384 files changed, 2409 insertions, 1588 deletions

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 000000000..6b329f917
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+/etc/inc/*.inc linguist-language=text
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 0f13afc51..eb485b8a2 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,6 +7,13 @@ assignees: ''
 
 ---
 
+<!--
+See the following links for help with formatting:
+
+https://guides.github.com/features/mastering-markdown/
+https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax
+-->
+
 ### Description
 
 _Describe the bug_
@@ -15,7 +22,7 @@ _Describe the bug_
 
 _Steps to reproduce the behavior_
 
-1. Run in bash `LANG=C firejail PROGRAM` (`LANG=C` to get English messages that can be understood by everybody)
+1. Run in bash `LC_ALL=C firejail PROGRAM` (`LC_ALL=C` to get a consistent output in English that can be understood by everybody)
 2. Click on '....'
 3. Scroll down to '....'
 4. See error `ERROR`
@@ -30,7 +37,7 @@ _What actually happened_
 
 ### Behavior without a profile
 
-_What changed calling `firejail --noprofile /path/to/program` in a terminal?_
+_What changed calling `LC_ALL=C firejail --noprofile /path/to/program` in a terminal?_
 
 ### Additional context
 
@@ -44,6 +51,12 @@ _Any other detail that may help to understand/debug the problem_
 
 ### Checklist
 
+<!--
+Note: Items are checked with an "x", like so:
+
+- [x] This is a checked item.
+-->
+
 - [ ] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
 - [ ] I can reproduce the issue without custom modifications (e.g. globals.local).
 - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
@@ -55,7 +68,7 @@ _Any other detail that may help to understand/debug the problem_
 ### Log
 
 <details>
-<summary>Output of <code>firejail /path/to/program</code></summary>
+<summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary>
 <p>
 
 ```
@@ -66,7 +79,7 @@ output goes here
 </details>
 
 <details>
-<summary>Output of <code>firejail --debug /path/to/program</code></summary>
+<summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary>
 <p>
 
 ```
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 57ac2e9c4..7cb92a938 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,4 +1,3 @@
-
 If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR.
 
 If you submit a PR for new profiles or changing profiles, please do the following:
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
new file mode 100644
index 000000000..951a8b8cf
--- /dev/null
+++ b/.github/workflows/profile-checks.yml
@@ -0,0 +1,31 @@
+name: Profile Checks
+
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'ci/check/profiles/**'
+      - 'src/firecfg/firecfg.config'
+      - 'contrib/sort.py'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'ci/check/profiles/**'
+      - 'src/firecfg/firecfg.config'
+      - 'contrib/sort.py'
+
+jobs:
+  profile-checks:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: sort.py
+      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+    - name: private-etc-always-required.sh
+      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+    - name: sort-disable-programs.sh
+      run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
+    - name: sort-firecfg.config.sh
+      run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
deleted file mode 100644
index f3ded0f22..000000000
--- a/.github/workflows/sort.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: sort.py
-
-on:
-  push:
-    branches: [ master ]
-    paths:
-      - 'etc/**'
-      - 'contrib/sort.py'
-  pull_request:
-    branches: [ master ]
-    paths:
-      - 'etc/**'
-      - 'contrib/sort.py'
-
-jobs:
-  profile-sort:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: check profiles
-      run: ./contrib/sort.py etc/*/{*.inc,*.profile}
-
diff --git a/COPYING b/COPYING
index b6e1c33e0..d159169d1 100644
--- a/COPYING
+++ b/COPYING
@@ -1,12 +1,12 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 2, June 1991
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-                            Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
 
   When we speak of free software, we are referring to freedom, not
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
-                    GNU GENERAL PUBLIC LICENSE
+
+                    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License applies to any program or other work which contains
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -255,7 +255,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 
-                            NO WARRANTY
+                            NO WARRANTY
 
   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -277,4 +277,63 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-                     END OF TERMS AND CONDITIONS
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
diff --git a/Makefile.in b/Makefile.in
index c94d8c7a4..11193122d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -144,9 +144,13 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
         # install apparmor profile
         sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
         install -m 0644 etc/apparmor/firejail-default $(DESTDIR)$(sysconfdir)/apparmor.d
-        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
         # install apparmor profile customization file
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default ]; then install -c -m 0644 etc/apparmor/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-default; fi;"
+        # install apparmor base abstraction drop-in
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions; fi;"
+        sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/abstractions/base.d; fi;"
+        install -m 0644 etc/apparmor/firejail-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/base.d
 endif
 ifneq ($(HAVE_MAN),no)
         # man pages
diff --git a/README b/README
index a15e493ff..6a260a330 100644
--- a/README
+++ b/README
@@ -1,13 +1,13 @@
-Firejail  is  a  SUID sandbox program that reduces the risk of security
-breaches by restricting the running environment of  untrusted  applications
+Firejail is a SUID sandbox program that reduces the risk of security
+breaches by restricting the running environment of untrusted applications
 using Linux namespaces and seccomp-bpf. It includes sandbox profiles for
 Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission,
 VLC, Audacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent.
 DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove,
 Pidgin, Quassel, and XChat.
 
-Firejail also expands the restricted shell facility found  in  bash  by adding
-Linux  namespace support. It supports sandboxing specific users upon login.
+Firejail also expands the restricted shell facility found in bash by adding
+Linux namespace support. It supports sandboxing specific users upon login.
 
 Download: https://sourceforge.net/projects/firejail/files/
 Build and install: ./configure && make && sudo make install
@@ -68,11 +68,14 @@ Firejail Authors (alphabetical order)
         - fix flameshot raw screenshots
 1dnrr (https://github.com/1dnrr)
         - add pybitmessage profile
+a1346054 (https://github.com/a1346054)
+        - add missing final newlines in various files
 Ádler Jonas Gross (https://github.com/adgross)
         - AppArmor fix
 Adrian L. Shaw (https://github.com/adrianlshaw)
         - add profanity profile
         - add barrirer profile
+        - add profile for Beyond All Reason
 Aidan Gauland (https://github.com/aidalgol)
         - added electron, riot-web and npm profiles
         - whitelist Bohemia Interactive config dir for Steam
@@ -221,6 +224,8 @@ Carlo Abelli (https://github.com/carloabelli)
         - fixed simple-scan
 Cat (https://github.com/ecat3)
         - prevent tmux connecting to an existing session
+cayday (https://github.com/caydey)
+        - added ~/Private blacklist in disable-common.inc
 Christian Pinedo (https://github.com/chrpinedo)
         - added nicotine profile
         - allow python3 in totem profile
@@ -246,6 +251,9 @@ crass (https://github.com/crass)
         - extract_command_name fixes
         - update appimage size calculation to newest code from libappimage
         - firejail should look for processes with names exactly named
+croket (https://github.com/crocket)
+        - fix librewolf profile
+        - added profiles for imv, retroarch, and torbrowser
 curiosity-seeker (https://github.com/curiosity-seeker - old)
 curiosityseeker (https://github.com/curiosityseeker - new)
         - tightening unbound and dnscrypt-proxy profiles
@@ -304,6 +312,8 @@ DiGitHubCap (https://github.com/DiGitHubCap)
         - fix qt5ct colour schemes and QSS
 Disconnect3d (https://github.com/disconnect3d)
         - code cleanup
+dm9pZCAq (https://github.com/dm9pZCAq)
+        - fix for compilation under musl
 dmfreemon (https://github.com/dmfreemon)
         - add sandbox name or name of private directory to the window title when xpra is used
         - handle malloc() failures; use gnu_basename() instead of basenaem()
@@ -454,7 +464,7 @@ hawkey116477 (https://github.com/hawkeye116477)
 Helmut Grohne (https://github.com/helmutg)
         -  compiler support in the build system - Debian bug #869707
 hhzek0014 (https://github.com/hhzek0014)
-        - updated  bibletime.profile
+        - updated bibletime.profile
 hlein (https://github.com/hlein)
         - strip out \r's from jail prober
 Holger Heinz (https://github.com/hheinz)
@@ -490,6 +500,10 @@ James Elford (https://github.com/jelford)
         - removed shell none from ssh-agent configuration, fixing the infinite loop
         - added gcloud profile
         - blacklist sensitive cloud provider files in disable-common
+Jan-Niclas (https://github.com/0x6a61)
+        - moved rules from firefox-common.profile to firefox.profile
+        - blacklist /*firefox* except for firefox itself
+        - fix Firefox 'Profile not found' - whitelist /run/user/xxx/firefox
 Jean Lucas (https://github.com/flacks)
         - fix Discord profile
         - add AnyDesk profile
@@ -526,6 +540,7 @@ John Mullee (https://github.com/jmullee)
 Jonas Heinrich (https://github.com/onny)
         - added signal-desktop profile
         - fixed franz profile
+        - remove /etc/hosts is_link check for NixOS
 Jose Riha (https://github.com/jose1711)
         - added meteo-qt profile
         - created qgis, links, xlinks profiles
@@ -536,6 +551,8 @@ Jose Riha (https://github.com/jose1711)
         - Add profile for udiskie
         - fix udiskie.profile
         - improve hints for allowing browser access to Gnome extensions connector
+        - fix warshow, jumpnbump, tremulous, blobwars profile fixes
+        - drop noinput for games with gampad/joystick support
 jrabe (https://github.com/jrabe)
         - disallow access to kdbx files
         - Epiphany profile
@@ -568,7 +585,7 @@ Kishore96in (https://github.com/Kishore96in)
         - added falkon profile
         - kxmlgui fixes
         - okular profile fixes
-        -  jitsi-meet-desktop profile
+        - jitsi-meet-desktop profile
         - konversatin profile fix
         - added Neochat profile
         - added whitelist-1793-workaround.inc
@@ -595,6 +612,9 @@ Laurent Declercq (https://github.com/nuxwin)
         - fixed test for shell interpreter in chroots
 LaurentGH (https://github.com/LaurentGH)
         - allow private-bin parameters to be absolute paths
+lecso7 (https://github.com/lecso7)
+        - added goldendict profile
+        - allow evince to read .cbz file format
 Loïc Damien (https://github.com/dzamlo)
         - small fixes
 Liorst4 (https://github.com/Liorst4)
@@ -627,6 +647,8 @@ Martin Carpenter (https://github.com/mcarpenter)
 Martin Dosch (spam-debian@mdosch.de)
         - support for gnome-shell integration addon in Firefox
           (Bug-Debian: https://bugs.debian.org/872720)
+Martynas Janonis (https://github.com/mjanonis)
+        - update wrc for Arch Linux
 Matt Parnell (https://github.com/ilikenwf)
         - whitelisting for core firefox related functionality
 Mattias Wadman (https://github.com/wader)
@@ -699,7 +721,7 @@ Ondra Nekola (https://github.com/satai)
 OndrejMalek (https://github.com/OndrejMalek)
         - various manpage fixes
 Ondřej Nový (https://github.com/onovy)
-        -  allow video for Signal profile
+        - allow video for Signal profile
         - added Mattermost desktop profile
         - hardened Zoom profile
         - hardened Signal desktop profile
@@ -716,7 +738,7 @@ Patrick Toomey (https://sourceforge.net/u/ptoomey/profile/)
 Paul Moore <pmoore@redhat.com>
         -src/fsec-print/print.c extracted from libseccomp software package
 Paupiah Yash (https://github.com/CaffeinatedStud)
-        - gzip  profile
+        - gzip profile
 Pawel (https://github.com/grimskies)
         - make --join return exit code of the invoked program
 Peter Millerchip (https://github.com/pmillerchip)
@@ -944,7 +966,7 @@ SYN-cook (https://github.com/SYN-cook)
         - gnome-calculator changes
 startx2017 (https://github.com/startx2017)
         - syscall list update
-        - updated default seccomp filters - added  bpf, clock_settime, personality, process_vm_writev, query_module,
+        - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module,
                       settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old
         - enable/disable join support in /etc/firejail/firejail.config
         - firecfg fix: create ~/.local/share/applications directory if it doesn't exist
@@ -995,10 +1017,11 @@ Topi Miettinen (https://github.com/topimiettinen)
         - improve loading of seccomp filter and memory-deny-write-execute feature
         - private-lib feature
         - make --nodbus block also system D-Bus socket
-Ted Robertson  (https://github.com/tredondo)
+Ted Robertson (https://github.com/tredondo)
         - webstorm profile fixes
         - added bcompare profile
         - various documentation fixes
+        - blacklist Exodus wallet
 user1024 (user1024@tut.by)
         - electron profile whitelisting
         - fixed Rocket.Chat profile
@@ -1054,7 +1077,7 @@ vismir2 (https://github.com/vismir2)
         - feh, ranger, 7z, keepass, keepassx and zathura profiles
         - claws-mail, mutt, git, emacs, vim profiles
         - lots of profile fixes
-        -  support for truecrypt and zuluCrypt
+        - support for truecrypt and zuluCrypt
 viq (https://github.com/viq)
         - discord-canary profile
 Vladimir Gorelov (https://github.com/larkvirtual)
@@ -1062,11 +1085,12 @@ Vladimir Gorelov (https://github.com/larkvirtual)
 Vladimir Schowalter (https://github.com/VladimirSchowalter20)
         - apparmor profile enhancements
         - various KDE profile enhancements
-        read-only kde5 services directory
+        - read-only kde5 services directory
 Vladislav Nepogodin (https://github.com/vnepogodin)
         - added Librewolf profiles
         - added Sway profile
         - fix CLion profile
+        - fixes for disable-programs.inc
 xee5ch (https://github.com/xee5ch)
         - skypeforlinux profile
 Ypnose (https://github.com/Ypnose)
diff --git a/README.md b/README.md
index 0623d9463..c58ef84c0 100644
--- a/README.md
+++ b/README.md
@@ -22,43 +22,23 @@ implemented directly in Linux kernel and available on any Linux computer.
 <table><tr>
 
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=8jfXL0ePV7U
-" target="_blank"><img src="http://img.youtube.com/vi/8jfXL0ePV7U/0.jpg"
-alt="Firejail Introduction" width="240" height="180" border="10" /><br/>Firejail Intro</a>
+<a href="https://www.brighteon.com/1928415c-2bce-40b2-a81f-7861a3734913" target="_blank">
+<img src="https://video.brighteon.com/file/Brighteon-staging/thumbnail/682ae17c-3fd8-4813-9c4e-6917c7cd2a5c.0000001.jpg"
+alt="Introduction" width="240" height="142" border="10" /><br/>Introduction</a>
 </td>
 
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=J1ZsXrpAgBU
-" target="_blank"><img src="http://img.youtube.com/vi/J1ZsXrpAgBU/0.jpg"
-alt="Firejail Demo" width="240" height="180" border="10" /><br/>Firejail Demo</a>
+<a href="https://www.brighteon.com/c20c32ac-1953-438f-8640-a414dcb318d6" target="_blank">
+<img src="https://photos.brighteon.com/thumbnail/ecd8b0ca-7564-4993-a676-bbe4aa21cffc"
+alt="Technology" width="240" height="142" border="10" /><br/>Technology</a>
 </td>
 
 <td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=EyEz65RYfw4
-" target="_blank"><img src="http://img.youtube.com/vi/EyEz65RYfw4/0.jpg"
-alt="Debian Install" width="240" height="180" border="10" /><br/>Debian Install</a>
+<a href="https://www.brighteon.com/94ae1731-2352-4cda-bb48-7cc7a6ad32f8" target="_blank">
+<img src="https://photos.brighteon.com/thumbnail/5c90254c-61f3-4927-ac57-ae279dc543cf"
+alt="Deep Dive" width="240" height="142" border="10" /><br/>Deep Dive</a>
 </td>
 
-
-</tr><tr>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=Uy2ZTHc4s0w
-" target="_blank"><img src="http://img.youtube.com/vi/Uy2ZTHc4s0w/0.jpg"
-alt="Arch Linux Install" width="240" height="180" border="10" /><br/>Arch Linux Install</a>
-
-</td>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=xuMxRx0zSfQ
-" target="_blank"><img src="http://img.youtube.com/vi/xuMxRx0zSfQ/0.jpg"
-alt="Disable Network Access" width="240" height="180" border="10" /><br/>Disable Network Access</a>
-
-</td>
-<td>
-<a href="http://www.youtube.com/watch?feature=player_embedded&v=N-Mso2bSr3o
-" target="_blank"><img src="http://img.youtube.com/vi/N-Mso2bSr3o/0.jpg"
-alt="Firejail Security Deep Dive" width="240" height="180" border="10" /><br/>Firejail Security Deep Dive</a>
-
-</td>
 </tr></table>
 
 Project webpage: https://firejail.wordpress.com/
@@ -116,7 +96,7 @@ https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-loca
 
 Try installing Firejail from your system packages first. Firejail is included in Alpine, ALT Linux, Arch, Artix, Chakra, Debian, Deepin, Devuan, Fedora, Gentoo, Manjaro, Mint, NixOS, Parabola, Parrot, PCLinuxOS, ROSA, Solus, Slackware/SlackBuilds, Trisquel, Ubuntu, Void and possibly others.
 
-The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian buster we recommend to use the [backports](https://packages.debian.org/buster-backports/firejail) package.
+The firejail 0.9.52-LTS version is deprecated. On Ubuntu 18.04 LTS users are advised to use the [PPA](https://launchpad.net/~deki/+archive/ubuntu/firejail). On Debian stable (bullseye) we recommend to use the [backports](https://packages.debian.org/bullseye-backports/firejail) package.
 
 You can also install one of the [released packages](http://sourceforge.net/projects/firejail/files/firejail), or clone Firejail’s source code from our Git repository and compile manually:
 
