ${DOCUMENTS}
 #whitelist ${DOCUMENTS}
+restrict-namespaces
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index 48e18060f..c846893ef 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -53,3 +53,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 19e176877..4f2cc9523 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -64,3 +64,4 @@ dbus-user none
 dbus-system none
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
+restrict-namespaces
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index 28c219377..f66e2938b 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -67,3 +67,5 @@ dbus-user filter
 dbus-user.talk org.mozilla.*
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/zaproxy.profile b/etc/profile-m-z/zaproxy.profile
index 0caca9792..96324ebda 100644
--- a/etc/profile-m-z/zaproxy.profile
+++ b/etc/profile-m-z/zaproxy.profile
@@ -44,3 +44,4 @@ disable-mnt
 private-dev
 private-tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/zart.profile b/etc/profile-m-z/zart.profile
index cd94a3fbd..5816ea5e3 100644
--- a/etc/profile-m-z/zart.profile
+++ b/etc/profile-m-z/zart.profile
@@ -35,3 +35,5 @@ private-dev
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/zathura.profile b/etc/profile-m-z/zathura.profile
index 12b090d35..1daf89c84 100644
--- a/etc/profile-m-z/zathura.profile
+++ b/etc/profile-m-z/zathura.profile
@@ -59,3 +59,4 @@ dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.config/zathura
 read-write ${HOME}/.local/share/zathura
+restrict-namespaces
diff --git a/etc/profile-m-z/zeal.profile b/etc/profile-m-z/zeal.profile
index 84f6d52dd..453f40e73 100644
--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -69,3 +69,4 @@ dbus-user.talk org.mozilla.*
 dbus-system none
 # memory-deny-write-execute - breaks on Arch
+restrict-namespaces
diff --git a/etc/profile-m-z/zim.profile b/etc/profile-m-z/zim.profile
index 7350ed5a6..a9e5aa5c3 100644
--- a/etc/profile-m-z/zim.profile
+++ b/etc/profile-m-z/zim.profile
@@ -68,3 +68,5 @@ private-tmp
 dbus-user none
 dbus-system none
+restrict-namespaces
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index 5f7d83a7c..b69de3be1 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -45,3 +45,5 @@ private-cache
 private-dev
 private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
+restrict-namespaces