@@ -239,32 +219,33 @@ A small tool to print profile statistics. Compile as usual and run in /etc/profi
 $ sudo cp src/profstats/profstats /etc/firejail/.
 $ cd /etc/firejail
 $ ./profstats *.profile
-    profiles                    1150
-    include local profile       1150   (include profile-name.local)
-    include globals             1120   (include globals.local)
-    blacklist ~/.ssh            1026   (include disable-common.inc)
-    seccomp                     1050
-    capabilities                1146
-    noexec                      1030   (include disable-exec.inc)
-    noroot                      959
-    memory-deny-write-execute   253
-    apparmor                    681
-    private-bin                 667
-    private-dev                 1009
-    private-etc                 523
-    private-tmp                 883
-    whitelist home directory    547
-    whitelist var               818   (include whitelist-var-common.inc)
-    whitelist run/user          616   (include whitelist-runuser-common.inc
+    profiles                    1167
+    include local profile       1167   (include profile-name.local)
+    include globals             1136   (include globals.local)
+    blacklist ~/.ssh            1042   (include disable-common.inc)
+    seccomp                     1062
+    capabilities                1163
+    noexec                      1049   (include disable-exec.inc)
+    noroot                      971
+    memory-deny-write-execute   256
+    apparmor                    693
+    private-bin                 677
+    private-dev                 1027
+    private-etc                 532
+    private-tmp                 897
+    whitelist home directory    557
+    whitelist var               836   (include whitelist-var-common.inc)
+    whitelist run/user          1137   (include whitelist-runuser-common.inc
                                         or blacklist ${RUNUSER})
-    whitelist usr/share         591   (include whitelist-usr-share-common.inc
-    net none                    391
-    dbus-user none              641
-    dbus-user filter            105
-    dbus-system none            792
-    dbus-system filter          7
+    whitelist usr/share         609   (include whitelist-usr-share-common.inc
+    net none                    396
+    dbus-user none              656
+    dbus-user filter            108
+    dbus-system none            808
+    dbus-system filter          10
 ```
 
 ### New profiles:
 
-clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp
+clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle,
+cmake, make, meson, pip, codium
diff --git a/RELNOTES b/RELNOTES
index 86c4a6104..3f92c89c7 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,13 +1,16 @@
 firejail (0.9.67) baseline; urgency=low
   * work in progress
+  * exit code: distinguish fatal signals by adding 128
   * deprecated --disable-whitelist at compile time
   * deprecated whitelist=yes/no in /etc/firejail/firejail.config
+  * new condition: ALLOW_TRAY
   * remove (some) environment variables with auth-tokens
   * new includes: whitelist-run-common.inc, disable-X11.inc
   * removed includes: disable-passwordmgr.inc
   * new profiles: microsoft-edge-beta, clion-eap, lifeograph, zim
   * new profiles: io.github.lainsce.Notejot, rednotebook, gallery-dl
-  * new profiles: yt-dlp
+  * new profiles: yt-dlp, goldendict, goldendict, bundle, cmake
+  * new profiles: make, meson, pip, codium
  -- netblue30 <netblue30@yahoo.com>  Thu, 29 Jul 2021 09:00:00 -0500
 
 firejail (0.9.66) baseline; urgency=low
@@ -59,7 +62,7 @@ firejail (0.9.64.4) baseline; urgency=low
 
 firejail (0.9.64.2) baseline; urgency=low
   * allow --tmpfs inside $HOME for unprivileged users
-  * --disable-usertmpfs  compile time option
+  * --disable-usertmpfs compile time option
   * allow AF_BLUETOOTH via --protocol=bluetooth
   * Setup guide for new users: contrib/firejail-welcome.sh
   * implement netns in profiles
@@ -566,7 +569,7 @@ firejail (0.9.44) baseline; urgency=low
   * feature: disable 3D hardware acceleration (--no3d)
   * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
   * feature: move files in sandbox (--put)
-  * feature: accept wildcard patterns in user  name field of restricted
+  * feature: accept wildcard patterns in user name field of restricted
     shell login feature
   * new profiles: qpdfview, mupdf, Luminance HDR, Synfig Studio, Gimp, Inkscape
   * new profiles: feh, ranger, zathura, 7z, keepass, keepassx,
@@ -608,7 +611,7 @@ firejail (0.9.42) baseline; urgency=low
   * compile time: disable whitelisting (--disable-whitelist)
   * compile time: disable global config (--disable-globalcfg)
   * run time: enable/disable overlayfs (overlayfs yes/no)
-  * run time: enable/disable  quiet as default (quiet-by-default yes/no)
+  * run time: enable/disable quiet as default (quiet-by-default yes/no)
   * run time: user-defined network filter (netfilter-default)
   * run time: enable/disable whitelisting (whitelist yes/no)
   * run time: enable/disable remounting of /proc and /sys
@@ -706,7 +709,7 @@ firejail (0.9.38) baseline; urgency=low
  -- netblue30 <netblue30@yahoo.com>  Tue, 2 Feb 2016 10:00:00 -0500
 
 firejail (0.9.36) baseline; urgency=low
-  * added  unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
+  * added unbound, dnscrypt-proxy, BitlBee, HexChat, WeeChat,
      parole and rtorrent profiles
   * Google Chrome profile rework
   * added google-chrome-stable profile
diff --git a/SECURITY.md b/SECURITY.md
index 7ec2940f6..ef9b9b5fb 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,24 +2,24 @@
 
 ## Supported Versions
 
-| Version | Supported by us    | EOL  | Supported by distribution |
-| ------- | ------------------ | ---- | ------------------------- |
-| 0.9.66  | :heavy_check_mark: |      |                           |
-| 0.9.64  | :x:                |      | :white_check_mark: Debian 10 **backports**, Debian 11 **backports**, Debian 12 (testing/unstable) |
-| 0.9.62  | :x:                |      | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10 |
-| 0.9.60  | :x:                | 29 Dec 2019 |                    |
-| 0.9.58  | :x:                |      | :white_check_mark: Debian 9 **backports**, Debian 10 |
-| 0.9.56  | :x:                | 27 Jan 2019 |                    |
-| 0.9.54  | :x:                | 18 Sep 2018 |                    |
-| 0.9.52  | :x:                |      | :white_check_mark: Ubuntu 18.04 LTS |
-| 0.9.50  | :x:                | 12 Dec 2017 |                    |
-| 0.9.48  | :x:                | 09 Sep 2017 |                    |
-| 0.9.46  | :x:                | 12 Jun 2017 |                    |
-| 0.9.44  | :x:                |      | :white_check_mark: Debian 9 |
-| 0.9.42  | :x:                | 22 Oct 2016 |                    |
-| 0.9.40  | :x:                | 09 Sep 2016 |                    |
-| 0.9.38  | :x:                |      | :white_check_mark: Ubuntu 16.04 LTS |
-| <0.9.38 | :x:                | Before 05 Feb 2016 |             |
+| Version | Supported by us    | EOL                | Supported by distribution                                                         |
+| ------- | ------------------ | ------------------ | --------------------------------------------------------------------------------- |
+| 0.9.66  | :heavy_check_mark: |                    | :white_check_mark: Debian 11 **backports**, Debian 12 (testing/unstable)          |
+| 0.9.64  | :x:                |                    | :white_check_mark: Debian 10 **backports**, Debian 11, Ubuntu 21.04, Ubuntu 21.10 |
+| 0.9.62  | :x:                |                    | :white_check_mark: Ubuntu 20.04 LTS, Ubuntu 20.10                                 |
+| 0.9.60  | :x:                | 29 Dec 2019        |                                                                                   |
+| 0.9.58  | :x:                |                    | :white_check_mark: Debian 9 **backports**, Debian 10                              |
+| 0.9.56  | :x:                | 27 Jan 2019        |                                                                                   |
+| 0.9.54  | :x:                | 18 Sep 2018        |                                                                                   |
+| 0.9.52  | :x:                |                    | :white_check_mark: Ubuntu 18.04 LTS                                               |
+| 0.9.50  | :x:                | 12 Dec 2017        |                                                                                   |
+| 0.9.48  | :x:                | 09 Sep 2017        |                                                                                   |
+| 0.9.46  | :x:                | 12 Jun 2017        |                                                                                   |
+| 0.9.44  | :x:                |                    | :white_check_mark: Debian 9                                                       |
+| 0.9.42  | :x:                | 22 Oct 2016        |                                                                                   |
+| 0.9.40  | :x:                | 09 Sep 2016        |                                                                                   |
+| 0.9.38  | :x:                |                    | :white_check_mark: Ubuntu 16.04 LTS                                               |
+| <0.9.38 | :x:                | Before 05 Feb 2016 |                                                                                   |
 
 ## Security vulnerabilities
 
diff --git a/ci/check/profiles/private-etc-always-required.sh b/ci/check/profiles/private-etc-always-required.sh
new file mode 100755
index 000000000..892b15aa4
--- /dev/null
+++ b/ci/check/profiles/private-etc-always-required.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload)
+
+error=0
+while IFS=: read -r profile private_etc; do
+        for required in "${ALWAYS_REQUIRED[@]}"; do
+                if grep -q -v -E "( |,)$required(,|$)" <<<"$private_etc"; then
+                        printf '%s misses %s\n' "$profile" "$required" >&2
+                        error=1
+                fi
+        done
+done < <(grep "^private-etc " "$@")
+
+exit "$error"
diff --git a/ci/check/profiles/sort-disable-programs.sh b/ci/check/profiles/sort-disable-programs.sh
new file mode 100755
index 000000000..d81ee75d7
--- /dev/null
+++ b/ci/check/profiles/sort-disable-programs.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +5 "$1" | LC_ALL=C sort -c -u
diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh
new file mode 100755
index 000000000..17a595350
--- /dev/null
+++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
diff --git a/ci/check/profiles/sort.py b/ci/check/profiles/sort.py
new file mode 120000
index 000000000..e1f3f5f16
--- /dev/null
+++ b/ci/check/profiles/sort.py
@@ -0,0 +1 @@
+../../../contrib/sort.py
\ No newline at end of file
diff --git a/configure b/configure
index f78bbaded..557f5beb2 100755
--- a/configure
+++ b/configure
@@ -711,6 +711,7 @@ ac_subst_files=''
 ac_user_opts='
 enable_option_checking
 enable_analyzer
+enable_sanitizer
 enable_apparmor
 enable_selinux
 enable_dbusproxy
@@ -1368,6 +1369,8 @@ Optional Features:
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
   --enable-analyzer       enable GCC static analyzer
+  --enable-sanitizer=[address | memory | undefined]
+                          enable a compiler-based sanitizer (debug)
   --enable-apparmor       enable apparmor
   --enable-selinux        SELinux labeling support
   --disable-dbusproxy     disable dbus proxy
@@ -3294,6 +3297,57 @@ if test "x$enable_analyzer" = "xyes"; then :
 
 fi
 
+# Check whether --enable-sanitizer was given.
+if test "${enable_sanitizer+set}" = set; then :
+  enableval=$enable_sanitizer;
+else
+  enable_sanitizer=no
+fi
+
+if test "x$enable_sanitizer" != "xno" ; then :
+  as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-fsanitize=$enable_sanitizer" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fsanitize=$enable_sanitizer" >&5
+$as_echo_n "checking whether C compiler accepts -fsanitize=$enable_sanitizer... " >&6; }
+if eval \${$as_CACHEVAR+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -fsanitize=$enable_sanitizer"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval "$as_CACHEVAR=yes"
+else
+  eval "$as_CACHEVAR=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+eval ac_res=\$$as_CACHEVAR
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then :
+
+                EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+                EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+
+else
+  as_fn_error $? "sanitizer not supported: $enable_sanitizer" "$LINENO" 5
+
+fi
+
+fi
+
 HAVE_APPARMOR=""
 # Check whether --enable-apparmor was given.
 if test "${enable_apparmor+set}" = set; then :
@@ -3549,7 +3603,7 @@ if test "x$enable_dbusproxy" != "xno"; then :
 
 fi
 
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
 HAVE_OVERLAYFS=""
 
 #
diff --git a/configure.ac b/configure.ac
index 7879a5239..fc5823143 100644
--- a/configure.ac
+++ b/configure.ac
@@ -45,6 +45,15 @@ AS_IF([test "x$enable_analyzer" = "xyes"], [
         EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer -Wno-analyzer-malloc-leak"
 ])
 
+AC_ARG_ENABLE([sanitizer],
+    AS_HELP_STRING([--enable-sanitizer=@<:@address | memory | undefined@:>@], [enable a compiler-based sanitizer (debug)]), [], [enable_sanitizer=no])
+AS_IF([test "x$enable_sanitizer" != "xno" ],
+        [AX_CHECK_COMPILE_FLAG([-fsanitize=$enable_sanitizer], [
+                EXTRA_CFLAGS="$EXTRA_CFLAGS -fsanitize=$enable_sanitizer -fno-omit-frame-pointer"
+                EXTRA_LDFLAGS="$EXTRA_LDFLAGS -fsanitize=$enable_sanitizer"
+        ], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])]
+)])
+
 HAVE_APPARMOR=""
 AC_ARG_ENABLE([apparmor],
     AS_HELP_STRING([--enable-apparmor], [enable apparmor]))
@@ -76,7 +85,7 @@ AS_IF([test "x$enable_dbusproxy" != "xno"], [
         AC_SUBST(HAVE_DBUSPROXY)
 ])
 
-# overlayfs features temporarely disabled pending fixes
+# overlayfs features temporarily disabled pending fixes
 HAVE_OVERLAYFS=""
 AC_SUBST(HAVE_OVERLAYFS)
 #
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py
index 12b596749..961646aa4 100755
--- a/contrib/fix_private-bin.py
+++ b/contrib/fix_private-bin.py
@@ -164,7 +164,7 @@ def printHelp():
 
 
 def main() -> None:
-    """The main function. Parses the commandline args, shows messages and calles the function actually doing the work."""
+    """The main function. Parses the commandline args, shows messages and calls the function actually doing the work."""
     if len(sys.argv) > 2 or (len(sys.argv) == 2 and
                              (sys.argv[1] == "-h" or sys.argv[1] == "--help")):
         printHelp()
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh
index 941fc45ef..686bdc2c0 100755
--- a/contrib/gdb-firejail.sh
+++ b/contrib/gdb-firejail.sh
@@ -21,4 +21,4 @@ else
 fi
 
 bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" &
-sudo gdb -e  "$FIREJAIL" -p "$!"
+sudo gdb -e "$FIREJAIL" -p "$!"
diff --git a/contrib/sort.py b/contrib/sort.py
index d7a2cd05d..4af9c674c 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -34,7 +34,7 @@ def sort_alphabetical(raw_items):
 
 
 def sort_protocol(protocols):
-    """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
+    """sort the given protocols into this scheme: unix,inet,inet6,netlink,packet,bluetooth"""
 
     # shortcut for common protocol lines
     if protocols in ("unix", "unix,inet,inet6"):
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index d07690ee2..fa80a9c00 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -72,7 +72,7 @@ syn match fjCommandNoCond /quiet$/ contained
 
 " Conditionals grabbed from: src/firejail/profile.c
 " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|'
-syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
+syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
 
 " A line is either a command, a conditional or a comment
 syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment
diff --git a/etc-fixes/0.9.58/atom.profile b/etc-fixes/0.9.58/atom.profile
index 9bc35da5a..1cc9b0116 100644
--- a/etc-fixes/0.9.58/atom.profile
+++ b/etc-fixes/0.9.58/atom.profile
@@ -1,4 +1,3 @@
-
 # Firejail profile for atom
 # Description: A hackable text editor for the 21st Century
 # This file is overwritten after every install/update
diff --git a/etc-fixes/seccomp-join-bug/README b/etc-fixes/seccomp-join-bug/README
index 9f85a0e00..15596eca7 100644
--- a/etc-fixes/seccomp-join-bug/README
+++ b/etc-fixes/seccomp-join-bug/README
@@ -8,4 +8,3 @@ on May 21, 2019:
 
 The original discussion thread: https://github.com/netblue30/firejail/issues/2718
 The fix on mainline: https://github.com/netblue30/firejail/commit/eecf35c2f8249489a1d3e512bb07f0d427183134
-
diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base
new file mode 100644
index 000000000..6e286d4af
--- /dev/null
+++ b/etc/apparmor/firejail-base
@@ -0,0 +1,27 @@
+#########################################
+# Firejail base abstraction drop-in
+#
+# Adds basic Firejail support to AppArmor profiles.
+# Please note: Firejail's nonewprivs and seccomp options
+# are not compatible with AppArmor profile transitions.
+# Also there is no support for Firejail chroot options.
+#########################################
+
+# Discovery of process names
+owner /proc/@{pid}/comm r,
+
+##########
+# Following paths only exist inside a Firejail sandbox
+##########
+
+# Library preloading
+/{,var/}run/firejail/lib/*.so mr,
+
+# Supporting seccomp
+owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r,
+
+# Supporting trace
+owner /{,var/}run/firejail/mnt/trace w,
+
+# Supporting tracelog
+/{,var/}run/firejail/mnt/fslogger r,
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default
index ca32f5b0d..a7044152e 100644
--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -129,7 +129,7 @@ signal (receive),
 ##########
 # The list of recognized capabilities varies from one apparmor version to another.
 # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
-# We allow all caps by default and remove the  ones we don't like:
+# We allow all caps by default and remove the ones we don't like:
 capability,
 deny capability audit_write,
 deny capability audit_control,
diff --git a/etc/firejail.config b/etc/firejail.config
index 2e355586b..7912b746c 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -2,6 +2,9 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
+# Allow programs to display a tray icon
+# allow-tray no
+
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 
@@ -63,7 +66,7 @@
 # a file argument, the default filter is hardcoded (see man 1 firejail). This
 # configuration entry allows the user to change the default by specifying
 # a file containing the filter configuration. The filter file format is the
-# format of  iptables-save  and iptable-restore commands. Example:
+# format of iptables-save and iptables-restore commands. Example:
 # netfilter-default /etc/iptables.iptables.rules
 
 # Enable or disable networking features, default enabled.
diff --git a/etc/ids.config b/etc/ids.config
index 09b0ae912..ff55416ca 100644
--- a/etc/ids.config
+++ b/etc/ids.config
@@ -37,6 +37,7 @@ include ids.config.local
 
 ### shells local ###
 # bash
+${HOME}/.bash_aliases
 ${HOME}/.bash_login
 ${HOME}/.bash_logout
 ${HOME}/.bash_profile
@@ -99,10 +100,24 @@ ${HOME}/.xsessionrc
 ### window/desktop manager ###
 ${HOME}/Desktop/*.desktop
 ${HOME}/.config/autostart
+${HOME}/.config/autostart-scripts
 ${HOME}/.config/lxsession/LXDE/autostart
+${HOME}/.config/openbox/autostart
+${HOME}/.config/openbox/environment
+${HOME}/.config/plasma-workspace/env
+${HOME}/.config/plasma-workspace/shutdown
 ${HOME}/.gnomerc
 ${HOME}/.gtkrc
+${HOME}/.kde/Autostart
+${HOME}/.kde/env
+${HOME}/.kde/share/autostart
+${HOME}/.kde/shutdown
+${HOME}/.kde4/Autostart
+${HOME}/.kde4/env
+${HOME}/.kde4/share/autostart
+${HOME}/.kde4/shutdown
 ${HOME}/.kderc
+${HOME}/.local/share/autostart
 
 ### security ###
 /etc/aide
@@ -123,6 +138,7 @@ ${HOME}/.kderc
 /etc/tripwire
 ${HOME}/.config/firejail
 ${HOME}/.gnupg
+${HOME}/.pam_environment
 
 ### network security ###
 /etc/ca-certificates*
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 011bbe226..4e460fc10 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
 
+# Ruby
+noblacklist ${HOME}/.bundle
+
 # Rust
-noblacklist ${HOME}/.cargo/*
+noblacklist ${HOME}/.cargo
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..00276cac7 100644
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -4,3 +4,4 @@ include allow-ruby.local
 
 noblacklist ${PATH}/ruby
 noblacklist /usr/lib/ruby
+noblacklist /usr/lib64/ruby
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index ae84ee38a..f3d685d18 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -458,7 +458,7 @@ blacklist /sbin
 blacklist /usr/local/sbin
 blacklist /usr/sbin
 
-# system management
+# system management and various SUID executables
 blacklist ${PATH}/at
 blacklist ${PATH}/busybox
 blacklist ${PATH}/chage
@@ -493,6 +493,12 @@ blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
+blacklist /usr/lib/openssh/ssh-keysign
+blacklist ${PATH}/passwd
+blacklist /usr/lib/xorg/Xorg.wrap
+blacklist /usr/lib/policykit-1/polkit-agent-helper-1
+blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+blacklist /usr/lib/eject/dmcrypt-get-device
 
 # other SUID binaries
 blacklist /usr/lib/virtualbox
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
index e74b1b40b..98bf5ecc8 100644
--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -60,9 +60,7 @@ blacklist /usr/lib/tcc
 blacklist ${PATH}/valgrind*
 blacklist /usr/lib/valgrind
 
-
 # Source-Code
-
 blacklist /usr/src
 blacklist /usr/local/src
 blacklist /usr/include
diff --git a/etc/inc/disable-exec.inc b/etc/inc/disable-exec.inc
index 9b5c40a2b..d7dcef7e7 100644
--- a/etc/inc/disable-exec.inc
+++ b/etc/inc/disable-exec.inc
@@ -6,6 +6,7 @@ noexec ${HOME}
 noexec ${RUNUSER}
 noexec /dev/mqueue
 noexec /dev/shm
+noexec /run/shm
 noexec /tmp
 # /var is noexec by default for unprivileged users
 # except there is a writable-var option, so just in case:
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 5d8a236fb..804869e2a 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -48,6 +48,7 @@ blacklist /usr/share/php*
 # Ruby
 blacklist ${PATH}/ruby
 blacklist /usr/lib/ruby
+blacklist /usr/lib64/ruby
 
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc
new file mode 100644
index 000000000..81a8883f3
--- /dev/null
+++ b/etc/inc/disable-proc.inc
@@ -0,0 +1,82 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-proc.local
+
+blacklist /proc/acpi
+blacklist /proc/asound
+blacklist /proc/bootconfig
+blacklist /proc/buddyinfo
+blacklist /proc/cgroups
+blacklist /proc/cmdline
+blacklist /proc/config.gz
+blacklist /proc/consoles
+#blacklist /proc/cpuinfo
+blacklist /proc/crypto
+blacklist /proc/devices
+blacklist /proc/diskstats
+blacklist /proc/dma
+#blacklist /proc/driver
+blacklist /proc/dynamic_debug
+blacklist /proc/execdomains
+blacklist /proc/fb
+#blacklist /proc/filesystems
+blacklist /proc/fs
+blacklist /proc/i8k
+blacklist /proc/interrupts
+blacklist /proc/iomem
+blacklist /proc/ioports
+blacklist /proc/irq
+blacklist /proc/kallsyms
+blacklist /proc/kcore
+blacklist /proc/keys
+blacklist /proc/key-users
+blacklist /proc/kmsg
+blacklist /proc/kpagecgroup
+blacklist /proc/kpagecount
+blacklist /proc/kpageflags
+blacklist /proc/latency_stats
+#blacklist /proc/loadavg
+blacklist /proc/locks
+blacklist /proc/mdstat
+#blacklist /proc/meminfo
+blacklist /proc/misc
+#blacklist /proc/modules
+#blacklist /proc/mounts
+blacklist /proc/mtrr
+#blacklist /proc/net
+blacklist /proc/partitions
+blacklist /proc/pressure
+blacklist /proc/sched_debug
+blacklist /proc/schedstat
+blacklist /proc/scsi
+#blacklist /proc/self
+blacklist /proc/slabinfo
+blacklist /proc/softirqs
+blacklist /proc/spl
+#blacklist /proc/stat
+blacklist /proc/swaps
+#blacklist /proc/sys
+blacklist /proc/sysrq-trigger
+blacklist /proc/sysvipc
+#blacklist /proc/thread-self
+blacklist /proc/timer_list
+blacklist /proc/tty
+#blacklist /proc/uptime
+#blacklist /proc/version
+blacklist /proc/version_signature
+blacklist /proc/vmallocinfo
+#blacklist /proc/vmstat
+#blacklist /proc/zoneinfo
+
+blacklist /proc/sys/abi
+blacklist /proc/sys/crypto
+blacklist /proc/sys/debug
+blacklist /proc/sys/dev
+blacklist /proc/sys/fs
+blacklist /proc/sys/net
+blacklist /proc/sys/user
+blacklist /proc/sys/vm
+
+noblacklist /proc/sys/kernel/osrelease
+noblacklist /proc/sys/kernel/yama
+blacklist /proc/sys/*/*
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 4941630a2..e78f15e10 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -49,11 +49,184 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/*
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/Authenticator
+blacklist ${HOME}/.cache/BraveSoftware
+blacklist ${HOME}/.cache/Clementine
+blacklist ${HOME}/.cache/ENCOM/Spectral
+blacklist ${HOME}/.cache/Enox
+blacklist ${HOME}/.cache/Enpass
+blacklist ${HOME}/.cache/Ferdi
+blacklist ${HOME}/.cache/Flavio Tordini
+blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/GoldenDict
+blacklist ${HOME}/.cache/INRIA
+blacklist ${HOME}/.cache/INRIA/Natron
+blacklist ${HOME}/.cache/JetBrains/CLion*
+blacklist ${HOME}/.cache/KDE/neochat
+blacklist ${HOME}/.cache/Mendeley Ltd.
+blacklist ${HOME}/.cache/MusicBrainz
+blacklist ${HOME}/.cache/NewsFlashGTK
+blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/PawelStolowski
+blacklist ${HOME}/.cache/Psi
+blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Quotient/quaternion
+blacklist ${HOME}/.cache/Shortwave
+blacklist ${HOME}/.cache/Tox
+blacklist ${HOME}/.cache/Zeal
+blacklist ${HOME}/.cache/agenda
+blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/atril
+blacklist ${HOME}/.cache/attic
+blacklist ${HOME}/.cache/babl
+blacklist ${HOME}/.cache/bnox
+blacklist ${HOME}/.cache/borg
+blacklist ${HOME}/.cache/calibre
+blacklist ${HOME}/.cache/cantata
+blacklist ${HOME}/.cache/champlain
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/cliqz
+blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.cache/darktable
+blacklist ${HOME}/.cache/deja-dup
+blacklist ${HOME}/.cache/discover
+blacklist ${HOME}/.cache/dnox
+blacklist ${HOME}/.cache/dolphin
+blacklist ${HOME}/.cache/dolphin-emu
+blacklist ${HOME}/.cache/ephemeral
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/evolution
+blacklist ${HOME}/.cache/falkon
+blacklist ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/firedragon
+blacklist ${HOME}/.cache/flaska.net/trojita
+blacklist ${HOME}/.cache/folks
+blacklist ${HOME}/.cache/font-manager
+blacklist ${HOME}/.cache/fossamail
+blacklist ${HOME}/.cache/fractal
+blacklist ${HOME}/.cache/freecol
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/geary
+blacklist ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/gegl-0.4
+blacklist ${HOME}/.cache/gfeeds
+blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-boxes
+blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-control-center
+blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-screenshot
+blacklist ${HOME}/.cache/gnome-software
+blacklist ${HOME}/.cache/gnome-twitch
+blacklist ${HOME}/.cache/godot
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/gradio
+blacklist ${HOME}/.cache/gummi
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/inkscape
+blacklist ${HOME}/.cache/inox
+blacklist ${HOME}/.cache/io.github.lainsce.Notejot
+blacklist ${HOME}/.cache/iridium
+blacklist ${HOME}/.cache/kcmshell5
+blacklist ${HOME}/.cache/kdenlive
+blacklist ${HOME}/.cache/keepassxc
+blacklist ${HOME}/.cache/kfind
+blacklist ${HOME}/.cache/kinfocenter
+blacklist ${HOME}/.cache/kmail2
+blacklist ${HOME}/.cache/krunner
+blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/kscreenlocker_greet
+blacklist ${HOME}/.cache/ksmserver-logout-greeter
+blacklist ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/kube
+blacklist ${HOME}/.cache/kwin
+blacklist ${HOME}/.cache/libgweather
+blacklist ${HOME}/.cache/librewolf
+blacklist ${HOME}/.cache/liferea
+blacklist ${HOME}/.cache/lutris
+blacklist ${HOME}/.cache/marker
+blacklist ${HOME}/.cache/matrix-mirage
+blacklist ${HOME}/.cache/microsoft-edge-beta
+blacklist ${HOME}/.cache/microsoft-edge-dev
+blacklist ${HOME}/.cache/midori
+blacklist ${HOME}/.cache/minetest
+blacklist ${HOME}/.cache/mirage
+blacklist ${HOME}/.cache/moonchild productions/basilisk
+blacklist ${HOME}/.cache/moonchild productions/pale moon
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/ms-excel-online
+blacklist ${HOME}/.cache/ms-office-online
+blacklist ${HOME}/.cache/ms-onenote-online
+blacklist ${HOME}/.cache/ms-outlook-online
+blacklist ${HOME}/.cache/ms-powerpoint-online
+blacklist ${HOME}/.cache/ms-skype-online
+blacklist ${HOME}/.cache/ms-word-online
+blacklist ${HOME}/.cache/mutt
+blacklist ${HOME}/.cache/mypaint
+blacklist ${HOME}/.cache/netsurf
+blacklist ${HOME}/.cache/nheko
+blacklist ${HOME}/.cache/okular
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/org.gabmus.gfeeds
+blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/org.gnome.Maps
+blacklist ${HOME}/.cache/pdfmod
+blacklist ${HOME}/.cache/peek
+blacklist ${HOME}/.cache/pip
+blacklist ${HOME}/.cache/pipe-viewer
+blacklist ${HOME}/.cache/plasmashell
+blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/psi
+blacklist ${HOME}/.cache/qBittorrent
+blacklist ${HOME}/.cache/quodlibet
+blacklist ${HOME}/.cache/qupzilla
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/rednotebook
+blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/shotwell
+blacklist ${HOME}/.cache/simple-scan
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/smuxi
+blacklist ${HOME}/.cache/snox
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/straw-viewer
+blacklist ${HOME}/.cache/strawberry
+blacklist ${HOME}/.cache/supertuxkart
+blacklist ${HOME}/.cache/systemsettings
+blacklist ${HOME}/.cache/telepathy
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/torbrowser
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/ungoogled-chromium
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/vivaldi-snapshot
+blacklist ${HOME}/.cache/vlc
+blacklist ${HOME}/.cache/vmware
+blacklist ${HOME}/.cache/warsow-2.1
+blacklist ${HOME}/.cache/waterfox
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/winetricks
+blacklist ${HOME}/.cache/xmms2
+blacklist ${HOME}/.cache/xournalpp
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/yandex-browser
+blacklist ${HOME}/.cache/yandex-browser-beta
+blacklist ${HOME}/.cache/youtube-dl
+blacklist ${HOME}/.cache/youtube-viewer
+blacklist ${HOME}/.cache/yt-dlp
+blacklist ${HOME}/.cache/zim
+blacklist ${HOME}/.cargo
 blacklist ${HOME}/.claws-mail
-blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clion*
+blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
@@ -92,8 +265,8 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
-blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/JetBrains/CLion*
+blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/KDE/neochat
 blacklist ${HOME}/.config/KeePass
 blacklist ${HOME}/.config/KeePassXCrc
@@ -142,6 +315,7 @@ blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
+blacklist ${HOME}/.config/VSCodium
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/Wire
@@ -496,12 +670,14 @@ blacklist ${HOME}/.frogatto
 blacklist ${HOME}/.frozen-bubble
 blacklist ${HOME}/.funnyboat
 blacklist ${HOME}/.gallery-dl.conf
+blacklist ${HOME}/.geekbench5
 blacklist ${HOME}/.gimp*
 blacklist ${HOME}/.gist
 blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gl-117
 blacklist ${HOME}/.glaxiumrc
 blacklist ${HOME}/.gnome/gnome-schedule
+blacklist ${HOME}/.goldendict
 blacklist ${HOME}/.googleearth
 blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
@@ -954,176 +1130,3 @@ blacklist /var/games/slashem
 blacklist /var/games/vulturesclaw
 blacklist /var/games/vultureseye
 blacklist /var/lib/games/Maelstrom-Scores
-
-# ${HOME}/.cache directory
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Authenticator
-blacklist ${HOME}/.cache/BraveSoftware
-blacklist ${HOME}/.cache/Clementine
-blacklist ${HOME}/.cache/ENCOM/Spectral
-blacklist ${HOME}/.cache/Enox
-blacklist ${HOME}/.cache/Enpass
-blacklist ${HOME}/.cache/Ferdi
-blacklist ${HOME}/.cache/Flavio Tordini
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/INRIA/Natron
-blacklist ${HOME}/.cache/KDE/neochat
-blacklist ${HOME}/.cache/Mendeley Ltd.
-blacklist ${HOME}/.cache/MusicBrainz
-blacklist ${HOME}/.cache/NewsFlashGTK
-blacklist ${HOME}/.cache/Otter
-blacklist ${HOME}/.cache/PawelStolowski
-blacklist ${HOME}/.cache/Psi
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/Quotient/quaternion
-blacklist ${HOME}/.cache/Shortwave
-blacklist ${HOME}/.cache/Tox
-blacklist ${HOME}/.cache/Zeal
-blacklist ${HOME}/.cache/agenda
-blacklist ${HOME}/.cache/akonadi*
-blacklist ${HOME}/.cache/atril
-blacklist ${HOME}/.cache/attic
-blacklist ${HOME}/.cache/babl
-blacklist ${HOME}/.cache/bnox
-blacklist ${HOME}/.cache/borg
-blacklist ${HOME}/.cache/calibre
-blacklist ${HOME}/.cache/cantata
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/cliqz
-blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/deja-dup
-blacklist ${HOME}/.cache/discover
-blacklist ${HOME}/.cache/dnox
-blacklist ${HOME}/.cache/dolphin
-blacklist ${HOME}/.cache/dolphin-emu
-blacklist ${HOME}/.cache/ephemeral
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/falkon
-blacklist ${HOME}/.cache/feedreader
-blacklist ${HOME}/.cache/firedragon
-blacklist ${HOME}/.cache/flaska.net/trojita
-blacklist ${HOME}/.cache/folks
-blacklist ${HOME}/.cache/font-manager
-blacklist ${HOME}/.cache/fossamail
-blacklist ${HOME}/.cache/fractal
-blacklist ${HOME}/.cache/freecol
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/geary
-blacklist ${HOME}/.cache/geeqie
-blacklist ${HOME}/.cache/gegl-0.4
-blacklist ${HOME}/.cache/gfeeds
-blacklist ${HOME}/.cache/gimp
-blacklist ${HOME}/.cache/gnome-boxes
-blacklist ${HOME}/.cache/gnome-builder
-blacklist ${HOME}/.cache/gnome-control-center
-blacklist ${HOME}/.cache/gnome-recipes
-blacklist ${HOME}/.cache/gnome-screenshot
-blacklist ${HOME}/.cache/gnome-software
-blacklist ${HOME}/.cache/gnome-twitch
-blacklist ${HOME}/.cache/godot
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/gradio
-blacklist ${HOME}/.cache/gummi
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/inkscape
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/io.github.lainsce.Notejot
-blacklist ${HOME}/.cache/iridium
-blacklist ${HOME}/.cache/JetBrains/CLion*
-blacklist ${HOME}/.cache/kcmshell5
-blacklist ${HOME}/.cache/kdenlive
-blacklist ${HOME}/.cache/keepassxc
-blacklist ${HOME}/.cache/kfind
-blacklist ${HOME}/.cache/kinfocenter
-blacklist ${HOME}/.cache/kmail2
-blacklist ${HOME}/.cache/krunner
-blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/kscreenlocker_greet
-blacklist ${HOME}/.cache/ksmserver-logout-greeter
-blacklist ${HOME}/.cache/ksplashqml
-blacklist ${HOME}/.cache/kube
-blacklist ${HOME}/.cache/kwin
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/librewolf
-blacklist ${HOME}/.cache/liferea
-blacklist ${HOME}/.cache/lutris
-blacklist ${HOME}/.cache/marker
-blacklist ${HOME}/.cache/matrix-mirage
-blacklist ${HOME}/.cache/microsoft-edge-beta
-blacklist ${HOME}/.cache/microsoft-edge-dev
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/minetest
-blacklist ${HOME}/.cache/mirage
-blacklist ${HOME}/.cache/moonchild productions/basilisk
-blacklist ${HOME}/.cache/moonchild productions/pale moon
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/ms-excel-online
-blacklist ${HOME}/.cache/ms-office-online
-blacklist ${HOME}/.cache/ms-onenote-online
-blacklist ${HOME}/.cache/ms-outlook-online
-blacklist ${HOME}/.cache/ms-powerpoint-online
-blacklist ${HOME}/.cache/ms-skype-online
-blacklist ${HOME}/.cache/ms-word-online
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/mypaint
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/nheko
-blacklist ${HOME}/.cache/okular
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gabmus.gfeeds
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/org.gnome.Maps
-blacklist ${HOME}/.cache/pdfmod
-blacklist ${HOME}/.cache/peek
-blacklist ${HOME}/.cache/pip
-blacklist ${HOME}/.cache/pipe-viewer
-blacklist ${HOME}/.cache/plasmashell
-blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
-blacklist ${HOME}/.cache/psi
-blacklist ${HOME}/.cache/qBittorrent
-blacklist ${HOME}/.cache/quodlibet
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/rednotebook
-blacklist ${HOME}/.cache/rhythmbox
-blacklist ${HOME}/.cache/shotwell
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/smuxi
-blacklist ${HOME}/.cache/snox
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/straw-viewer
-blacklist ${HOME}/.cache/strawberry
-blacklist ${HOME}/.cache/supertuxkart
-blacklist ${HOME}/.cache/systemsettings
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/ungoogled-chromium
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/vivaldi-snapshot
-blacklist ${HOME}/.cache/vlc
-blacklist ${HOME}/.cache/vmware
-blacklist ${HOME}/.cache/warsow-2.1
-blacklist ${HOME}/.cache/waterfox
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/winetricks
-blacklist ${HOME}/.cache/xmms2
-blacklist ${HOME}/.cache/xournalpp
-blacklist ${HOME}/.cache/xreader
-blacklist ${HOME}/.cache/yandex-browser
-blacklist ${HOME}/.cache/yandex-browser-beta
-blacklist ${HOME}/.cache/youtube-dl
-blacklist ${HOME}/.cache/youtube-viewer
-blacklist ${HOME}/.cache/yt-dlp
-blacklist ${HOME}/.cache/zim
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc
index 224d21064..d74655a08 100644
--- a/etc/inc/whitelist-run-common.inc
+++ b/etc/inc/whitelist-run-common.inc
@@ -7,5 +7,9 @@ whitelist /run/cups/cups.sock
 whitelist /run/dbus/system_bus_socket
 whitelist /run/media
 whitelist /run/resolvconf/resolv.conf
+whitelist /run/shm
+whitelist /run/systemd/journal/dev-log
+whitelist /run/systemd/journal/socket
 whitelist /run/systemd/resolve/resolv.conf
 whitelist /run/systemd/resolve/stub-resolv.conf
+whitelist /run/udev/data
diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile
index 76fd21d32..a256e942f 100644
--- a/etc/profile-a-l/Books.profile
+++ b/etc/profile-a-l/Books.profile
@@ -1,5 +1,10 @@
 # Firejail profile for gnome-books
 # This file is overwritten after every install/update
+# Persistent local customizations
+include Books.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
 
 
 # Temporary fix for https://github.com/netblue30/firejail/issues/2624
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile
index 005a502c4..0e7126458 100644
--- a/etc/profile-a-l/abiword.profile
+++ b/etc/profile-a-l/abiword.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin abiword
 private-cache
 private-dev
-private-etc fonts,gtk-3.0,passwd
+private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile
index fea25fd58..dd3b2e59b 100644
--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -50,7 +50,7 @@ tracelog
 private-bin agetpkg,python3
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile
index 168e81985..f3fb678d1 100644
--- a/etc/profile-a-l/akonadi_control.profile
+++ b/etc/profile-a-l/akonadi_control.profile
@@ -27,6 +27,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 # disabled options below are not compatible with the apparmor profile for mysqld-akonadi.
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile
index d1e7df37b..39008d67a 100644
--- a/etc/profile-a-l/akregator.profile
+++ b/etc/profile-a-l/akregator.profile
@@ -25,6 +25,7 @@ whitelist ${HOME}/.local/share/akregator
 whitelist ${HOME}/.local/share/kssl
 whitelist ${HOME}/.local/share/kxmlgui5/akregator
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
index 69b499c74..5a528595b 100644
--- a/etc/profile-a-l/alacarte.profile
+++ b/etc/profile-a-l/alacarte.profile
@@ -53,7 +53,7 @@ disable-mnt
 # private-bin alacarte,bash,python*,sh
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile
index 62857a3e2..68512e37b 100644
--- a/etc/profile-a-l/alienarena.profile
+++ b/etc/profile-a-l/alienarena.profile
@@ -29,7 +29,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile
index e7b78f7d0..7d8ec481d 100644
--- a/etc/profile-a-l/amarok.profile
+++ b/etc/profile-a-l/amarok.profile
@@ -39,7 +39,7 @@ dbus-user.own org.kde.amarok
 dbus-user.own org.mpris.amarok
 dbus-user.own org.mpris.MediaPlayer2.amarok
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 # If you're not on kde-plasma add the next lines to your amarok.local.
 #dbus-user.own org.kde.kded
 #dbus-user.own org.kde.klauncher
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile
index 3ce05c5bc..e82c145d1 100644
--- a/etc/profile-a-l/amule.profile
+++ b/etc/profile-a-l/amule.profile
@@ -32,6 +32,7 @@ nosound
 notv
 nou2f
 novideo
+# Add netlink protocol to use UPnP
 protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile
index fa4dfbb6f..f6d711b2e 100644
--- a/etc/profile-a-l/anki.profile
+++ b/etc/profile-a-l/anki.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin anki,python*
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index 737cf3095..8aef75cd1 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -45,7 +45,7 @@ private-bin aria2c,gzip
 # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
 #private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-lib libreadline.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile
index 45071dc62..a26592f3a 100644
--- a/etc/profile-a-l/ark.profile
+++ b/etc/profile-a-l/ark.profile
@@ -16,6 +16,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 
 whitelist /usr/share/ark
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile
index 3253fb586..6676d42e9 100644
--- a/etc/profile-a-l/arm.profile
+++ b/etc/profile-a-l/arm.profile
@@ -43,6 +43,6 @@ tracelog
 disable-mnt
 private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
 
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile
index 8d74b6ba4..254f3f571 100644
--- a/etc/profile-a-l/artha.profile
+++ b/etc/profile-a-l/artha.profile
@@ -56,7 +56,7 @@ disable-mnt
 private-bin artha,enchant,notify-send
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-lib libnotify.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile
index e377de2c8..6399bc1a3 100644
--- a/etc/profile-a-l/atool.profile
+++ b/etc/profile-a-l/atool.profile
@@ -13,7 +13,7 @@ include allow-perl.inc
 noroot
 
 # without login.defs atool complains and uses UID/GID 1000 by default
-private-etc alternatives,group,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd
 private-tmp
 
 # Redirect
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile
index f7c62926f..264bc0215 100644
--- a/etc/profile-a-l/atril.profile
+++ b/etc/profile-a-l/atril.profile
@@ -42,7 +42,7 @@ tracelog
 
 private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote
 private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 # atril uses webkit gtk to display epub files
 # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0
 #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index d71370b7e..e9ecdd72e 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -17,6 +17,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile
index 411c5f4d3..a8af1928b 100644
--- a/etc/profile-a-l/authenticator-rs.profile
+++ b/etc/profile-a-l/authenticator-rs.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin authenticator-rs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile
index 0f0fb7ceb..f9a03ca68 100644
--- a/etc/profile-a-l/authenticator.profile
+++ b/etc/profile-a-l/authenticator.profile
@@ -39,7 +39,7 @@ shell none
 disable-mnt
 # private-bin authenticator,python*
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
 # makes settings immutable
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile
index 252016bec..55d2453d8 100644
--- a/etc/profile-a-l/baloo_file.profile
+++ b/etc/profile-a-l/baloo_file.profile
@@ -25,6 +25,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile
index 197f787ca..be3543b08 100644
--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -66,7 +66,7 @@ tracelog
 private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 writable-run-user
 writable-var
@@ -79,4 +79,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
+read-only ${HOME}/.mozilla/firefox/profiles.ini
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile
index 0104dc181..be29ce8a7 100644
--- a/etc/profile-a-l/bibletime.profile
+++ b/etc/profile-a-l/bibletime.profile
@@ -52,7 +52,7 @@ disable-mnt
 # private-bin bibletime,qt5ct
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile
index 61cd792b1..b86232860 100644
--- a/etc/profile-a-l/bijiben.profile
+++ b/etc/profile-a-l/bijiben.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin bijiben
 # private-cache -- access to .cache/tracker is required
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile
index ba2eb2ea7..f8114c71b 100644
--- a/etc/profile-a-l/bitwarden.profile
+++ b/etc/profile-a-l/bitwarden.profile
@@ -23,7 +23,7 @@ no3d
 nosound
 
 ?HAS_APPIMAGE: ignore private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-opt Bitwarden
 
 # Redirect
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile
index 61d1c3a1e..3e20ed133 100644
--- a/etc/profile-a-l/bless.profile
+++ b/etc/profile-a-l/bless.profile
@@ -35,7 +35,7 @@ shell none
 # private-bin bash,bless,mono,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,mono
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile
index 11d705c5b..d7df3bc49 100644
--- a/etc/profile-a-l/blobby.profile
+++ b/etc/profile-a-l/blobby.profile
@@ -41,7 +41,7 @@ tracelog
 disable-mnt
 private-bin blobby
 private-dev
-private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse
+private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile
index 6e3d4256c..cc2fda3f2 100644
--- a/etc/profile-a-l/blobwars.profile
+++ b/etc/profile-a-l/blobwars.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.parallelrealities/blobwars
 whitelist ${HOME}/.parallelrealities/blobwars
 whitelist /usr/share/blobwars
+whitelist /usr/share/games/blobwars
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -28,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -43,7 +43,7 @@ disable-mnt
 private-bin blobwars
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile
index d731a6a6e..fbc7c9056 100644
--- a/etc/profile-a-l/bsdtar.profile
+++ b/etc/profile-a-l/bsdtar.profile
@@ -6,7 +6,7 @@ include bsdtar.local
 # Persistent global definitions
 include globals.local
 
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
new file mode 100644
index 000000000..1b199d612
--- /dev/null
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,66 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore noexec ${HOME}
+ignore noexec /tmp
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/pkgconfig
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
new file mode 100644
index 000000000..bb82022b1
--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,23 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bundle
+
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+
+#whitelist ${HOME}/.bundle
+#whitelist ${HOME}/.gem
+#whitelist ${HOME}/.local/share/gem
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile
index ae9e0f1d2..92c455144 100644
--- a/etc/profile-a-l/cameramonitor.profile
+++ b/etc/profile-a-l/cameramonitor.profile
@@ -46,7 +46,7 @@ tracelog
 disable-mnt
 private-bin cameramonitor,python*
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..4c8afd895 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,18 @@ include cargo.local
 # Persistent global definitions
 include globals.local
 
-ignore noexec ${HOME}
-ignore noexec /tmp
-
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+ignore read-only ${HOME}/.cargo/bin
 
 noblacklist ${HOME}/.cargo/credentials
 noblacklist ${HOME}/.cargo/credentials.toml
 
-# Allows files commonly used by IDEs
-include allow-common-devel.inc
-
-# Allow ssh (blacklisted by disable-common.inc)
-#include allow-ssh.inc
-
-include disable-common.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-#mkdir ${HOME}/.cargo
-#whitelist ${HOME}/YOUR_CARGO_PROJECTS
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
-#include whitelist-common.inc
-whitelist /usr/share/pkgconfig
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-shell none
-tracelog
-
-disable-mnt
 #private-bin cargo,rustc
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
-private-tmp
-
-dbus-user none
-dbus-system none
 
 memory-deny-write-execute
-read-write ${HOME}/.cargo/bin
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile
index 78df5af83..c7a98250e 100644
--- a/etc/profile-a-l/cawbird.profile
+++ b/etc/profile-a-l/cawbird.profile
@@ -39,7 +39,7 @@ disable-mnt
 private-bin cawbird
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 0beeaafdd..1a9340632 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -53,7 +53,7 @@ tracelog
 
 private-bin celluloid,env,gnome-mpv,python*,youtube-dl
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile
index c2fc064f3..713d8a5e4 100644
--- a/etc/profile-a-l/cheese.profile
+++ b/etc/profile-a-l/cheese.profile
@@ -9,17 +9,23 @@ include globals.local
 noblacklist ${VIDEOS}
 noblacklist ${PICTURES}
 
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
 whitelist ${VIDEOS}
 whitelist ${PICTURES}
+whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
 whitelist /usr/share/gnome-video-effects
+whitelist /usr/share/gstreamer-1.0
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -30,21 +36,26 @@ machine-id
 net none
 nodvd
 nogroups
+noinput
 nonewprivs
 noroot
+nosound
 notv
 nou2f
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 
 disable-mnt
 private-bin cheese
 private-cache
-private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0
+private-dev
+private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user filter
+dbus-user.own org.gnome.Cheese
 dbus-user.talk ca.desrt.dconf
 dbus-system none
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile
index 8ccf67ba1..677d2b7eb 100644
--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile
new file mode 100644
index 000000000..26cc2a00a
--- /dev/null
+++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile
index 19a30e694..7421debe0 100644
--- a/etc/profile-a-l/cmus.profile
+++ b/etc/profile-a-l/cmus.profile
@@ -27,4 +27,4 @@ seccomp
 shell none
 
 private-bin cmus
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
diff --git a/etc/profile-a-l/codium.profile b/etc/profile-a-l/codium.profile
new file mode 100644
index 000000000..9ff87ed8a
--- /dev/null
+++ b/etc/profile-a-l/codium.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for VSCodium
+# This file is overwritten after every install/update
+# Persistent local customizations
+include codium.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include vscodium.profile
diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile
index e5debfd82..97bf6d394 100644
--- a/etc/profile-a-l/cola.profile
+++ b/etc/profile-a-l/cola.profile
@@ -7,4 +7,4 @@ include cola.local
 include globals.local
 
 # Redirect
-include git-cola.profile
\ No newline at end of file
+include git-cola.profile
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
index 8d9de93bb..27780b669 100644
--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin com.github.bleakgrey.tootle
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 # Settings are immutable
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index e7aa32be9..0e29d90de 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -52,7 +52,7 @@ disable-mnt
 private-bin com.github.dahenson.agenda
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
index aa9a19fcb..24222164b 100644
--- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
+++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile
@@ -55,7 +55,7 @@ disable-mnt
 private-bin com.github.johnfactotum.Foliate,gjs
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-3.0
+private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 read-only ${HOME}
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile
index 03218d85a..099253b21 100644
--- a/etc/profile-a-l/coyim.profile
+++ b/etc/profile-a-l/coyim.profile
@@ -40,7 +40,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile
index 177abf829..ed1213687 100644
--- a/etc/profile-a-l/crow.profile
+++ b/etc/profile-a-l/crow.profile
@@ -39,7 +39,7 @@ shell none
 disable-mnt
 private-bin crow
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt none
 private-tmp
 private-srv none
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile
index 0e4b8d475..c75bc756f 100644
--- a/etc/profile-a-l/d-feet.profile
+++ b/etc/profile-a-l/d-feet.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts,machine-id
+private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 #memory-deny-write-execute - breaks on Arch (see issue #1803)
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile
index 768f1ac2c..e1b96f186 100644
--- a/etc/profile-a-l/dbus-send.profile
+++ b/etc/profile-a-l/dbus-send.profile
@@ -51,7 +51,7 @@ private
 private-bin dbus-send
 private-cache
 private-dev
-private-etc alternatives,dbus-1
+private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload
 private-lib libpcre*
 private-tmp
 
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index f57063ab6..8c3c22dcf 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile
index 8b7c86789..b170842c3 100644
--- a/etc/profile-a-l/dconf.profile
+++ b/etc/profile-a-l/dconf.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin dconf,gsettings
 private-cache
 private-dev
-private-etc alternatives,dconf
+private-etc alternatives,dconf,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile
index 701755d93..e9b8f5c47 100644
--- a/etc/profile-a-l/ddgtk.profile
+++ b/etc/profile-a-l/ddgtk.profile
@@ -45,7 +45,7 @@ tracelog
 disable-mnt
 private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile
index a416bc27e..562f6b105 100644
--- a/etc/profile-a-l/devhelp.profile
+++ b/etc/profile-a-l/devhelp.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin devhelp
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
+private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
 private-tmp
 
 # makes settings immutable
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile
index 89c8e1ae8..a0f24c388 100644
--- a/etc/profile-a-l/devilspie.profile
+++ b/etc/profile-a-l/devilspie.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin devilspie
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib gconv
 private-tmp
 
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile
index 2613027ba..c04e38899 100644
--- a/etc/profile-a-l/discord-common.profile
+++ b/etc/profile-a-l/discord-common.profile
@@ -24,7 +24,7 @@ whitelist ${HOME}/.config/BetterDiscord
 whitelist ${HOME}/.local/share/betterdiscordctl
 
 private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl
 
 join-or-start discord
 
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile
index 0f134bd87..8a8d816a3 100644
--- a/etc/profile-a-l/display.profile
+++ b/etc/profile-a-l/display.profile
@@ -40,7 +40,7 @@ shell none
 private-bin display,python*
 private-dev
 # On Debian-based systems, display is a symlink in /etc/alternatives
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile
index 26243ab4e..d5591adfb 100644
--- a/etc/profile-a-l/dragon.profile
+++ b/etc/profile-a-l/dragon.profile
@@ -19,6 +19,7 @@ include disable-shell.inc
 include disable-xdg.inc
 
 whitelist /usr/share/dragonplayer
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile
index 6d5e2501f..df7be55de 100644
--- a/etc/profile-a-l/drawio.profile
+++ b/etc/profile-a-l/drawio.profile
@@ -45,7 +45,7 @@ shell none
 private-bin drawio
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile
index fd7f252b6..20cffae73 100644
--- a/etc/profile-a-l/easystroke.profile
+++ b/etc/profile-a-l/easystroke.profile
@@ -45,7 +45,7 @@ disable-mnt
 #private-bin bash,easystroke,sh
 private-cache
 private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
 # breaks custom shell command functionality
 #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 9aac3f570..09d14045a 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -45,7 +45,7 @@ shell none
 private-bin electron-mail
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
 private-opt ElectronMail
 private-tmp
 
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile
index 1647f2bc4..dfbe5cee4 100644
--- a/etc/profile-a-l/electrum.profile
+++ b/etc/profile-a-l/electrum.profile
@@ -47,7 +47,7 @@ private-bin electrum,python*
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 03fd9033a..ac73f002f 100644
--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
 # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
-# and 'blacklist' it in your disable-common.local too so it is  kept hidden from other applications
+# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
 noblacklist ${HOME}/Mail
 
 noblacklist ${DOCUMENTS}
@@ -66,7 +66,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 # encrypting and signing email
 writable-run-user
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile
index dc383984e..eff0f64ea 100644
--- a/etc/profile-a-l/enchant.profile
+++ b/etc/profile-a-l/enchant.profile
@@ -48,7 +48,7 @@ x11 none
 private-bin enchant,enchant-*
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 02112ef20..31f39e210 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -47,6 +47,6 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 5892374bd..65e5c6e69 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -18,7 +18,7 @@ whitelist /usr/share/eog
 
 private-bin eog
 
-# broken on Debian 10 (buster) running LXDE got the folowing error:
+# broken on Debian 10 (buster) running LXDE got the following error:
 # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
 #dbus-user filter
 #dbus-user.own org.gnome.eog
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
index 7566f7b50..0c3b790d5 100644
--- a/etc/profile-a-l/equalx.profile
+++ b/etc/profile-a-l/equalx.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin equalx,gs,pdflatex,pdftocairo
 private-cache
 private-dev
-private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
+private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 19ad5799c..63e456488 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -54,7 +54,7 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-cache
 private-dev
-private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 # private-lib might break two-page-view on some systems
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 49a16f2f2..ae550e842 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -48,7 +48,7 @@ x11 none
 #private-bin exiftool,perl
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile
index 3911a8c75..321cb0145 100644
--- a/etc/profile-a-l/falkon.profile
+++ b/etc/profile-a-l/falkon.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/falkon
 whitelist ${HOME}/.config/falkon
 whitelist /usr/share/falkon
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -46,7 +47,7 @@ disable-mnt
 # private-bin falkon
 private-cache
 private-dev
-private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 # dbus-user filter
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 25e1082ad..ee775566e 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -42,7 +42,7 @@ private
 private-bin bash,fdns,sh
 private-cache
 #private-dev
-private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
 # private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile
index 690b39171..7293e89a8 100644
--- a/etc/profile-a-l/feh-network.inc.profile
+++ b/etc/profile-a-l/feh-network.inc.profile
@@ -5,4 +5,4 @@ include feh-network.inc.local
 ignore net none
 netfilter
 protocol unix,inet,inet6
-private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 0fdb1d3d3..4b8d41170 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -36,7 +36,7 @@ shell none
 private-bin feh,jpegexiforient,jpegtran
 private-cache
 private-dev
-private-etc alternatives,feh
+private-etc alternatives,feh,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile
index 04134cbf4..52abb99d4 100644
--- a/etc/profile-a-l/ffplay.profile
+++ b/etc/profile-a-l/ffplay.profile
@@ -14,7 +14,7 @@ ignore nogroups
 ignore nosound
 
 private-bin ffplay
-private-etc alsa,asound.conf,group
+private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload
 
 # Redirect
 include ffmpeg.profile
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 434466139..06a8f6170 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
 # private-tmp
 
 dbus-system none
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 20ae039aa..ef647b5a0 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -19,6 +19,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.pki
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index e9241efc3..f80297022 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl
 private-dev
 #private-tmp
 
@@ -63,6 +63,6 @@ dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.portal.Desktop
 dbus-user.talk org.gnome.Shell
 dbus-user.talk org.kde.KWin
-dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user.own org.kde.*
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 dbus-system none
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile
index 7beb2bcba..cb00ce11b 100644
--- a/etc/profile-a-l/freetube.profile
+++ b/etc/profile-a-l/freetube.profile
@@ -16,7 +16,7 @@ mkdir ${HOME}/.config/FreeTube
 whitelist ${HOME}/.config/FreeTube
 
 private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index fa08b4956..8419998de 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin frogatto,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile
index bb35c9447..88943760a 100644
--- a/etc/profile-a-l/frozen-bubble.profile
+++ b/etc/profile-a-l/frozen-bubble.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile
index 1009f345b..4a08fca9b 100644
--- a/etc/profile-a-l/funnyboat.profile
+++ b/etc/profile-a-l/funnyboat.profile
@@ -35,7 +35,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index b0d017db9..6d764a0f9 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -59,7 +59,7 @@ disable-mnt
 private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile
index 50b1c319c..4efe41f8d 100644
--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin galculator
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile
index 9c8200dc4..2947873ef 100644
--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl
 noblacklist ${HOME}/.gallery-dl.conf
 
 private-bin gallery-dl
-private-etc gallery-dl.conf
+private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload
 
 # Redirect
 include youtube-dl.profile
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index 8263423a0..ec5b733c8 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -49,7 +49,7 @@ private
 private-bin gapplication
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 # Add the next line to your gapplication.local to filter D-Bus names.
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile
index 388f4c0df..297e5d345 100644
--- a/etc/profile-a-l/gcloud.profile
+++ b/etc/profile-a-l/gcloud.profile
@@ -36,7 +36,7 @@ tracelog
 
 disable-mnt
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile
index b01d88f80..a45374d4e 100644
--- a/etc/profile-a-l/gconf.profile
+++ b/etc/profile-a-l/gconf.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
 private-cache
 private-dev
-private-etc alternatives,fonts,gconf
+private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload
 private-lib GConf,libpython*,python2*
 private-tmp
 
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index 29c620556..cececd9e9 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -70,7 +70,7 @@ tracelog
 private-bin geary
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index f0e17963c..243b893b9 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
-private-etc alternatives,group,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
+private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd
 private-tmp
 
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile
index b2adaa8e4..bc1199914 100644
--- a/etc/profile-a-l/gget.profile
+++ b/etc/profile-a-l/gget.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin gget
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index df9c2ac7a..28070cb9c 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -39,6 +39,7 @@ whitelist /usr/share/gegl-0.4
 whitelist /usr/share/gimp
 whitelist /usr/share/mypaint-data
 whitelist /usr/share/lensfun
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile
index 80fa18119..506ab7127 100644
--- a/etc/profile-a-l/gist.profile
+++ b/etc/profile-a-l/gist.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index f77adef63..6439c8821 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -70,7 +70,7 @@ tracelog
 private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile
index 5dfb48189..16358d064 100644
--- a/etc/profile-a-l/gitter.profile
+++ b/etc/profile-a-l/gitter.profile
@@ -37,7 +37,7 @@ shell none
 
 disable-mnt
 private-bin bash,env,gitter
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl
 private-opt Gitter
 private-dev
 private-tmp
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile
index 35d969e6d..edb85048b 100644
--- a/etc/profile-a-l/gl-117.profile
+++ b/etc/profile-a-l/gl-117.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile
index dec0daef2..b5f98b411 100644
--- a/etc/profile-a-l/glaxium.profile
+++ b/etc/profile-a-l/glaxium.profile
@@ -29,7 +29,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile
index 4aa4b6c20..e53297c06 100644
--- a/etc/profile-a-l/gmpc.profile
+++ b/etc/profile-a-l/gmpc.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 #private-bin gmpc
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index c8903a991..f9df83e2a 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -45,7 +45,7 @@ private
 private-bin gnome-calendar
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile
index d038d775a..dc9092a93 100644
--- a/etc/profile-a-l/gnome-chess.profile
+++ b/etc/profile-a-l/gnome-chess.profile
@@ -50,5 +50,5 @@ disable-mnt
 private-bin fairymax,gnome-chess,gnuchess,hoichess
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0
+private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile
index 96a39f6ce..90665add6 100644
--- a/etc/profile-a-l/gnome-clocks.profile
+++ b/etc/profile-a-l/gnome-clocks.profile
@@ -42,6 +42,6 @@ disable-mnt
 private-bin gnome-clocks,gsound-play
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile
index 19a4bc5c7..ab6279608 100644
--- a/etc/profile-a-l/gnome-hexgl.profile
+++ b/etc/profile-a-l/gnome-hexgl.profile
@@ -42,7 +42,7 @@ private
 private-bin gnome-hexgl
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index 26c2c4409..39a6718a6 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -48,6 +48,6 @@ tracelog
 private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
-private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive
 
 dbus-system none
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 2c15f7592..7ee4d8b75 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -40,7 +40,7 @@ disable-mnt
 private-bin gnome-logs
 private-cache
 private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 writable-var-log
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile
index a00edfa37..7b79fa15d 100644
--- a/etc/profile-a-l/gnome-music.profile
+++ b/etc/profile-a-l/gnome-music.profile
@@ -42,6 +42,6 @@ tracelog
 # private-bin calls a file manager - whatever is installed!
 #private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index b69899c70..a96ec6f05 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin gnome-passwordsafe,python3*
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,passwd
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile
index 3ab2e4aad..6d30213cb 100644
--- a/etc/profile-a-l/gnome-pie.profile
+++ b/etc/profile-a-l/gnome-pie.profile
@@ -34,7 +34,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index 256a0c69f..99d569a04 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin gnome-pomodoro
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile
index 01162b552..b2ce4a92a 100644
--- a/etc/profile-a-l/gnome-recipes.profile
+++ b/etc/profile-a-l/gnome-recipes.profile
@@ -47,7 +47,7 @@ shell none
 disable-mnt
 private-bin gnome-recipes,tar
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl
 private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.*
 private-tmp
 
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index f5afa9fb3..36c6693a9 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin gnome-screenshot
 private-dev
-private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile
index 159145b1b..28a0205b9 100644
--- a/etc/profile-a-l/gnome-sound-recorder.profile
+++ b/etc/profile-a-l/gnome-sound-recorder.profile
@@ -40,5 +40,5 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg
 private-tmp
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index 3f9497e80..02b023855 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin gnome-system-log
 private-cache
 private-dev
-private-etc alternatives,fonts,localtime,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id
 private-lib
 private-tmp
 writable-var-log
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 4640f7f43..c6cd12250 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin gnome-todo
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile
index 4ad39a988..9b4f68808 100644
--- a/etc/profile-a-l/gnome_games-common.profile
+++ b/etc/profile-a-l/gnome_games-common.profile
@@ -41,7 +41,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile
index 2d4ce2437..928f2c548 100644
--- a/etc/profile-a-l/gnote.profile
+++ b/etc/profile-a-l/gnote.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin gnote
 private-cache
 private-dev
-private-etc dconf,fonts,gtk-3.0,pango,X11
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile
index 902e76416..c895b4ce9 100644
--- a/etc/profile-a-l/gnubik.profile
+++ b/etc/profile-a-l/gnubik.profile
@@ -43,7 +43,7 @@ private
 private-bin gnubik
 private-cache
 private-dev
-private-etc drirc,fonts,gtk-2.0
+private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile
index b3c19e97f..46b362db9 100644
--- a/etc/profile-a-l/godot.profile
+++ b/etc/profile-a-l/godot.profile
@@ -38,7 +38,7 @@ tracelog
 # private-bin godot
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile
new file mode 100644
index 000000000..5251ed427
--- /dev/null
+++ b/etc/profile-a-l/goldendict.profile
@@ -0,0 +1,57 @@
+# Firejail profile for goldendict
+# This file is overwritten after every install/update
+# Persistent local customizations
+include goldendict.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.goldendict
+noblacklist ${HOME}/.cache/GoldenDict
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.goldendict
+mkdir ${HOME}/.cache/GoldenDict
+whitelist ${HOME}/.goldendict
+whitelist ${HOME}/.cache/GoldenDict
+# The default path of dictionaries
+whitelist /usr/share/stardict/dic
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# no3d leads to the libGL MESA-LOADER errors
+#no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin goldendict
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile
index b8e2b04df..a35813a09 100644
--- a/etc/profile-a-l/googler-common.profile
+++ b/etc/profile-a-l/googler-common.profile
@@ -54,7 +54,7 @@ disable-mnt
 private-bin env,python3*,sh,w3m
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile
index 9a782b238..26afe6e49 100644
--- a/etc/profile-a-l/gpicview.profile
+++ b/etc/profile-a-l/gpicview.profile
@@ -41,7 +41,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,group,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile
index 54e52d695..511be6fcc 100644
--- a/etc/profile-a-l/gpredict.profile
+++ b/etc/profile-a-l/gpredict.profile
@@ -36,6 +36,6 @@ tracelog
 
 private-bin gpredict
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile
index 31f95fb80..9cc25e45c 100644
--- a/etc/profile-a-l/gradio.profile
+++ b/etc/profile-a-l/gradio.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin gradio
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
index c5bcc85f3..d76ca105f 100644
--- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
+++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile
@@ -40,7 +40,7 @@ private
 private-bin gravity-beams-and-evaporating-stars
 private-cache
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile
index 3231374b7..ec8a614fd 100644
--- a/etc/profile-a-l/gtk-update-icon-cache.profile
+++ b/etc/profile-a-l/gtk-update-icon-cache.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin gtk-update-icon-cache
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile
index 8c4453a8b..d98d341ae 100644
--- a/etc/profile-a-l/gwenview.profile
+++ b/etc/profile-a-l/gwenview.profile
@@ -25,6 +25,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -46,7 +47,7 @@ shell none
 
 private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4
 private-dev
-private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg
+private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg
 
 # dbus-user none
 # dbus-system none
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index f210a264f..74e0faa7f 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -44,7 +44,7 @@ private-bin hyperrogue
 private-cache
 private-cwd ${HOME}
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index c875cad72..200b4c8b1 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -68,5 +68,5 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-a-l/imv.profile b/etc/profile-a-l/imv.profile
new file mode 100644
index 000000000..65e7537bf
--- /dev/null
+++ b/etc/profile-a-l/imv.profile
@@ -0,0 +1,57 @@
+# Firejail profile for imv
+# Description: imv is an image viewer.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include imv.local
+# Persistent global definitions
+include globals.local
+
+include allow-bin-sh.inc
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+# Users may want to view images in ${HOME}
+#include disable-xdg.inc
+
+# Users may want to view images in ${HOME}
+#include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+# Users may want to view images in /usr/share
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin imv,imv-wayland,imv-x11,sh
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile
index 5e54b5441..016a4d6c8 100644
--- a/etc/profile-a-l/inkscape.profile
+++ b/etc/profile-a-l/inkscape.profile
@@ -1,6 +1,7 @@
 # Firejail profile for inkscape
 # Description: Vector-based drawing program
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include inkscape.local
 # Persistent global definitions
@@ -28,6 +29,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /usr/share/inkscape
+include whitelist-run-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile
index ea4ee5ae1..6eefd2945 100644
--- a/etc/profile-a-l/ipcalc.profile
+++ b/etc/profile-a-l/ipcalc.profile
@@ -50,7 +50,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh
 # private-cache
 private-dev
 # empty etc directory
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-opt none
 private-tmp
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile
index 1209c5e11..6ca977512 100644
--- a/etc/profile-a-l/jerry.profile
+++ b/etc/profile-a-l/jerry.profile
@@ -34,7 +34,7 @@ tracelog
 
 private-bin bash,jerry,sh,stockfish
 private-dev
-private-etc fonts,gtk-2.0,gtk-3.0
+private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile
index 8d391b90f..59d762f55 100644
--- a/etc/profile-a-l/jumpnbump-menu.profile
+++ b/etc/profile-a-l/jumpnbump-menu.profile
@@ -10,7 +10,7 @@ include jumpnbump-menu.local
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
-private-bin jumpnbump-menu,python3*
+private-bin env,jumpnbump-menu,python3*
 
 # Redirect
 include jumpnbump.profile
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile
index 77d3f6bf4..4a9232344 100644
--- a/etc/profile-a-l/jumpnbump.profile
+++ b/etc/profile-a-l/jumpnbump.profile
@@ -27,7 +27,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -42,7 +41,7 @@ disable-mnt
 private-bin jumpnbump
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile
index 8799a6f24..e74c57546 100644
--- a/etc/profile-a-l/kaffeine.profile
+++ b/etc/profile-a-l/kaffeine.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile
index 210b7cf03..6ad50cf14 100644
--- a/etc/profile-a-l/kalgebra.profile
+++ b/etc/profile-a-l/kalgebra.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin kalgebra,kalgebramobile
 private-cache
 private-dev
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile
index d8b2dddb1..8c340d536 100644
--- a/etc/profile-a-l/kate.profile
+++ b/etc/profile-a-l/kate.profile
@@ -29,6 +29,7 @@ include disable-exec.inc
 # include disable-interpreters.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 # apparmor
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
index 7b990bf41..277db1c24 100644
--- a/etc/profile-a-l/kazam.profile
+++ b/etc/profile-a-l/kazam.profile
@@ -49,7 +49,7 @@ disable-mnt
 # private-bin kazam,python*
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile
index 46e8ccb82..06978cbf1 100644
--- a/etc/profile-a-l/kcalc.profile
+++ b/etc/profile-a-l/kcalc.profile
@@ -28,6 +28,7 @@ whitelist /usr/share/config.kcfg/kcalc.kcfg
 whitelist /usr/share/kcalc
 whitelist /usr/share/kconf_update/kcalcrc.upd
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -55,7 +56,7 @@ disable-mnt
 private-bin kcalc
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,locale,locale.conf
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf
 # private-lib - problems on Arch
 private-tmp
 
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 7c9be2bcc..df7ee31dc 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# Add the next line to your kdiff3.local if you don't need to compare files in /run.
+#include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share.
 #include whitelist-usr-share-common.inc
@@ -48,7 +50,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin  kdiff3
+private-bin kdiff3
 private-cache
 private-dev
 
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile
index 768a3cef0..5e2d6d8df 100644
--- a/etc/profile-a-l/keepassx.profile
+++ b/etc/profile-a-l/keepassx.profile
@@ -41,7 +41,7 @@ tracelog
 
 private-bin keepassx,keepassx2
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index b915f6202..45a707071 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -88,7 +88,7 @@ tracelog
 
 private-bin keepassxc,keepassxc-cli,keepassxc-proxy
 private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user filter
@@ -98,11 +98,10 @@ dbus-user.talk org.freedesktop.ScreenSaver
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.xfce.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.own org.kde.*
 # Add the next line to your keepassxc.local to allow notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Add the next line to your keepassxc.local to allow the tray menu.
-#dbus-user.talk org.kde.StatusNotifierWatcher
-#dbus-user.own org.kde.*
 dbus-system filter
 dbus-system.talk org.freedesktop.login1
 
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile
index ec315b431..9b6646725 100644
--- a/etc/profile-a-l/kget.profile
+++ b/etc/profile-a-l/kget.profile
@@ -20,6 +20,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile
index e66716eeb..5563aa410 100644
--- a/etc/profile-a-l/kid3.profile
+++ b/etc/profile-a-l/kid3.profile
@@ -37,7 +37,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile
index 968402a8a..837ea9e36 100644
--- a/etc/profile-a-l/kiwix-desktop.profile
+++ b/etc/profile-a-l/kiwix-desktop.profile
@@ -44,7 +44,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile
index f733fa42c..46164403b 100644
--- a/etc/profile-a-l/klavaro.profile
+++ b/etc/profile-a-l/klavaro.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin bash,klavaro,sh,tclsh,tclsh*
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile
index 2c645677c..0796e6876 100644
--- a/etc/profile-a-l/kmail.profile
+++ b/etc/profile-a-l/kmail.profile
@@ -37,6 +37,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 # apparmor
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile
index 723fef0d2..1121dc8a5 100644
--- a/etc/profile-a-l/konversation.profile
+++ b/etc/profile-a-l/konversation.profile
@@ -20,6 +20,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile
index 9d8aa1bd7..6e3b0c875 100644
--- a/etc/profile-a-l/ktorrent.profile
+++ b/etc/profile-a-l/ktorrent.profile
@@ -37,6 +37,7 @@ whitelist ${HOME}/.kde4/share/config/ktorrentrc
 whitelist ${HOME}/.local/share/ktorrent
 whitelist ${HOME}/.local/share/kxmlgui5/ktorrent
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile
index 051782172..44da8acca 100644
--- a/etc/profile-a-l/ktouch.profile
+++ b/etc/profile-a-l/ktouch.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin ktouch
 private-cache
 private-dev
-private-etc alternatives,fonts,kde5rc,machine-id
+private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 262ffb532..718cbbf40 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -68,7 +68,7 @@ tracelog
 private-bin kube,sink_synchronizer
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 writable-run-user
 
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile
index 5bbadfc73..0b8763c29 100644
--- a/etc/profile-a-l/kwin_x11.profile
+++ b/etc/profile-a-l/kwin_x11.profile
@@ -21,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -42,5 +43,5 @@ tracelog
 disable-mnt
 private-bin kwin_x11
 private-dev
-private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
+private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg
 private-tmp
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile
index 682c7782d..aff6f3181 100644
--- a/etc/profile-a-l/kwrite.profile
+++ b/etc/profile-a-l/kwrite.profile
@@ -24,6 +24,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 apparmor
@@ -46,7 +47,7 @@ tracelog
 
 private-bin kbuildsycoca4,kdeinit4,kwrite
 private-dev
-private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
+private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg
 private-tmp
 
 # dbus-user none
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index 328307705..12ff79748 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -21,6 +21,7 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-programs.inc
 
+include whitelist-run-common.inc
 include whitelist-var-common.inc
 
 # Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode.
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
index bd28f25d6..84f5dc50d 100644
--- a/etc/profile-a-l/links-common.profile
+++ b/etc/profile-a-l/links-common.profile
@@ -47,11 +47,11 @@ shell none
 tracelog
 
 disable-mnt
-# Add  'private-bin PROGRAM1,PROGRAM2' to your links-common.local  if you want to use user-configured programs.
+# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs.
 private-bin sh
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 # Add the next line to your links-common.local to allow external media players.
 # private-etc alsa,asound.conf,machine-id,openal,pulse
 private-tmp
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile
index a187ca0fc..fde338ff0 100644
--- a/etc/profile-a-l/lollypop.profile
+++ b/etc/profile-a-l/lollypop.profile
@@ -37,6 +37,6 @@ seccomp
 shell none
 
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile
index fa69463d1..ae2f2d434 100644
--- a/etc/profile-a-l/lyx.profile
+++ b/etc/profile-a-l/lyx.profile
@@ -32,7 +32,7 @@ apparmor
 machine-id
 
 # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex
-private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg
 
 # Redirect
 include latex-common.profile
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile
index 15cb931dd..235640eeb 100644
--- a/etc/profile-m-z/QOwnNotes.profile
+++ b/etc/profile-m-z/QOwnNotes.profile
@@ -50,6 +50,6 @@ tracelog
 disable-mnt
 private-bin gio,QOwnNotes
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-tmp
 
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile
index 866d57e67..89ca53af6 100644
--- a/etc/profile-m-z/Viber.profile
+++ b/etc/profile-m-z/Viber.profile
@@ -33,5 +33,5 @@ shell none
 
 disable-mnt
 private-bin awk,bash,dig,sh,Viber
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11
 private-tmp
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile
index 1acd43023..722e12d9c 100644
--- a/etc/profile-m-z/Xvfb.profile
+++ b/etc/profile-m-z/Xvfb.profile
@@ -43,5 +43,5 @@ private
 # private-bin sh,xkbcomp,Xvfb
 # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb
 private-dev
-private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf
+private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf
 private-tmp
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile
index fc5ae3ee9..47165dd3d 100644
--- a/etc/profile-m-z/magicor.profile
+++ b/etc/profile-m-z/magicor.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin magicor,python2*
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile
new file mode 100644
index 000000000..7e9638fe4
--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+
+memory-deny-write-execute
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index b2f761230..9c5959091 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -58,7 +58,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
 #private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile
index e61578ffe..764d040ab 100644
--- a/etc/profile-m-z/masterpdfeditor.profile
+++ b/etc/profile-m-z/masterpdfeditor.profile
@@ -36,6 +36,6 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile
index 64b184482..2be6b9af1 100644
--- a/etc/profile-m-z/mate-calc.profile
+++ b/etc/profile-m-z/mate-calc.profile
@@ -42,7 +42,7 @@ shell none
 
 disable-mnt
 private-bin mate-calc,mate-calculator
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-dev
 private-opt none
 private-tmp
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile
index a6b49315c..e16b0fc6c 100644
--- a/etc/profile-m-z/mate-color-select.profile
+++ b/etc/profile-m-z/mate-color-select.profile
@@ -33,7 +33,7 @@ shell none
 
 disable-mnt
 private-bin mate-color-select
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-dev
 private-lib
 private-tmp
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile
index 3f3d027b9..469416304 100644
--- a/etc/profile-m-z/mate-dictionary.profile
+++ b/etc/profile-m-z/mate-dictionary.profile
@@ -37,7 +37,7 @@ shell none
 
 disable-mnt
 private-bin mate-dictionary
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-opt mate-dictionary
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile
index 7592d879c..4c4a6aa76 100644
--- a/etc/profile-m-z/mcabber.profile
+++ b/etc/profile-m-z/mcabber.profile
@@ -31,4 +31,4 @@ shell none
 
 private-bin mcabber
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile
index 08d56ede5..bcfd59cbb 100644
--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin mdr
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile
index 7597d4067..9bfbaf745 100644
--- a/etc/profile-m-z/mediainfo.profile
+++ b/etc/profile-m-z/mediainfo.profile
@@ -42,7 +42,7 @@ x11 none
 private-bin mediainfo
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
index 4845e9cce..ed0758a49 100644
--- a/etc/profile-m-z/menulibre.profile
+++ b/etc/profile-m-z/menulibre.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile
new file mode 100644
index 000000000..b4909a9d8
--- /dev/null
+++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,14 @@
+# Firejail profile for meson
+# Description: A high productivity build system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile
index 34d9f470a..095038f08 100644
--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -17,4 +17,4 @@ whitelist ${HOME}/.config/microsoft-edge-beta
 private-opt microsoft
 
 # Redirect
-include chromium-common.profile
\ No newline at end of file
+include chromium-common.profile
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile
index ad7e40b12..16ace7ce4 100644
--- a/etc/profile-m-z/mindless.profile
+++ b/etc/profile-m-z/mindless.profile
@@ -42,7 +42,7 @@ private
 private-bin mindless
 private-cache
 private-dev
-private-etc fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile
index c47a16ffd..be846ce63 100644
--- a/etc/profile-m-z/mirrormagic.profile
+++ b/etc/profile-m-z/mirrormagic.profile
@@ -44,7 +44,7 @@ private
 private-bin mirrormagic
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile
index dbc3c1d40..313d78030 100644
--- a/etc/profile-m-z/mocp.profile
+++ b/etc/profile-m-z/mocp.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin mocp
 private-cache
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile
index f0063d250..fe3c78b55 100644
--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -37,7 +37,7 @@ tracelog
 private-bin mp3splt-gtk
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile
index 400d8a6b6..c89c72ce4 100644
--- a/etc/profile-m-z/mp3splt.profile
+++ b/etc/profile-m-z/mp3splt.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin flacsplt,mp3splt,mp3wrap,oggsplt
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile
index 10964ef24..18a839363 100644
--- a/etc/profile-m-z/mpDris2.profile
+++ b/etc/profile-m-z/mpDris2.profile
@@ -49,7 +49,7 @@ shell none
 private-bin mpDris2,notify-send,python*
 private-cache
 private-dev
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3*
 private-tmp
 
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index fa433b672..efb11465b 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,7 +11,7 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 #    screenshot-directory=~/Pictures
 
-# Mpv has a powerfull lua-API, some off these lua-scripts interact
+# Mpv has a powerful lua-API, some off these lua-scripts interact
 # with external resources which are blocked by firejail. In such cases
 # you need to allow these resources by
 #  - adding additional binaries to private-bin
@@ -74,7 +74,7 @@ seccomp.block-secondary
 shell none
 tracelog
 
-private-bin env,mpv,python*,waf,youtube-dl
+private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
 # private-cache causes slow OSD, see #2838
 #private-cache
 private-dev
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile
index 530e779fc..3fe88ec7f 100644
--- a/etc/profile-m-z/mrrescue.profile
+++ b/etc/profile-m-z/mrrescue.profile
@@ -37,7 +37,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -53,7 +52,7 @@ disable-mnt
 private-bin love,mrrescue,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile
index ad12f53a4..e15b14db7 100644
--- a/etc/profile-m-z/ms-office.profile
+++ b/etc/profile-m-z/ms-office.profile
@@ -35,7 +35,7 @@ tracelog
 
 disable-mnt
 private-bin bash,env,fonts,jak,ms-office,python*,sh
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile
index a04d386a2..006f64ba8 100644
--- a/etc/profile-m-z/mupdf-x11-curl.profile
+++ b/etc/profile-m-z/mupdf-x11-curl.profile
@@ -12,7 +12,7 @@ ignore net none
 netfilter
 protocol unix,inet,inet6
 
-private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 
 # Redirect
 include mupdf.profile
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile
index 07661cac8..796d7fbb0 100644
--- a/etc/profile-m-z/musixmatch.profile
+++ b/etc/profile-m-z/musixmatch.profile
@@ -29,9 +29,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
 disable-mnt
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl
 
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index c4d96711c..d10c55549 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -134,7 +134,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile
index 1b4fc4346..74301df06 100644
--- a/etc/profile-m-z/mypaint.profile
+++ b/etc/profile-m-z/mypaint.profile
@@ -43,7 +43,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile
index 996a1722a..f7c1f0ff7 100644
--- a/etc/profile-m-z/nano.profile
+++ b/etc/profile-m-z/nano.profile
@@ -49,7 +49,7 @@ private-dev
 # Add the next lines to your nano.local if you want to edit files in /etc directly.
 #ignore private-etc
 #writable-etc
-private-etc alternatives,nanorc
+private-etc alternatives,ld.so.cache,ld.so.preload,nanorc
 # Add the next line to your nano.local if you want to edit files in /var directly.
 #writable-var
 
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile
index 58cc716d9..0f55b674f 100644
--- a/etc/profile-m-z/neochat.profile
+++ b/etc/profile-m-z/neochat.profile
@@ -60,6 +60,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.kde.neochat
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.kde.kwalletd5
 dbus-system none
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile
index 7e627a52e..f31cf9dcb 100644
--- a/etc/profile-m-z/neomutt.profile
+++ b/etc/profile-m-z/neomutt.profile
@@ -137,7 +137,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg
 private-tmp
 writable-run-user
 writable-var
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile
index 1bcc6a962..d6ac8d5bc 100644
--- a/etc/profile-m-z/netactview.profile
+++ b/etc/profile-m-z/netactview.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin netactview,netactview_polkit
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile
index fa4ccea7c..cf72bf802 100644
--- a/etc/profile-m-z/newsboat.profile
+++ b/etc/profile-m-z/newsboat.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin gzip,lynx,newsboat,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile
index 56cedec03..9966a0e1b 100644
--- a/etc/profile-m-z/newsflash.profile
+++ b/etc/profile-m-z/newsflash.profile
@@ -51,7 +51,7 @@ disable-mnt
 private-bin com.gitlab.newsflash,newsflash
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index cb499ba34..354d3351e 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -61,12 +61,11 @@ tracelog
 disable-mnt
 private-bin nextcloud,nextcloud-desktop
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-dev
 private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
-# Add the next line to your nextcloud.local for tray icon support
-#dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 035ad086a..89a146a09 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -51,11 +51,9 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
-
-# Add the next lines to your nheko.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+dbus-user.talk org.freedesktop.secrets
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your nheko.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
-dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile
index d5dd4ca95..d6234cd04 100644
--- a/etc/profile-m-z/nitroshare.profile
+++ b/etc/profile-m-z/nitroshare.profile
@@ -42,7 +42,7 @@ disable-mnt
 private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl
+private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl
 # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare
 private-tmp
 
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile
index b044fb879..7ffb09e56 100644
--- a/etc/profile-m-z/nomacs.profile
+++ b/etc/profile-m-z/nomacs.profile
@@ -41,5 +41,5 @@ tracelog
 #private-bin nomacs
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
new file mode 100644
index 000000000..560ee9db3
--- /dev/null
+++ b/etc/profile-m-z/noprofile.profile
@@ -0,0 +1,28 @@
+# This is the weakest possible firejail profile.
+# If a program still fail with this profile, it is incompatible with firejail.
+# (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
+#
+# Usage:
+#   1. download
+#   2. firejail --profile=noprofile.profile /path/to/program
+
+# Keep in mind that even with this profile some things are done
+# which can break the program.
+# - some env-vars are cleared
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
+# - a new private pid-namespace is created
+# - a minimal hardcoded blacklist is applied
+# - ...
+
+noblacklist /sys/fs
+noblacklist /sys/module
+
+allow-debuggers
+allusers
+keep-config-pulse
+keep-dev-shm
+keep-var-tmp
+writable-etc
+writable-run-user
+writable-var
+writable-var-log
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
index 5caf3374d..9f23c099d 100644
--- a/etc/profile-m-z/notify-send.profile
+++ b/etc/profile-m-z/notify-send.profile
@@ -49,7 +49,7 @@ private
 private-bin notify-send
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile
index 886403b9e..9f4a6ec46 100644
--- a/etc/profile-m-z/nuclear.profile
+++ b/etc/profile-m-z/nuclear.profile
@@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear
 no3d
 
 # private-bin nuclear
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt nuclear
 
 # Redirect
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile
index 460a580b3..653591482 100644
--- a/etc/profile-m-z/nyx.profile
+++ b/etc/profile-m-z/nyx.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin nyx,python*
 private-cache
 private-dev
-private-etc alternatives,fonts,passwd,tor
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,passwd,tor
 private-opt none
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index 8e87f1d5d..0bfb35333 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -45,7 +45,7 @@ tracelog
 private-bin ocenaudio
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse
 private-tmp
 
 # breaks preferences
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile
index 22cec475b..de62f4114 100644
--- a/etc/profile-m-z/odt2txt.profile
+++ b/etc/profile-m-z/odt2txt.profile
@@ -38,7 +38,7 @@ x11 none
 private-bin odt2txt
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile
index 84edc65ef..fb28ad89f 100644
--- a/etc/profile-m-z/okular.profile
+++ b/etc/profile-m-z/okular.profile
@@ -36,6 +36,7 @@ whitelist /usr/share/kconf_update/okular.upd
 whitelist /usr/share/kxmlgui5/okular
 whitelist /usr/share/okular
 whitelist /usr/share/poppler
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -61,7 +62,7 @@ tracelog
 
 private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar
 private-dev
-private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg
+private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 
 # dbus-user none
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
index b0ffba19c..e05e58cad 100644
--- a/etc/profile-m-z/onboard.profile
+++ b/etc/profile-m-z/onboard.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-cache
 private-bin onboard,python*,tput
 private-dev
-private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
+private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile
index 12c7ea3d0..c2c22f42d 100644
--- a/etc/profile-m-z/open-invaders.profile
+++ b/etc/profile-m-z/open-invaders.profile
@@ -25,7 +25,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 076a655a1..c3ac097a0 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile
index 253465991..68362cbc8 100644
--- a/etc/profile-m-z/openclonk.profile
+++ b/etc/profile-m-z/openclonk.profile
@@ -28,7 +28,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile
index 2595d8a8f..c016b5103 100644
--- a/etc/profile-m-z/pandoc.profile
+++ b/etc/profile-m-z/pandoc.profile
@@ -11,6 +11,8 @@ blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +21,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 # breaks pdf output
 #include whitelist-var-common.inc
 
@@ -39,15 +42,15 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 shell none
 tracelog
 x11 none
 
 disable-mnt
-private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf
 private-cache
 private-dev
-private-etc alternatives,texlive,texmf
+private-etc alternatives,ld.so.cache,ld.so.preload,texlive,texmf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile
index 33d75f0d2..3d380542f 100644
--- a/etc/profile-m-z/parole.profile
+++ b/etc/profile-m-z/parole.profile
@@ -27,4 +27,4 @@ shell none
 
 private-bin dbus-launch,parole
 private-cache
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile
index 0bd14e88e..d64aab200 100644
--- a/etc/profile-m-z/pavucontrol.profile
+++ b/etc/profile-m-z/pavucontrol.profile
@@ -45,7 +45,7 @@ disable-mnt
 private-bin pavucontrol
 private-cache
 private-dev
-private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,avahi,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
 private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile
index bebd4ba44..41ec98a39 100644
--- a/etc/profile-m-z/pdfchain.profile
+++ b/etc/profile-m-z/pdfchain.profile
@@ -34,7 +34,7 @@ shell none
 
 private-bin pdfchain,pdftk,sh
 private-dev
-private-etc alternatives,dconf,fonts,gtk-3.0,xdg
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile
index 0cb08aa74..9d2f2b95f 100644
--- a/etc/profile-m-z/pdftotext.profile
+++ b/etc/profile-m-z/pdftotext.profile
@@ -48,7 +48,7 @@ x11 none
 private-bin pdftotext
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index a8f925313..f5c295b5d 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -48,7 +48,7 @@ tracelog
 disable-mnt
 private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
 private-dev
-private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
+private-etc alternatives,dconf,firejail,fonts,gtk-3.0,ld.so.cache,ld.so.preload,login.defs,pango,passwd,X11
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
index c012504c4..80efedec7 100644
--- a/etc/profile-m-z/photoflare.profile
+++ b/etc/profile-m-z/photoflare.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin photoflare
 private-cache
 private-dev
-private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 5b2d7a5a4..69c78740d 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -50,7 +50,7 @@ disable-mnt
 private-bin pingus,pingus.bin,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
new file mode 100644
index 000000000..a0926371f
--- /dev/null
+++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
+# Firejail profile for pip
+# Description: package manager for Python packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.local/lib
+
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+#whitelist ${HOME}/.local/lib/python*
+
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile
index c2707dac4..69b954f53 100644
--- a/etc/profile-m-z/pkglog.profile
+++ b/etc/profile-m-z/pkglog.profile
@@ -44,7 +44,7 @@ private
 private-bin pkglog,python*
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 writable-var-log
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile
index 80f768170..38ccf72e8 100644
--- a/etc/profile-m-z/plv.profile
+++ b/etc/profile-m-z/plv.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin plv
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 writable-var-log
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile
index 0b3d2b44c..6b989202f 100644
--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -47,7 +47,7 @@ x11 none
 private-bin pngquant
 private-cache
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile
index bc0ff0e85..fd595c27a 100644
--- a/etc/profile-m-z/pragha.profile
+++ b/etc/profile-m-z/pragha.profile
@@ -33,6 +33,6 @@ seccomp
 shell none
 
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile
index 705af370b..25a248425 100644
--- a/etc/profile-m-z/profanity.profile
+++ b/etc/profile-m-z/profanity.profile
@@ -44,7 +44,7 @@ shell none
 private-bin profanity
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index 450bb10c7..99a72adee 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -71,7 +71,7 @@ disable-mnt
 private-bin getopt,psi
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile
index 3dc232b55..555e1e41b 100644
--- a/etc/profile-m-z/qgis.profile
+++ b/etc/profile-m-z/qgis.profile
@@ -52,7 +52,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile
index 4eee0df5f..4a3ce366e 100644
--- a/etc/profile-m-z/qnapi.profile
+++ b/etc/profile-m-z/qnapi.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin 7z,qnapi
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
index 7ef676068..dd3f24875 100644
--- a/etc/profile-m-z/qrencode.profile
+++ b/etc/profile-m-z/qrencode.profile
@@ -47,7 +47,7 @@ disable-mnt
 private-bin qrencode
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib libpcre*
 private-tmp
 
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile
index bae802cc6..60e1539fa 100644
--- a/etc/profile-m-z/qtox.profile
+++ b/etc/profile-m-z/qtox.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin qtox
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile
index 1de59bc7c..f1ce313e7 100644
--- a/etc/profile-m-z/regextester.profile
+++ b/etc/profile-m-z/regextester.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin regextester
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib libgranite.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/retroarch.profile b/etc/profile-m-z/retroarch.profile
new file mode 100644
index 000000000..1887a9b72
--- /dev/null
+++ b/etc/profile-m-z/retroarch.profile
@@ -0,0 +1,54 @@
+# Firejail profile for retroarch
+# Description: retroarch is a frontend to libretro emulator cores.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include retroarch.local
+# Persistent global definitions
+include globals.local
+
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/retroarch
+whitelist ${HOME}/.config/retroarch
+whitelist /run/udev
+whitelist /usr/share/retroarch
+whitelist /usr/share/libretro
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+# If you need access to cameras, add `ignore novideo` to retroarch.local
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin retroarch
+private-cache
+private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 23a65f54a..e44e55a12 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin rsync
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile
index 1069c34ea..70b5d844a 100644
--- a/etc/profile-m-z/scorchwentbonkers.profile
+++ b/etc/profile-m-z/scorchwentbonkers.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin scorchwentbonkers
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile
index af7d5eeac..72d6d5cf7 100644
--- a/etc/profile-m-z/seahorse-adventures.profile
+++ b/etc/profile-m-z/seahorse-adventures.profile
@@ -48,7 +48,7 @@ private
 private-bin bash,dash,python*,seahorse-adventures,sh
 private-cache
 private-dev
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile
index 96ff74edf..9ef174606 100644
--- a/etc/profile-m-z/seahorse-tool.profile
+++ b/etc/profile-m-z/seahorse-tool.profile
@@ -8,7 +8,7 @@ include seahorse-tool.local
 #include globals.local
 
 # private-etc workaround for: #2877
-private-etc firejail,login.defs,passwd
+private-etc alternatives,firejail,ld.so.cache,ld.so.preload,login.defs,passwd
 private-tmp
 
 # Redirect
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 94a27da87..7382e4712 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -60,7 +60,7 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
 writable-run-user
 
 dbus-user filter
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
index b6a828636..3b569eeaf 100644
--- a/etc/profile-m-z/shotwell.profile
+++ b/etc/profile-m-z/shotwell.profile
@@ -49,7 +49,7 @@ tracelog
 private-bin shotwell
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-opt none
 private-tmp
 
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile
index 51f6c8b00..a511ebb1c 100644
--- a/etc/profile-m-z/slack.profile
+++ b/etc/profile-m-z/slack.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Slack
 whitelist ${HOME}/.config/Slack
 
 private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
index 31d14924c..0cdb5537e 100644
--- a/etc/profile-m-z/smuxi-frontend-gnome.profile
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -48,7 +48,7 @@ disable-mnt
 private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile
index ebdd5c1f8..099e6a2ad 100644
--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -6,9 +6,9 @@ include softmaker-common.local
 # added by caller profile
 #include globals.local
 
-# The offical packages install the desktop file under /usr/local/share/applications
-# with an absolute Exec line. These files are NOT handelt by firecfg,
-# therefore you must manualy copy them in you home and remove '/usr/bin/'.
+# The official packages install the desktop file under /usr/local/share/applications
+# with an absolute Exec line. These files are NOT handled by firecfg,
+# therefore you must manually copy them in you home and remove '/usr/bin/'.
 
 noblacklist ${HOME}/SoftMaker
 
@@ -43,7 +43,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index d803fa5ce..fc4ae2b04 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -22,7 +22,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile  ${HOME}/.config/spectaclerc
+mkfile ${HOME}/.config/spectaclerc
 whitelist ${HOME}/.config/spectaclerc
 whitelist ${PICTURES}
 whitelist /usr/share/kconf_update/spectacle_newConfig.upd
@@ -56,7 +56,7 @@ disable-mnt
 private-bin spectacle
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 5f17b73dc..3f7f68009 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -49,10 +49,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
-dbus-user none
-# Add the next lines to your spectral.local to enable notification support.
-#ignore dbus-user none
-#dbus-user filter
+dbus-user filter
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+# Add the next line to your spectral.local to enable notification support.
 #dbus-user.talk org.freedesktop.Notifications
-#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index ffee76d23..0ce918161 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -44,7 +44,7 @@ disable-mnt
 private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity
 private-dev
 # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local.
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl
 private-opt spotify
 private-srv none
 private-tmp
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile
index e35f74404..deaf37f52 100644
--- a/etc/profile-m-z/sqlitebrowser.profile
+++ b/etc/profile-m-z/sqlitebrowser.profile
@@ -42,7 +42,7 @@ shell none
 private-bin sqlitebrowser
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,ssl
 private-tmp
 
 # breaks proxy creation
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile
index 11723664f..9d3fe9637 100644
--- a/etc/profile-m-z/ssh-agent.profile
+++ b/etc/profile-m-z/ssh-agent.profile
@@ -11,6 +11,7 @@ include allow-ssh.inc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+noblacklist /usr/lib/openssh/ssh-keysign
 
 include disable-common.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile
index 9295013e7..194b2082c 100644
--- a/etc/profile-m-z/ssh.profile
+++ b/etc/profile-m-z/ssh.profile
@@ -10,6 +10,7 @@ include globals.local
 # nc can be used as ProxyCommand, e.g. when using tor
 noblacklist ${PATH}/nc
 noblacklist ${PATH}/ncat
+noblacklist /usr/lib/openssh/ssh-keysign
 
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile
index d54ddacdd..7a59274bf 100644
--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -38,7 +38,7 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile
index d73927f2a..513abc21b 100644
--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/straw-viewer
 private-bin gtk-straw-viewer,straw-viewer
 
 # Redirect
-include youtube-viewers-common.profile
\ No newline at end of file
+include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile
index dfb0a3e3b..32e43f079 100644
--- a/etc/profile-m-z/strawberry.profile
+++ b/etc/profile-m-z/strawberry.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin strawberry,strawberry-tagreader
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-system none
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile
index 100ac9d14..a9f22085b 100644
--- a/etc/profile-m-z/subdownloader.profile
+++ b/etc/profile-m-z/subdownloader.profile
@@ -44,7 +44,7 @@ tracelog
 
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile
index 0e9113821..464fa1b08 100644
--- a/etc/profile-m-z/supertux2.profile
+++ b/etc/profile-m-z/supertux2.profile
@@ -30,7 +30,6 @@ caps.drop all
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
@@ -45,7 +44,7 @@ tracelog
 disable-mnt
 # private-bin supertux2
 private-cache
-private-etc machine-id
+private-etc alternatives,ld.so.cache,ld.so.preload,machine-id
 private-dev
 private-tmp
 
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 7ba7e7023..473472251 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -54,7 +54,7 @@ private-bin supertuxkart
 private-cache
 # Add the next line to your supertuxkart.local if you do not need controller support.
 #private-dev
-private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.cache,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
 private-opt none
 private-srv none
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile
index 7c092fccc..c04f00cab 100644
--- a/etc/profile-m-z/surf.profile
+++ b/etc/profile-m-z/surf.profile
@@ -34,6 +34,6 @@ tracelog
 disable-mnt
 private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl
 private-tmp
 
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile
index 4637419bf..046d1b4be 100644
--- a/etc/profile-m-z/sway.profile
+++ b/etc/profile-m-z/sway.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Sway
-# Description: i3-compatible Wayland compositor 
+# Description: i3-compatible Wayland compositor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include sway.local
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile
index ac4a380bb..c7119ae0f 100644
--- a/etc/profile-m-z/sysprof.profile
+++ b/etc/profile-m-z/sysprof.profile
@@ -63,7 +63,7 @@ disable-mnt
 #private-bin sysprof - breaks help menu
 private-cache
 private-dev
-private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl
 # private-lib - breaks help menu
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 0d3a900e9..0817adda8 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -14,7 +14,7 @@ ignore include disable-shell.inc
 # all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 
-private-etc alternatives,group,localtime,login.defs,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,login.defs,passwd
 #private-lib libfakeroot,liblzma.so.*,libreadline.so.*
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile
index c97921d92..ee19bcd00 100644
--- a/etc/profile-m-z/teams-for-linux.profile
+++ b/etc/profile-m-z/teams-for-linux.profile
@@ -20,7 +20,7 @@ mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
 
 private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
-private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile
index df54fb9ba..d0fb0d43e 100644
--- a/etc/profile-m-z/teeworlds.profile
+++ b/etc/profile-m-z/teeworlds.profile
@@ -26,7 +26,6 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 115be54eb..dc1f77664 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -41,16 +41,16 @@ seccomp.block-secondary
 shell none
 
 disable-mnt
-#private-bin telegram,Telegram,telegram-desktop
+private-bin telegram,Telegram,telegram-desktop
 private-cache
 private-dev
-private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
+private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg
 private-tmp
 
 dbus-user filter
 dbus-user.own org.telegram.desktop.*
 dbus-user.talk org.freedesktop.Notifications
-dbus-user.talk org.kde.StatusNotifierWatcher
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.freedesktop.ScreenSaver
 dbus-system none
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile
index 7c18aab50..d2db44b1c 100644
--- a/etc/profile-m-z/tilp.profile
+++ b/etc/profile-m-z/tilp.profile
@@ -30,6 +30,6 @@ tracelog
 disable-mnt
 private-bin tilp
 private-cache
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index 039063c1e..1d4ee9370 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -58,7 +58,7 @@ disable-mnt
 private-bin rtin,tin
 private-cache
 private-dev
-private-etc passwd,resolv.conf,terminfo,tin
+private-etc alternatives,ld.so.cache,ld.so.preload,passwd,resolv.conf,terminfo,tin
 private-lib terminfo
 private-tmp
 
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile
index 08e949309..d8cd8eb44 100644
--- a/etc/profile-m-z/tor.profile
+++ b/etc/profile-m-z/tor.profile
@@ -46,6 +46,6 @@ private
 private-bin bash,tor
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
 private-tmp
 writable-var
diff --git a/etc/profile-m-z/torbrowser.profile b/etc/profile-m-z/torbrowser.profile
new file mode 100644
index 000000000..fc579b973
--- /dev/null
+++ b/etc/profile-m-z/torbrowser.profile
@@ -0,0 +1,26 @@
+# Firejail profile for torbrowser
+# Description: This profile was tested with www-client/torbrowser::torbrowser
+# on Gentoo Linux.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torbrowser.local
+# Persistent global definitions
+include globals.local
+
+ignore dbus-user none
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.mozilla
+
+blacklist /usr/libexec
+
+mkdir ${HOME}/.cache/mozilla/torbrowser
+mkdir ${HOME}/.mozilla
+whitelist ${HOME}/.cache/mozilla/torbrowser
+whitelist ${HOME}/.mozilla
+include whitelist-usr-share-common.inc
+
+dbus-user filter
+dbus-user.own org.mozilla.torbrowser.*
+
+include firefox-common.profile
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile
index a7ebaf2af..19e586db4 100644
--- a/etc/profile-m-z/torcs.profile
+++ b/etc/profile-m-z/torcs.profile
@@ -28,7 +28,6 @@ ipc-namespace
 net none
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile
index 2b63f6448..4acb8e7e8 100644
--- a/etc/profile-m-z/transgui.profile
+++ b/etc/profile-m-z/transgui.profile
@@ -45,7 +45,7 @@ tracelog
 private-bin geoiplookup,geoiplookup6,transgui
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile
index 486be5fe6..8a1711e97 100644
--- a/etc/profile-m-z/transmission-cli.profile
+++ b/etc/profile-m-z/transmission-cli.profile
@@ -8,7 +8,7 @@ include transmission-cli.local
 include globals.local
 
 private-bin transmission-cli
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile
index 348d3cb80..5d28f2f10 100644
--- a/etc/profile-m-z/transmission-daemon.profile
+++ b/etc/profile-m-z/transmission-daemon.profile
@@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 protocol packet
 
 private-bin transmission-daemon
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 
 read-write /var/lib/transmission
 writable-var-log
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile
index a6400e2c0..6a0f1bde3 100644
--- a/etc/profile-m-z/transmission-remote-gtk.profile
+++ b/etc/profile-m-z/transmission-remote-gtk.profile
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk
 mkdir ${HOME}/.config/transmission-remote-gtk
 whitelist ${HOME}/.config/transmission-remote-gtk
 
-private-etc fonts,hostname,hosts,resolv.conf
+private-etc alternatives,fonts,hostname,hosts,ld.so.cache,ld.so.preload,resolv.conf
 # Problems with private-lib (see issue #2889)
 ignore private-lib
 
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile
index fee4999e6..565433d99 100644
--- a/etc/profile-m-z/transmission-remote.profile
+++ b/etc/profile-m-z/transmission-remote.profile
@@ -8,7 +8,7 @@ include transmission-remote.local
 include globals.local
 
 private-bin transmission-remote
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile
index 5a3c83f58..0a5826ec4 100644
--- a/etc/profile-m-z/transmission-show.profile
+++ b/etc/profile-m-z/transmission-show.profile
@@ -8,7 +8,7 @@ include transmission-show.local
 include globals.local
 
 private-bin transmission-show
-private-etc alternatives,hosts,nsswitch.conf
+private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf
 
 # Redirect
 include transmission-common.profile
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 4e16df553..96541ae25 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -8,6 +8,9 @@ include globals.local
 
 noblacklist ${HOME}/.tremulous
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -41,7 +44,7 @@ shell none
 tracelog
 
 disable-mnt
-private-bin tremded,tremulous,tremulous-wrapper
+private-bin env,sh,tremded,tremulous,tremulous-wrapper
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index 41426c606..60a192ac1 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -54,7 +54,7 @@ tracelog
 private-bin trojita
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
index d767b4c9d..987a2b719 100644
--- a/etc/profile-m-z/twitch.profile
+++ b/etc/profile-m-z/twitch.profile
@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch
 whitelist ${HOME}/.config/Twitch
 
 private-bin electron,electron[0-9],electron[0-9][0-9],twitch
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Twitch
 
 # Redirect
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile
index 212e6d181..1b82ad881 100644
--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -49,7 +49,7 @@ private-bin unf
 private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
-private-etc alternatives
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
 
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile
index 9d3d9b40e..443d1f415 100644
--- a/etc/profile-m-z/unrar.profile
+++ b/etc/profile-m-z/unrar.profile
@@ -8,7 +8,7 @@ include unrar.local
 include globals.local
 
 private-bin unrar
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 private-tmp
 
 # Redirect
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile
index 0231e3dba..97df693ba 100644
--- a/etc/profile-m-z/unzip.profile
+++ b/etc/profile-m-z/unzip.profile
@@ -10,7 +10,7 @@ include globals.local
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
 
-private-etc alternatives,group,localtime,passwd
+private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd
 
 # Redirect
 include archiver-common.profile
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile
index b164494fa..5a867a683 100644
--- a/etc/profile-m-z/utox.profile
+++ b/etc/profile-m-z/utox.profile
@@ -43,7 +43,7 @@ disable-mnt
 private-bin utox
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile
index 3b38f16e0..426766e17 100644
--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -41,7 +41,7 @@ x11 none
 private-bin uudeview
 private-cache
 private-dev
-private-etc alternatives,ld.so.preload
+private-etc alternatives,ld.so.cache,ld.so.preload
 
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile
index 469e65542..585a8eddb 100644
--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin viewnior
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 6ab9aa15b..227ad83cc 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -45,7 +45,7 @@ tracelog
 #disable-mnt
 #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami
 private-cache
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index cb85836b7..1e3983f0e 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -38,6 +38,6 @@ tracelog
 #disable-mnt
 # Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
-private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
+private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
 dbus-system none
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile
index a4a4fb7d8..9c0a887b2 100644
--- a/etc/profile-m-z/vscodium.profile
+++ b/etc/profile-m-z/vscodium.profile
@@ -1,4 +1,4 @@
-# Firejail profile alias for Visual Studio Code
+# Firejail profile alias for VSCodium
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vscodium.local
@@ -7,6 +7,8 @@ include vscodium.local
 #include globals.local
 
 noblacklist ${HOME}/.VSCodium
+noblacklist ${HOME}/.config/VSCodium
+noblacklist ${HOME}/.vscode-oss
 
 # Redirect
 include code.profile
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 81c8a2f5c..c9e209142 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -62,7 +62,7 @@ disable-mnt
 private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile
index 92e0e7a83..0a6f19b1e 100644
--- a/etc/profile-m-z/warmux.profile
+++ b/etc/profile-m-z/warmux.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin warmux
 private-cache
 private-dev
-private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index 5659ec69c..2f818b733 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -11,6 +11,9 @@ ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/warsow-2.1
 noblacklist ${HOME}/.local/share/warsow-2.1
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -34,19 +37,18 @@ ipc-namespace
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
 
 disable-mnt
-private-bin warsow
+private-bin basename,bash,dirname,sed,sh,uname,warsow
 private-cache
 private-dev
 private-tmp
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile
index 2f26bf14c..92ebebdae 100644
--- a/etc/profile-m-z/whalebird.profile
+++ b/etc/profile-m-z/whalebird.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/.config/Whalebird
 no3d
 
 private-bin electron,electron[0-9],electron[0-9][0-9],whalebird
-private-etc fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile
index 755e62f60..afff6f587 100644
--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -47,7 +47,7 @@ private
 private-bin bash,sh,whois
 private-cache
 private-dev
-private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
+private-etc alternatives,hosts,jwhois.conf,ld.so.cache,ld.so.preload,resolv.conf,services,whois.conf
 private-lib gconv
 private-tmp
 
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 151cd2adb..d8742cd71 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
 
 private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
-private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl
 
 # Redirect
 include electron.profile
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile
index b2f3341ee..3147c2ac3 100644
--- a/etc/profile-m-z/wordwarvi.profile
+++ b/etc/profile-m-z/wordwarvi.profile
@@ -45,7 +45,7 @@ private
 private-bin wordwarvi
 private-cache
 private-dev
-private-etc alsa,asound.conf,machine-id,pulse
+private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile
index c9e408ccd..bb119996c 100644
--- a/etc/profile-m-z/xbill.profile
+++ b/etc/profile-m-z/xbill.profile
@@ -44,7 +44,7 @@ private
 private-bin xbill
 private-cache
 private-dev
-private-etc none
+private-etc alternatives,ld.so.cache,ld.so.preload
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile
index 05c46dffb..386ef2bd6 100644
--- a/etc/profile-m-z/xfce4-mixer.profile
+++ b/etc/profile-m-z/xfce4-mixer.profile
@@ -46,7 +46,7 @@ disable-mnt
 private-bin xfce4-mixer,xfconf-query
 private-cache
 private-dev
-private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id,pulse
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile
index b869ae005..d74ed5754 100644
--- a/etc/profile-m-z/xfce4-screenshooter.profile
+++ b/etc/profile-m-z/xfce4-screenshooter.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin xfce4-screenshooter,xfconf-query
 private-dev
-private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile
index 070e5e0f7..c7fd0799b 100644
--- a/etc/profile-m-z/xiphos.profile
+++ b/etc/profile-m-z/xiphos.profile
@@ -47,5 +47,5 @@ disable-mnt
 private-bin xiphos
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf
 private-tmp
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile
index d5e25cfe7..404baf607 100644
--- a/etc/profile-m-z/xlinks.profile
+++ b/etc/profile-m-z/xlinks.profile
@@ -14,7 +14,7 @@ include whitelist-common.inc
 # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
 # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin xlinks
-private-etc fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 
 # Redirect
 include links.profile
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2
index 1ae6a60ca..d7edd3543 100644
--- a/etc/profile-m-z/xlinks2
+++ b/etc/profile-m-z/xlinks2
@@ -14,7 +14,7 @@ include whitelist-common.inc
 # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2'
 # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin xlinks2
-private-etc fonts
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 
 # Redirect
 include links2.profile
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile
index 8179e8d76..e541436a4 100644
--- a/etc/profile-m-z/xmr-stak.profile
+++ b/etc/profile-m-z/xmr-stak.profile
@@ -38,7 +38,7 @@ disable-mnt
 private ${HOME}/.xmr-stak
 private-bin xmr-stak
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl
 #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend
 private-opt cuda
 private-tmp
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 6ffe9ece9..7c2b38d1d 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -32,7 +32,6 @@ caps.drop all
 netfilter
 nodvd
 nogroups
-noinput
 nonewprivs
 noroot
 notv
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile
index e4282a125..a0e77b4e7 100644
--- a/etc/profile-m-z/xournal.profile
+++ b/etc/profile-m-z/xournal.profile
@@ -43,7 +43,7 @@ tracelog
 private-bin xournal
 private-cache
 private-dev
-private-etc alternatives,fonts,group,machine-id,passwd
+private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 # TODO should use private-lib
 private-tmp
 
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile
index f59adc6e2..8b880426f 100644
--- a/etc/profile-m-z/xreader.profile
+++ b/etc/profile-m-z/xreader.profile
@@ -39,7 +39,7 @@ tracelog
 
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-etc alternatives,fonts,ld.so.cache
+private-etc alternatives,fonts,ld.so.cache,ld.so.preload
 private-tmp
 
 memory-deny-write-execute
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 2a6dbe1bf..31a51b2c4 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -56,7 +56,7 @@ disable-mnt
 private-bin groff,man,tbl,troff,yelp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
+private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml
 private-tmp
 
 dbus-user filter
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile
index 5d6fb47c1..94f37a92b 100644
--- a/etc/profile-m-z/youtube-dl-gui.profile
+++ b/etc/profile-m-z/youtube-dl-gui.profile
@@ -49,7 +49,7 @@ disable-mnt
 private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile
index 145e565fd..71e50ab11 100644
--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -58,7 +58,7 @@ tracelog
 private-bin env,ffmpeg,python*,youtube-dl
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
+private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile
index b54dd37ad..825599fcc 100644
--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/youtube-viewer
 private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
 
 # Redirect
-include youtube-viewers-common.profile
\ No newline at end of file
+include youtube-viewers-common.profile
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile
index a05f05c51..80d551038 100644
--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -53,7 +53,7 @@ disable-mnt
 private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp
 private-cache
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
index efb001ee6..5c4d697da 100644
--- a/etc/profile-m-z/youtube.profile
+++ b/etc/profile-m-z/youtube.profile
@@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube
 whitelist ${HOME}/.config/Youtube
 
 private-bin electron,electron[0-9],electron[0-9][0-9],youtube
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt Youtube
 
 # Redirect
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
index ce7161a70..2b5ffeaaf 100644
--- a/etc/profile-m-z/youtubemusic-nativefier.profile
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164
 whitelist ${HOME}/.config/youtubemusic-nativefier-040164
 
 private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-opt youtubemusic-nativefier
 
 # Redirect
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile
index 1c3382a08..88e7a0949 100644
--- a/etc/profile-m-z/yt-dlp.profile
+++ b/etc/profile-m-z/yt-dlp.profile
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.config/yt-dlp
 noblacklist ${HOME}/yt-dlp.conf
 
 private-bin yt-dlp
-private-etc yt-dlp.conf
+private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf
 
 # Redirect
 include youtube-dl.profile
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
index ab46fccc2..59b6e2543 100644
--- a/etc/profile-m-z/ytmdesktop.profile
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app
 whitelist ${HOME}/.config/youtube-music-desktop-app
 
 # private-bin env,ytmdesktop
-private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 # private-opt
 
 # Redirect
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile
index 604da4c8e..8acfdd651 100644
--- a/etc/profile-m-z/zulip.profile
+++ b/etc/profile-m-z/zulip.profile
@@ -44,5 +44,5 @@ disable-mnt
 private-bin locale,zulip
 private-cache
 private-dev
-private-etc asound.conf,fonts,machine-id
+private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index e580a0c0c..44197b547 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -116,6 +116,7 @@ include globals.local
 #include disable-devel.inc
 #include disable-exec.inc
 #include disable-interpreters.inc
+#include disable-proc.inc
 #include disable-programs.inc
 #include disable-shell.inc
 #include disable-write-mnt.inc
@@ -204,7 +205,7 @@ include globals.local
 
 # Since 0.9.63 also a more granular control of dbus is supported.
 # To get the dbus-addresses an application needs access to you can
-# check with flatpak (when the application is distriputed that way):
+# check with flatpak (when the application is distributed that way):
 #    flatpak remote-info --show-metadata flathub <APP-ID>
 # Notes:
 #  - flatpak implicitly allows an app to own <APP-ID> on the session bus
diff --git a/gcov.sh b/gcov.sh
index a9d30b676..61f4b2483 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -24,8 +24,8 @@ gcov_init() {
 }
 
 generate() {
-        lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d  src/fcopy -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
-        lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new  --output-file gcov-file
+        lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
+        lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
         rm -fr gcov-dir
         genhtml -q gcov-file --output-directory gcov-dir
         find . -name '*.gcda' -exec sudo rm '{}' +
@@ -35,7 +35,7 @@ generate() {
 
 
 gcov_init
-lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d  src/fcopy -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd  --output-file gcov-file-old
+lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
 
 #make test-utils
 #generate
diff --git a/linecnt.sh b/linecnt.sh
index 37b4f2a65..c30e175ba 100755
--- a/linecnt.sh
+++ b/linecnt.sh
@@ -26,6 +26,6 @@ gcov_init() {
 rm -fr gcov-dir
 gcov_init
 lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder \
-        -d  src/fcopy -d  src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
-        -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd  --output-file gcov-file
+        -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp \
+        -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file
 genhtml -q gcov-file --output-directory gcov-dir
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index f68edf380..ff411c807 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -5,7 +5,7 @@
 # http://bash-completion.alioth.debian.org
 #*******************************************************************
 
-__interfaces(){
+__interfaces() {
     cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs
 }
 
@@ -90,11 +90,11 @@ _firejail()
             _filedir
             return 0
             ;;
-         --net)
-                comps=$(__interfaces)
+        --net)
+            comps=$(__interfaces)
             COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
             return 0
-                ;;
+            ;;
     esac
 
     $split && return 0
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 019c3ac5a..a1847284c 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -182,12 +182,12 @@ static void var_callback(char *ptr) {
 void build_var(const char *fname, FILE *fp) {
         assert(fname);
 
-        var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/");
+        var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/");
         process_files(fname, "/var", var_callback);
 
         // always whitelist /var
         if (var_out)
-                filedb_print(var_out, "allow /var/", fp);
+                filedb_print(var_out, "whitelist /var/", fp);
         fprintf(fp, "include whitelist-var-common.inc\n");
 }
 
@@ -222,12 +222,12 @@ static void share_callback(char *ptr) {
 void build_share(const char *fname, FILE *fp) {
         assert(fname);
 
-        share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/");
+        share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/");
         process_files(fname, "/usr/share", share_callback);
 
         // always whitelist /usr/share
         if (share_out)
-                filedb_print(share_out, "allow /usr/share/", fp);
+                filedb_print(share_out, "whitelist /usr/share/", fp);
         fprintf(fp, "include whitelist-usr-share-common.inc\n");
 }
 
@@ -236,9 +236,6 @@ void build_share(const char *fname, FILE *fp) {
 //*******************************************
 static FileDB *tmp_out = NULL;
 static void tmp_callback(char *ptr) {
-        // skip strace file
-        if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
-                return;
         if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
                 return;
         if (strcmp(ptr, "/tmp") == 0)
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index c85474779..0fe0ffef6 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -140,7 +140,7 @@ void build_home(const char *fname, FILE *fp) {
         assert(fname);
 
         // load whitelist common
-        db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/");
+        db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/");
 
         // find user home directory
         struct passwd *pw = getpwuid(getuid());
@@ -168,7 +168,7 @@ void build_home(const char *fname, FILE *fp) {
 
         // print the out list if any
         if (db_out) {
-                filedb_print(db_out, "allow ${HOME}/", fp);
+                filedb_print(db_out, "whitelist ${HOME}/", fp);
                 fprintf(fp, "include whitelist-common.inc\n");
         }
         else
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 0b9a99739..c945d7253 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -92,7 +92,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
         if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
                 if (fp == stdout)
-                        printf("--- Built profile beings after this line ---\n");
+                        printf("--- Built profile begins after this line ---\n");
                 fprintf(fp, "# Save this file as \"application.profile\" (change \"application\" with the\n");
                 fprintf(fp, "# program name) in ~/.config/firejail directory. Firejail will find it\n");
                 fprintf(fp, "# automatically every time you sandbox your application.\n#\n");
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 31810de9a..f279af89f 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -88,7 +88,8 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
                 if (arg_debug)
                         printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
-                setfilecon_raw(procfs_path, fcon);
+                if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
+                        printf("Cannot relabel %s: %s\n", path, strerror(errno));
         }
         freecon(fcon);
  close:
diff --git a/src/fids/fids.h b/src/fids/fids.h
index a2e2886fe..eaf2bbd29 100644
--- a/src/fids/fids.h
+++ b/src/fids/fids.h
@@ -48,4 +48,4 @@ int db_exclude_check(const char *fname);
 //#define KEY_SIZE 512
 int blake2b(void *out, size_t outlen, const void *in, size_t inlen);
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 698630180..0f4c1b18b 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,7 +1,6 @@
 # /usr/lib/firejail/firecfg.config - firecfg utility configuration file
 # This is the list of programs in alphabetical order handled by firecfg utility
 #
-#qemu-system-x86_64
 0ad
 2048-qt
 Books
@@ -139,8 +138,8 @@ clamdscan
 clamdtop
 clamscan
 clamtk
-claws-mail
 clawsker
+claws-mail
 clementine
 clion
 clion-eap
@@ -151,6 +150,7 @@ clocks
 cmus
 code
 code-oss
+codium
 cola
 colorful
 com.github.bleakgrey.tootle
@@ -169,7 +169,6 @@ crow
 cryptocat
 cvlc
 cyberfox
-d-feet
 darktable
 dconf-editor
 ddgr
@@ -179,6 +178,7 @@ deluge
 desktopeditors
 devhelp
 dex2jar
+d-feet
 dia
 dig
 digikam
@@ -255,8 +255,8 @@ flacsplt
 flameshot
 flashpeak-slimjet
 flowblade
-font-manager
 fontforge
+font-manager
 fossamail
 four-in-a-row
 fractal
@@ -348,6 +348,7 @@ gnome-weather
 gnote
 gnubik
 godot
+goldendict
 goobox
 google-chrome
 google-chrome-beta
@@ -364,11 +365,11 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 gtk-pipe-viewer
 gtk-straw-viewer
 gtk-youtube-viewer
-gtk2-youtube-viewer
-gtk3-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -389,11 +390,12 @@ icecat
 icedove
 iceweasel
 idea
-idea.sh
 ideaIC
+idea.sh
 imagej
 img2txt
 impressive
+imv
 inkscape
 inkview
 inox
@@ -530,6 +532,7 @@ mp3wrap
 mpDris2
 mpg123
 mpg123-alsa
+mpg123.bin
 mpg123-id3dump
 mpg123-jack
 mpg123-nas
@@ -538,7 +541,6 @@ mpg123-oss
 mpg123-portaudio
 mpg123-pulse
 mpg123-strip
-mpg123.bin
 mplayer
 mpsyt
 mpv
@@ -603,11 +605,11 @@ onboard
 onionshare-gui
 ooffice
 ooviewdoc
-open-invaders
 openarena
 openarena_ded
 opencity
 openclonk
+open-invaders
 openmw
 openmw-launcher
 openoffice.org
@@ -666,6 +668,7 @@ pybitmessage
 qbittorrent
 qcomicbook
 qemu-launcher
+#qemu-system-x86_64
 qgis
 qlipper
 qmmp
@@ -685,6 +688,7 @@ rednotebook
 redshift
 regextester
 remmina
+retroarch
 rhythmbox
 rhythmbox-client
 ricochet
@@ -728,8 +732,8 @@ smuxi-frontend-gnome
 snox
 soffice
 sol
-sound-juicer
 soundconverter
+sound-juicer
 spectacle
 spectral
 spotify
@@ -742,8 +746,8 @@ steam
 steam-native
 steam-runtime
 stellarium
-straw-viewer
 strawberry
+straw-viewer
 strings
 studio.sh
 subdownloader
@@ -771,6 +775,7 @@ thunderbird-beta
 thunderbird-wayland
 tilp
 tor-browser
+torbrowser
 tor-browser-ar
 tor-browser-ca
 tor-browser-cs
@@ -792,6 +797,7 @@ tor-browser-it
 tor-browser-ja
 tor-browser-ka
 tor-browser-ko
+torbrowser-launcher
 tor-browser-nb
 tor-browser-nl
 tor-browser-pl
@@ -802,7 +808,6 @@ tor-browser-tr
 tor-browser-vi
 tor-browser-zh-cn
 tor-browser-zh-tw
-torbrowser-launcher
 torcs
 totem
 tracker
@@ -908,8 +913,8 @@ yelp
 youtube
 youtube-dl
 youtube-dl-gui
-youtube-viewer
 youtubemusic-nativefier
+youtube-viewer
 yt-dlp
 ytmdesktop
 zaproxy
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index e7ffbca36..38b3c32d3 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -18,7 +18,8 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
-#include <sys/stat.h>
+#include <sys/wait.h>
+#include <errno.h>
 
 #define MAXBUF 4096
 
@@ -68,52 +69,60 @@ errout:
                 fclose(fp);
 }
 
+static int is_cgroup_path(const char *fname) {
+        // path starts with /sys/fs/cgroup
+        if (strncmp(fname, "/sys/fs/cgroup", 14) != 0)
+                return 0;
 
-void set_cgroup(const char *path) {
-        EUID_ASSERT();
+        // no .. traversal
+        char *ptr = strstr(fname, "..");
+        if (ptr)
+                return 0;
 
-        invalid_filename(path, 0); // no globbing
+        return 1;
+}
 
-        // path starts with /sys/fs/cgroup
-        if (strncmp(path, "/sys/fs/cgroup", 14) != 0)
-                goto errout;
+void check_cgroup_file(const char *fname) {
+        assert(fname);
+        invalid_filename(fname, 0); // no globbing
 
-        // path ends in tasks
-        char *ptr = strstr(path, "tasks");
-        if (!ptr)
-                goto errout;
-        if (*(ptr + 5) != '\0')
+        if (!is_cgroup_path(fname))
                 goto errout;
 
-        // no .. traversal
-        ptr = strstr(path, "..");
-        if (ptr)
+        const char *base = gnu_basename(fname);
+        if (strcmp(base, "tasks") != 0 &&  // cgroup v1
+            strcmp(base, "cgroup.procs") != 0)
                 goto errout;
 
-        // tasks file exists
-        FILE *fp = fopen(path, "ae");
-        if (!fp)
-                goto errout;
-        // task file belongs to the user running the sandbox
-        int fd = fileno(fp);
-        if (fd == -1)
-                errExit("fileno");
-        struct stat s;
-        if (fstat(fd, &s) == -1)
-                errExit("fstat");
-        if (s.st_uid != getuid() && s.st_gid != getgid())
-                goto errout2;
-        // add the task to cgroup
-        pid_t pid = getpid();
-        int rv = fprintf(fp, "%d\n", pid);
-        (void) rv;
-        fclose(fp);
-        return;
+        if (access(fname, W_OK) == 0)
+                return;
 
 errout:
         fprintf(stderr, "Error: invalid cgroup\n");
         exit(1);
-errout2:
-        fprintf(stderr, "Error: you don't have permissions to use this control group\n");
-        exit(1);
+}
+
+static void do_set_cgroup(const char *fname, pid_t pid) {
+        FILE *fp = fopen(fname, "ae");
+        if (!fp) {
+                fwarning("cannot open %s for writing: %s\n", fname, strerror(errno));
+                return;
+        }
+
+        int rv = fprintf(fp, "%d\n", pid);
+        (void) rv;
+        fclose(fp);
+}
+
+void set_cgroup(const char *fname, pid_t pid) {
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                drop_privs(0);
+
+                do_set_cgroup(fname, pid);
+                _exit(0);
+        }
+        waitpid(child, NULL, 0);
 }
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 06e6f0ccb..e5d837bbb 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -58,6 +58,7 @@ int checkcfg(int val) {
                 cfg_val[CFG_XPRA_ATTACH] = 0;
                 cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
                 cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
+                cfg_val[CFG_ALLOW_TRAY] = 0;
 
                 // open configuration file
                 const char *fname = SYSCONFDIR "/firejail.config";
@@ -122,6 +123,7 @@ int checkcfg(int val) {
                         PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
                         PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
                         PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
+                        PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
 #undef PARSE_YESNO
 
                         // netfilter
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 37ec22117..9425638ea 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -86,7 +86,7 @@ static void update_file(int parentfd, const char *relpath) {
         if (arg_debug)
                 printf("Updating chroot /%s\n", relpath);
         unlinkat(parentfd, relpath, 0);
-        int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int out = openat(parentfd, relpath, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (out == -1) {
                 close(in);
                 goto errout;
diff --git a/src/firejail/env.c b/src/firejail/env.c
index f5e9dd980..4c0d729a1 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <dirent.h>
+#include <limits.h>
 
 typedef struct env_t {
         struct env_t *next;
@@ -262,7 +263,7 @@ static const char * const env_whitelist[] = {
         "LANG",
         "LANGUAGE",
         "LC_MESSAGES",
-        "PATH",
+        // "PATH",
         "DISPLAY"       // required by X11
 };
 
@@ -311,6 +312,10 @@ void env_apply_whitelist(void) {
                 errExit("clearenv");
 
         env_apply_list(env_whitelist, ARRAY_SIZE(env_whitelist));
+
+        // hardcoding PATH
+        if (setenv("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin", 1) < 0)
+                errExit("setenv");
 }
 
 // Filter env variables for a sbox app
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2a7d88575..ec789cd63 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
 #include "../include/rundefs.h"
+#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
 #include <stdarg.h>
 #include <sys/stat.h>
 
@@ -433,13 +434,15 @@ void fs_proc_sys_dev_boot(void);
 void disable_config(void);
 // build a basic read-only filesystem
 void fs_basic_fs(void);
-// mount overlayfs on top of / directory
-char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
-void fs_overlayfs(void);
 void fs_private_tmp(void);
 void fs_private_cache(void);
 void fs_mnt(const int enforce);
 
+// fs_overlayfs.c
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse);
+void fs_overlayfs(void);
+int remove_overlay_directory(void);
+
 // chroot.c
 // chroot into an existing directory; mount existing /dev and update /etc/resolv.conf
 void fs_check_chroot_dir(void);
@@ -516,6 +519,7 @@ void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 char *realpath_as_user(const char *fname);
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz);
 int stat_as_user(const char *fname, struct stat *s);
 int lstat_as_user(const char *fname, struct stat *s);
 void trim_trailing_slash_or_dot(char *path);
@@ -529,8 +533,7 @@ void update_map(char *mapping, char *map_file);
 void wait_for_other(int fd);
 void notify_other(int fd);
 uid_t pid_get_uid(pid_t pid);
-uid_t get_group_id(const char *group);
-int remove_overlay_directory(void);
+gid_t get_group_id(const char *groupname);
 void flush_stdin(void);
 int create_empty_dir_as_user(const char *dir, mode_t mode);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
@@ -563,8 +566,8 @@ typedef struct {
 
 // mountinfo.c
 MountData *get_last_mount(void);
-int get_mount_id(const char *path);
-char **build_mount_array(const int mount_id, const char *path);
+int get_mount_id(int fd);
+char **build_mount_array(const int mountid, const char *path);
 
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
@@ -621,7 +624,8 @@ void caps_print_filter(pid_t pid) __attribute__((noreturn));
 void caps_drop_dac_override(void);
 
 // fs_trace.c
-void fs_trace_preload(void);
+void fs_trace_touch_preload(void);
+void fs_trace_touch_or_store_preload(void);
 void fs_tracefile(void);
 void fs_trace(void);
 
@@ -644,7 +648,8 @@ void cpu_print_filter(pid_t pid) __attribute__((noreturn));
 // cgroup.c
 void save_cgroup(void);
 void load_cgroup(const char *fname);
-void set_cgroup(const char *path);
+void check_cgroup_file(const char *fname);
+void set_cgroup(const char *fname, pid_t pid);
 
 // output.c
 void check_output(int argc, char **argv);
@@ -704,6 +709,8 @@ void pulseaudio_disable(void);
 void fs_private_bin_list(void);
 
 // fs_lib.c
+int is_firejail_link(const char *fname);
+char *find_in_path(const char *program);
 void fs_private_lib(void);
 
 // protocol.c
@@ -801,6 +808,7 @@ enum {
         CFG_NAME_CHANGE,
         CFG_SECCOMP_ERROR_ACTION,
         // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
+        CFG_ALLOW_TRAY,
         CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5ac2da164..9c1b889ed 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -20,10 +20,7 @@
 #include "firejail.h"
 #include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
-#include <sys/stat.h>
 #include <sys/statvfs.h>
-#include <sys/wait.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
@@ -35,7 +32,7 @@
 #endif
 
 #define MAX_BUF 4096
-#define EMPTY_STRING ("")
+
 // check noblacklist statements not matched by a proper blacklist in disable-*.inc files
 //#define TEST_NO_BLACKLIST_MATCHING
 
@@ -108,7 +105,7 @@ static void disable_file(OPERATION op, const char *filename) {
         }
 
         // check for firejail executable
-        // we migth have a file found in ${PATH} pointing to /usr/bin/firejail
+        // we might have a file found in ${PATH} pointing to /usr/bin/firejail
         // blacklisting it here will end up breaking situations like user clicks on a link in Thunderbird
         //     and expects Firefox to open in the same sandbox
         if (strcmp(BINDIR "/firejail", fname) == 0) {
@@ -200,8 +197,6 @@ static void disable_file(OPERATION op, const char *filename) {
                 }
 
                 fs_tmpfs(fname, uid);
-                EUID_USER(); // fs_tmpfs returns with EUID 0
-
                 selinux_relabel_path(fname, fname);
         }
         else
@@ -282,6 +277,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 
 // blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
+        EUID_ASSERT();
+
         ProfileEntry *entry = cfg.profile;
         if (!entry)
                 return;
@@ -293,7 +290,6 @@ void fs_blacklist(void) {
         if (noblacklist == NULL)
                 errExit("failed allocating memory for noblacklist entries");
 
-        EUID_USER();
         while (entry) {
                 OPERATION op = OPERATION_MAX;
                 char *ptr;
@@ -469,8 +465,6 @@ void fs_blacklist(void) {
         for (i = 0; i < noblacklist_c; i++)
                 free(noblacklist[i]);
         free(noblacklist);
-
-        EUID_ROOT();
 }
 
 //***********************************************
@@ -479,7 +473,7 @@ void fs_blacklist(void) {
 
 // mount a writable tmpfs on directory; requires a resolved path
 void fs_tmpfs(const char *dir, unsigned check_owner) {
-        EUID_USER();
+        EUID_ASSERT();
         assert(dir);
         if (arg_debug)
                 printf("Mounting tmpfs on %s, check owner: %s\n", dir, (check_owner)? "yes": "no");
@@ -504,12 +498,13 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
                 errExit("fstatvfs");
         unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
         // mount via the symbolic link in /proc/self/fd
-        EUID_ROOT();
         char *proc;
         if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                 errExit("asprintf");
+        EUID_ROOT();
         if (mount("tmpfs", proc, "tmpfs", flags|MS_NOSUID|MS_NODEV, options) < 0)
                 errExit("mounting tmpfs");
+        EUID_USER();
         // check the last mount operation
         MountData *mdata = get_last_mount();
         if (strcmp(mdata->fstype, "tmpfs") != 0 || strcmp(mdata->dir, dir) != 0)
@@ -635,40 +630,37 @@ out:
 }
 
 // remount recursively; requires a resolved path
-static void fs_remount_rec(const char *dir, OPERATION op) {
+static void fs_remount_rec(const char *path, OPERATION op) {
         EUID_ASSERT();
-        assert(dir);
+        assert(op < OPERATION_MAX);
+        assert(path);
 
-        struct stat s;
-        if (stat(dir, &s) != 0)
-                return;
-        if (!S_ISDIR(s.st_mode)) {
-                // no need to search in /proc/self/mountinfo for submounts if not a directory
-                fs_remount_simple(dir, op);
+        // no need to search /proc/self/mountinfo for submounts if not a directory
+        int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        if (fd < 0) {
+                fs_remount_simple(path, op);
                 return;
         }
-        // get mount point of the directory
-        int mountid = get_mount_id(dir);
-        if (mountid == -1)
-                return;
-        if (mountid == -2) {
-                // falling back to a simple remount on old kernels
-                static int mount_warning = 0;
-                if (!mount_warning) {
-                        fwarning("read-only, read-write and noexec options are not applied recursively\n");
-                        mount_warning = 1;
-                }
-                fs_remount_simple(dir, op);
+
+        // get mount id of the directory
+        int mountid = get_mount_id(fd);
+        close(fd);
+        if (mountid < 0) {
+                // falling back to a simple remount
+                fwarning("%s %s not applied recursively\n", opstr[op], path);
+                fs_remount_simple(path, op);
                 return;
         }
+
         // build array with all mount points that need to get remounted
-        char **arr = build_mount_array(mountid, dir);
-        assert(arr);
+        char **arr = build_mount_array(mountid, path);
+        if (!arr)
+                return;
         // remount
-        char **tmp = arr;
-        while (*tmp) {
-                fs_remount_simple(*tmp, op);
-                free(*tmp++);
+        int i;
+        for (i = 0; arr[i]; i++) {
+                fs_remount_simple(arr[i], op);
+                free(arr[i]);
         }
         free(arr);
 }
@@ -903,367 +895,6 @@ void fs_basic_fs(void) {
 }
 
 
-
-#ifdef HAVE_OVERLAYFS
-char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
-        assert(subdirname);
-        EUID_ASSERT();
-        struct stat s;
-        char *dirname;
-
-        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
-                errExit("asprintf");
-        // check if ~/.firejail already exists
-        if (lstat(dirname, &s) == 0) {
-                if (!S_ISDIR(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode))
-                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
-                        else
-                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
-                        exit(1);
-                }
-                if (s.st_uid != getuid()) {
-                        fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
-                        exit(1);
-                }
-        }
-        else {
-                // create ~/.firejail directory
-                create_empty_dir_as_user(dirname, 0700);
-                if (stat(dirname, &s) == -1) {
-                        fprintf(stderr, "Error: cannot create directory %s\n", dirname);
-                        exit(1);
-                }
-        }
-        free(dirname);
-
-        // check overlay directory
-        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
-                errExit("asprintf");
-        if (lstat(dirname, &s) == 0) {
-                if (!S_ISDIR(s.st_mode)) {
-                        if (S_ISLNK(s.st_mode))
-                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
-                        else
-                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
-                        exit(1);
-                }
-                if (s.st_uid != 0) {
-                        fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
-                        exit(1);
-                }
-                if (allow_reuse == 0) {
-                        fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
-                        exit(1);
-                }
-        }
-
-        return dirname;
-}
-
-
-
-// mount overlayfs on top of / directory
-// mounting an overlay and chrooting into it:
-//
-// Old Ubuntu kernel
-// # cd ~
-// # mkdir -p overlay/root
-// # mkdir -p overlay/diff
-// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
-// # chroot /root/overlay/root
-// to shutdown, first exit the chroot and then  unmount the overlay
-// # exit
-// # umount /root/overlay/root
-//
-// Kernels 3.18+
-// # cd ~
-// # mkdir -p overlay/root
-// # mkdir -p overlay/diff
-// # mkdir -p overlay/work
-// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
-// # cat /etc/mtab | grep overlay
-// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
-// # chroot /root/overlay/root
-// to shutdown, first exit the chroot and then  unmount the overlay
-// # exit
-// # umount /root/overlay/root
-
-
-// to do: fix the code below; also, it might work without /dev, but consider keeping /dev/shm; add locking mechanism for overlay-clean
-#include <sys/utsname.h>
-void fs_overlayfs(void) {
-        struct stat s;
-
-        // check kernel version
-        struct utsname u;
-        int rv = uname(&u);
-        if (rv != 0)
-                errExit("uname");
-        int major;
-        int minor;
-        if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
-                fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
-                exit(1);
-        }
-
-        if (arg_debug)
-                printf("Linux kernel version %d.%d\n", major, minor);
-        int oldkernel = 0;
-        if (major < 3) {
-                fprintf(stderr, "Error: minimum kernel version required 3.x\n");
-                exit(1);
-        }
-        if (major == 3 && minor < 18)
-                oldkernel = 1;
-
-        // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
-        // we disable overlayfs for now, pending fixing
-        if (major >= 4 &&minor >= 19) {
-                fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
-                exit(1);
-        }
-
-        char *oroot = RUN_OVERLAY_ROOT;
-        mkdir_attr(oroot, 0755, 0, 0);
-
-        // set base for working and diff directories
-        char *basedir = RUN_MNT_DIR;
-        int basefd = -1;
-
-        if (arg_overlay_keep) {
-                basedir = cfg.overlay_dir;
-                assert(basedir);
-                // get a file descriptor for ~/.firejail, fails if there is any symlink
-                char *firejail;
-                if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
-                        errExit("asprintf");
-                int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                if (fd == -1)
-                        errExit("safer_openat");
-                free(firejail);
-                // create basedir if it doesn't exist
-                // the new directory will be owned by root
-                const char *dirname = gnu_basename(basedir);
-                if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
-                        perror("mkdir");
-                        fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
-                        exit(1);
-                }
-                // open basedir
-                basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-                close(fd);
-        }
-        else {
-                basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-        }
-        if (basefd == -1) {
-                perror("open");
-                fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
-                exit(1);
-        }
-
-        // confirm once more base is owned by root
-        if (fstat(basefd, &s) == -1)
-                errExit("fstat");
-        if (s.st_uid != 0) {
-                fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
-                exit(1);
-        }
-        // confirm permissions of base are 0755
-        if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
-                fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
-                exit(1);
-        }
-
-        // create diff and work directories inside base
-        // no need to check arg_overlay_reuse
-        char *odiff;
-        if (asprintf(&odiff, "%s/odiff", basedir) == -1)
-                errExit("asprintf");
-        // the new directory will be owned by root
-        if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
-                perror("mkdir");
-                fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
-                exit(1);
-        }
-        ASSERT_PERMS(odiff, 0, 0, 0755);
-
-        char *owork;
-        if (asprintf(&owork, "%s/owork", basedir) == -1)
-                errExit("asprintf");
-        // the new directory will be owned by root
-        if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
-                perror("mkdir");
-                fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
-                exit(1);
-        }
-        ASSERT_PERMS(owork, 0, 0, 0755);
-
-        // mount overlayfs
-        if (arg_debug)
-                printf("Mounting OverlayFS\n");
-        char *option;
-        if (oldkernel) { // old Ubuntu/OpenSUSE kernels
-                if (arg_overlay_keep) {
-                        fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
-                        exit(1);
-                }
-                if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
-                        errExit("asprintf");
-                if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
-                        errExit("mounting overlayfs");
-        }
-        else { // kernel 3.18 or newer
-                if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
-                        errExit("asprintf");
-                if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
-                        fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
-                        errExit("mounting overlayfs");
-                }
-
-                //***************************
-                // issue #263 start code
-                // My setup has a separate mount point for /home. When the overlay is mounted,
-                // the overlay does not contain the original /home contents.
-                // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
-                // @dshmgh, Jan 2016
-                {
-                        char *overlayhome;
-                        struct stat s;
-                        char *hroot;
-                        char *hdiff;
-                        char *hwork;
-
-                        // dons add debug
-                        if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s  odiff %s  owork %s\n",oroot,odiff,owork);
-
-                        // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
-                        // must create var for oroot/cfg.homedir
-                        if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
-                                errExit("asprintf");
-                        if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
-
-                        // if no homedir in overlay -- create another overlay for /home
-                        if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
-
-                                // no need to check arg_overlay_reuse
-                                if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
-                                        errExit("asprintf");
-                                // the new directory will be owned by root
-                                if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
-                                        perror("mkdir");
-                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
-                                        exit(1);
-                                }
-                                ASSERT_PERMS(hdiff, 0, 0, 0755);
-
-                                // no need to check arg_overlay_reuse
-                                if (asprintf(&hwork, "%s/hwork", basedir) == -1)
-                                        errExit("asprintf");
-                                // the new directory will be owned by root
-                                if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
-                                        perror("mkdir");
-                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
-                                        exit(1);
-                                }
-                                ASSERT_PERMS(hwork, 0, 0, 0755);
-
-                                // no homedir in overlay so now mount another overlay for /home
-                                if (asprintf(&hroot, "%s/home", oroot) == -1)
-                                        errExit("asprintf");
-                                if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
-                                        errExit("asprintf");
-                                if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
-                                        errExit("mounting overlayfs for mounted home directory");
-
-                                printf("OverlayFS for /home configured in %s directory\n", basedir);
-                                free(hroot);
-                                free(hdiff);
-                                free(hwork);
-
-                        } // stat(overlayhome)
-                        free(overlayhome);
-                }
-                // issue #263 end code
-                //***************************
-        }
-        fmessage("OverlayFS configured in %s directory\n", basedir);
-        close(basefd);
-
-        // /dev, /run and /tmp are not covered by the overlay
-        // mount-bind dev directory
-        if (arg_debug)
-                printf("Mounting /dev\n");
-        char *dev;
-        if (asprintf(&dev, "%s/dev", oroot) == -1)
-                errExit("asprintf");
-        if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mounting /dev");
-        fs_logger("whitelist /dev");
-
-        // mount-bind run directory
-        if (arg_debug)
-                printf("Mounting /run\n");
-        char *run;
-        if (asprintf(&run, "%s/run", oroot) == -1)
-                errExit("asprintf");
-        if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mounting /run");
-        fs_logger("whitelist /run");
-
-        // mount-bind tmp directory
-        if (arg_debug)
-                printf("Mounting /tmp\n");
-        char *tmp;
-        if (asprintf(&tmp, "%s/tmp", oroot) == -1)
-                errExit("asprintf");
-        if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mounting /tmp");
-        fs_logger("whitelist /tmp");
-
-        // chroot in the new filesystem
-        __gcov_flush();
-
-        if (chroot(oroot) == -1)
-                errExit("chroot");
-
-        // mount a new proc filesystem
-        if (arg_debug)
-                printf("Mounting /proc filesystem representing the PID namespace\n");
-        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-                errExit("mounting /proc");
-
-        // update /var directory in order to support multiple sandboxes running on the same root directory
-//      if (!arg_private_dev)
-//              fs_dev_shm();
-        fs_var_lock();
-        if (!arg_keep_var_tmp)
-                fs_var_tmp();
-        if (!arg_writable_var_log)
-                fs_var_log();
-        fs_var_lib();
-        fs_var_cache();
-        fs_var_utmp();
-        fs_machineid();
-
-        // don't leak user information
-        restrict_users();
-
-        // when starting as root, firejail config is not disabled;
-        if (getuid() != 0)
-                disable_config();
-
-        // cleanup and exit
-        free(option);
-        free(odiff);
-        free(owork);
-        free(dev);
-        free(run);
-        free(tmp);
-}
-#endif
-
 // this function is called from sandbox.c before blacklist/whitelist functions
 void fs_private_tmp(void) {
         EUID_ASSERT();
@@ -1287,7 +918,6 @@ void fs_private_tmp(void) {
 
         // whitelist x11 directory
         profile_add("whitelist /tmp/.X11-unix");
-        // read-only x11 directory
         profile_add("read-only /tmp/.X11-unix");
 
         // whitelist sndio directory
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 61398f12b..4c9dac0c2 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -41,9 +41,9 @@ static char *paths[] = {
 
 // return 1 if found, 0 if not found
 static char *check_dir_or_file(const char *name) {
+        EUID_ASSERT();
         assert(name);
         struct stat s;
-        char *fname = NULL;
 
         int i = 0;
         while (paths[i]) {
@@ -54,50 +54,34 @@ static char *check_dir_or_file(const char *name) {
                 }
 
                 // check file
+                char *fname;
                 if (asprintf(&fname, "%s/%s", paths[i], name) == -1)
                         errExit("asprintf");
                 if (arg_debug)
                         printf("Checking %s/%s\n", paths[i], name);
-                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories
-                        // check symlink to firejail executable in /usr/local/bin
-                        if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) {
-                                /* coverity[toctou] */
-                                char *actual_path = realpath(fname, NULL);
-                                if (actual_path) {
-                                        char *ptr = strstr(actual_path, "/firejail");
-                                        if (ptr && strlen(ptr) == strlen("/firejail")) {
-                                                if (arg_debug)
-                                                        printf("firejail exec symlink detected\n");
-                                                free(actual_path);
-                                                free(fname);
-                                                fname = NULL;
-                                                i++;
-                                                continue;
-                                        }
-                                        free(actual_path);
-                                }
-
-                        }
+                if (stat(fname, &s) == 0 &&
+                    !S_ISDIR(s.st_mode) &&      // do not allow directories
+                    !is_firejail_link(fname)) { // skip symlinks to firejail executable, as created by firecfg
+                        free(fname);
                         break; // file found
                 }
 
                 free(fname);
-                fname = NULL;
                 i++;
         }
 
-        if (!fname) {
+        if (!paths[i]) {
                 if (arg_debug)
                         fwarning("file %s not found\n", name);
                 return NULL;
         }
 
-        free(fname);
         return paths[i];
 }
 
 // return 1 if the file is in paths[]
 static int valid_full_path_file(const char *name) {
+        EUID_ASSERT();
         assert(name);
 
         if (*name != '/')
@@ -149,6 +133,7 @@ static void report_duplication(const char *fname) {
 }
 
 static void duplicate(char *fname) {
+        EUID_ASSERT();
         assert(fname);
 
         if (*fname == '~' || strstr(fname, "..")) {
@@ -220,6 +205,7 @@ static void duplicate(char *fname) {
 }
 
 static void globbing(char *fname) {
+        EUID_ASSERT();
         assert(fname);
 
         // go directly to duplicate() if no globbing char is present - see man 7 glob
@@ -256,6 +242,9 @@ static void globbing(char *fname) {
                         // testing for GLOB_NOCHECK - no pattern matched returns the original pattern
                         if (strcmp(globbuf.gl_pathv[j], pattern) == 0)
                                 continue;
+                        // skip symlinks to firejail executable, as created by firecfg
+                        if (is_firejail_link(globbuf.gl_pathv[j]))
+                                continue;
 
                         duplicate(globbuf.gl_pathv[j]);
                 }
@@ -267,6 +256,7 @@ static void globbing(char *fname) {
 }
 
 void fs_private_bin_list(void) {
+        EUID_ASSERT();
         char *private_list = cfg.bin_private_keep;
         assert(private_list);
 
@@ -274,7 +264,9 @@ void fs_private_bin_list(void) {
         timetrace_start();
 
         // create /run/firejail/mnt/bin directory
+        EUID_ROOT();
         mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
+        EUID_USER();
 
         if (arg_debug)
                 printf("Copying files in the new bin directory\n");
@@ -293,9 +285,9 @@ void fs_private_bin_list(void) {
         while ((ptr = strtok(NULL, ",")) != NULL)
                 globbing(ptr);
         free(dlist);
-        fs_logger_print();
 
         // mount-bind
+        EUID_ROOT();
         int i = 0;
         while (paths[i]) {
                 struct stat s;
@@ -309,6 +301,9 @@ void fs_private_bin_list(void) {
                 }
                 i++;
         }
+        fs_logger_print();
+        EUID_USER();
+
         selinux_relabel_path(RUN_BIN_DIR, "/bin");
         fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end());
 }
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 8cc3ecc62..694d0a379 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -330,8 +329,10 @@ void fs_dev_disable_sound(void) {
         }
 
         // disable all jack sockets in /dev/shm
+        EUID_USER();
         glob_t globbuf;
         int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
+        EUID_ROOT();
         if (globerr)
                 return;
 
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 0ed476063..230e9186c 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -19,7 +19,6 @@
 */
 #include "firejail.h"
 #include <sys/mount.h>
-#include <linux/limits.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>
@@ -381,12 +380,14 @@ void fs_private(void) {
                 selinux_relabel_path("/home", "/home");
                 fs_logger("tmpfs /home");
         }
+        EUID_USER();
 
         if (u != 0) {
                 if (!arg_allusers && strncmp(homedir, "/home/", 6) == 0) {
                         // create new empty /home/user directory
                         if (arg_debug)
                                 printf("Create a new user directory\n");
+                        EUID_ROOT();
                         if (mkdir(homedir, S_IRWXU) == -1) {
                                 if (mkpath_as_root(homedir) == -1)
                                         errExit("mkpath");
@@ -395,7 +396,7 @@ void fs_private(void) {
                         }
                         if (chown(homedir, u, g) < 0)
                                 errExit("chown");
-
+                        EUID_USER();
                         fs_logger2("mkdir", homedir);
                         fs_logger2("tmpfs", homedir);
                 }
@@ -406,7 +407,6 @@ void fs_private(void) {
 
                 selinux_relabel_path(homedir, homedir);
         }
-        EUID_USER();
 
         skel(homedir);
         if (xflag)
@@ -564,12 +564,13 @@ void fs_private_home_list(void) {
         int xflag = store_xauthority();
         int aflag = store_asoundrc();
 
-        // create /run/firejail/mnt/home directory
         EUID_ROOT();
+        // create /run/firejail/mnt/home directory
         mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
         selinux_relabel_path(RUN_HOME_DIR, homedir);
 
-        fs_logger_print();      // save the current log
+        // save the current log
+        fs_logger_print();
         EUID_USER();
 
         // copy the list of files in the new home directory
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 1a9a78ceb..8b7e94f51 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -33,7 +32,7 @@ void fs_hostname(const char *hostname) {
                 if (arg_debug)
                         printf("Creating a new /etc/hostname file\n");
 
-                create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 
                 // bind-mount the file on top of /etc/hostname
                 if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -75,7 +74,7 @@ void fs_hostname(const char *hostname) {
                 }
                 fclose(fp1);
                 // mode and owner
-                SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+                SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
                 fclose(fp2);
 
                 // bind-mount the file on top of /etc/hostname
@@ -93,10 +92,6 @@ char *fs_check_hosts_file(const char *fname) {
         invalid_filename(fname, 0); // no globbing
         char *rv = expand_macros(fname);
 
-        // no a link
-        if (is_link(rv))
-                goto errexit;
-
         // the user has read access to the file
         if (access(rv, R_OK))
                 goto errexit;
@@ -119,9 +114,6 @@ void fs_mount_hosts_file(void) {
         struct stat s;
         if (stat("/etc/hosts", &s) == -1)
                 goto errexit;
-        // not a link
-        if (is_link("/etc/hosts"))
-                goto errexit;
         // owned by root
         if (s.st_uid != 0)
                 goto errexit;
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 9d7a17cf3..03af7f8fb 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -61,17 +61,31 @@ static int valid_full_path(const char *full_path) {
         return 0;
 }
 
+// return 1 if symlink to firejail executable
+int is_firejail_link(const char *fname) {
+        EUID_ASSERT();
+
+        if (!is_link(fname))
+                return 0;
+
+        char *rp = realpath(fname, NULL);
+        if (!rp)
+                return 0;
+
+        int rv = 0;
+        const char *base = gnu_basename(rp);
+        if (strcmp(base, "firejail") == 0)
+                rv = 1;
+
+        free(rp);
+        return rv;
+}
+
 char *find_in_path(const char *program) {
         EUID_ASSERT();
         if (arg_debug)
                 printf("Searching $PATH for %s\n", program);
 
-        char self[MAXBUF];
-        ssize_t len = readlink("/proc/self/exe", self, MAXBUF - 1);
-        if (len < 0)
-                errExit("readlink");
-        self[len] = '\0';
-
         const char *path = env_get("PATH");
         if (!path)
                 return NULL;
@@ -88,18 +102,12 @@ char *find_in_path(const char *program) {
                 if (arg_debug)
                         printf("trying #%s#\n", fname);
                 struct stat s;
-                if (stat(fname, &s) == 0) {
-                        // but skip links created by firecfg
-                        char *rp = realpath(fname, NULL);
-                        if (!rp)
-                                errExit("realpath");
-                        if (strcmp(self, rp) != 0) {
-                                free(rp);
-                                free(dup);
-                                return fname;
-                        }
-                        free(rp);
+                if (stat(fname, &s) == 0 &&
+                    !is_firejail_link(fname)) { // skip links created by firecfg
+                        free(dup);
+                        return fname;
                 }
+
                 free(fname);
                 tok = strtok(NULL, ":");
         }
@@ -195,6 +203,11 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
         assert(full_path);
         // if library/executable does not exist or the user does not have read access to it
         // print a warning and exit the function.
+        if (access(full_path, F_OK)) {
+                if (arg_debug || arg_debug_private_lib)
+                        printf("Cannot find %s, skipping...\n", full_path);
+                return;
+        }
         if (user && access(full_path, R_OK)) {
                 if (arg_debug || arg_debug_private_lib)
                         printf("Cannot read %s, skipping...\n", full_path);
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index c69bf7c98..a347b380c 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -143,7 +143,7 @@ static void fdir(void) {
                 NULL,
         };
 
-        // need to parse as root user, unprivileged users have no read permission on executables
+        // need to parse as root user, unprivileged users have no read permission on some of these binaries
         int i;
         for (i = 0; fbin[i]; i++)
                 fslib_mount_libs(fbin[i], 0);
@@ -153,7 +153,9 @@ void fslib_install_firejail(void) {
         timetrace_start();
         // bring in firejail executable libraries, in case we are redirected here
         // by a firejail symlink from /usr/local/bin/firejail
-        fslib_mount_libs(PATH_FIREJAIL, 1); // parse as user
+        // fldd might have no read permission on the firejail executable
+        // parse as root in order to support these setups
+        fslib_mount_libs(PATH_FIREJAIL, 0);
 
         // bring in firejail directory
         fdir();
diff --git a/src/firejail/fs_overlayfs.c b/src/firejail/fs_overlayfs.c
new file mode 100644
index 000000000..fe3761cb6
--- /dev/null
+++ b/src/firejail/fs_overlayfs.c
@@ -0,0 +1,470 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#ifdef HAVE_OVERLAYFS
+#include "firejail.h"
+#include "../include/gcov_wrapper.h"
+#include <sys/mount.h>
+#include <sys/wait.h>
+#include <ftw.h>
+#include <errno.h>
+
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
+
+char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
+        assert(subdirname);
+        EUID_ASSERT();
+        struct stat s;
+        char *dirname;
+
+        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+        // check if ~/.firejail already exists
+        if (lstat(dirname, &s) == 0) {
+                if (!S_ISDIR(s.st_mode)) {
+                        if (S_ISLNK(s.st_mode))
+                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+                        else
+                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
+                        exit(1);
+                }
+                if (s.st_uid != getuid()) {
+                        fprintf(stderr, "Error: %s is not owned by the current user\n", dirname);
+                        exit(1);
+                }
+        }
+        else {
+                // create ~/.firejail directory
+                create_empty_dir_as_user(dirname, 0700);
+                if (stat(dirname, &s) == -1) {
+                        fprintf(stderr, "Error: cannot create directory %s\n", dirname);
+                        exit(1);
+                }
+        }
+        free(dirname);
+
+        // check overlay directory
+        if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1)
+                errExit("asprintf");
+        if (lstat(dirname, &s) == 0) {
+                if (!S_ISDIR(s.st_mode)) {
+                        if (S_ISLNK(s.st_mode))
+                                fprintf(stderr, "Error: %s is a symbolic link\n", dirname);
+                        else
+                                fprintf(stderr, "Error: %s is not a directory\n", dirname);
+                        exit(1);
+                }
+                if (s.st_uid != 0) {
+                        fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", dirname);
+                        exit(1);
+                }
+                if (allow_reuse == 0) {
+                        fprintf(stderr, "Error: overlay directory exists, but reuse is not allowed\n");
+                        exit(1);
+                }
+        }
+
+        return dirname;
+}
+
+
+// mount overlayfs on top of / directory
+// mounting an overlay and chrooting into it:
+//
+// Old Ubuntu kernel
+// # cd ~
+// # mkdir -p overlay/root
+// # mkdir -p overlay/diff
+// # mount -t overlayfs -o lowerdir=/,upperdir=/root/overlay/diff overlayfs /root/overlay/root
+// # chroot /root/overlay/root
+// to shutdown, first exit the chroot and then  unmount the overlay
+// # exit
+// # umount /root/overlay/root
+//
+// Kernels 3.18+
+// # cd ~
+// # mkdir -p overlay/root
+// # mkdir -p overlay/diff
+// # mkdir -p overlay/work
+// # mount -t overlay -o lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work overlay /root/overlay/root
+// # cat /etc/mtab | grep overlay
+// /root/overlay /root/overlay/root overlay rw,relatime,lowerdir=/,upperdir=/root/overlay/diff,workdir=/root/overlay/work 0 0
+// # chroot /root/overlay/root
+// to shutdown, first exit the chroot and then  unmount the overlay
+// # exit
+// # umount /root/overlay/root
+
+// to do: fix the code below
+#include <sys/utsname.h>
+void fs_overlayfs(void) {
+        struct stat s;
+
+        // check kernel version
+        struct utsname u;
+        int rv = uname(&u);
+        if (rv != 0)
+                errExit("uname");
+        int major;
+        int minor;
+        if (2 != sscanf(u.release, "%d.%d", &major, &minor)) {
+                fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
+                exit(1);
+        }
+
+        if (arg_debug)
+                printf("Linux kernel version %d.%d\n", major, minor);
+        int oldkernel = 0;
+        if (major < 3) {
+                fprintf(stderr, "Error: minimum kernel version required 3.x\n");
+                exit(1);
+        }
+        if (major == 3 && minor < 18)
+                oldkernel = 1;
+
+        // mounting an overlayfs on top of / seems to be broken for kernels > 4.19
+        // we disable overlayfs for now, pending fixing
+        if (major >= 4 &&minor >= 19) {
+                fprintf(stderr, "Error: OverlayFS disabled for Linux kernels 4.19 and newer, pending fixing.\n");
+                exit(1);
+        }
+
+        char *oroot = RUN_OVERLAY_ROOT;
+        mkdir_attr(oroot, 0755, 0, 0);
+
+        // set base for working and diff directories
+        char *basedir = RUN_MNT_DIR;
+        int basefd = -1;
+
+        if (arg_overlay_keep) {
+                basedir = cfg.overlay_dir;
+                assert(basedir);
+                // get a file descriptor for ~/.firejail, fails if there is any symlink
+                char *firejail;
+                if (asprintf(&firejail, "%s/.firejail", cfg.homedir) == -1)
+                        errExit("asprintf");
+                int fd = safer_openat(-1, firejail, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                if (fd == -1)
+                        errExit("safer_openat");
+                free(firejail);
+                // create basedir if it doesn't exist
+                // the new directory will be owned by root
+                const char *dirname = gnu_basename(basedir);
+                if (mkdirat(fd, dirname, 0755) == -1 && errno != EEXIST) {
+                        perror("mkdir");
+                        fprintf(stderr, "Error: cannot create overlay directory %s\n", basedir);
+                        exit(1);
+                }
+                // open basedir
+                basefd = openat(fd, dirname, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+                close(fd);
+        }
+        else {
+                basefd = open(basedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        }
+        if (basefd == -1) {
+                perror("open");
+                fprintf(stderr, "Error: cannot open overlay directory %s\n", basedir);
+                exit(1);
+        }
+
+        // confirm once more base is owned by root
+        if (fstat(basefd, &s) == -1)
+                errExit("fstat");
+        if (s.st_uid != 0) {
+                fprintf(stderr, "Error: overlay directory %s is not owned by the root user\n", basedir);
+                exit(1);
+        }
+        // confirm permissions of base are 0755
+        if (((S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) & s.st_mode) != (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
+                fprintf(stderr, "Error: invalid permissions on overlay directory %s\n", basedir);
+                exit(1);
+        }
+
+        // create diff and work directories inside base
+        // no need to check arg_overlay_reuse
+        char *odiff;
+        if (asprintf(&odiff, "%s/odiff", basedir) == -1)
+                errExit("asprintf");
+        // the new directory will be owned by root
+        if (mkdirat(basefd, "odiff", 0755) == -1 && errno != EEXIST) {
+                perror("mkdir");
+                fprintf(stderr, "Error: cannot create overlay directory %s\n", odiff);
+                exit(1);
+        }
+        ASSERT_PERMS(odiff, 0, 0, 0755);
+
+        char *owork;
+        if (asprintf(&owork, "%s/owork", basedir) == -1)
+                errExit("asprintf");
+        // the new directory will be owned by root
+        if (mkdirat(basefd, "owork", 0755) == -1 && errno != EEXIST) {
+                perror("mkdir");
+                fprintf(stderr, "Error: cannot create overlay directory %s\n", owork);
+                exit(1);
+        }
+        ASSERT_PERMS(owork, 0, 0, 0755);
+
+        // mount overlayfs
+        if (arg_debug)
+                printf("Mounting OverlayFS\n");
+        char *option;
+        if (oldkernel) { // old Ubuntu/OpenSUSE kernels
+                if (arg_overlay_keep) {
+                        fprintf(stderr, "Error: option --overlay= not available for kernels older than 3.18\n");
+                        exit(1);
+                }
+                if (asprintf(&option, "lowerdir=/,upperdir=%s", odiff) == -1)
+                        errExit("asprintf");
+                if (mount("overlayfs", oroot, "overlayfs", MS_MGC_VAL, option) < 0)
+                        errExit("mounting overlayfs");
+        }
+        else { // kernel 3.18 or newer
+                if (asprintf(&option, "lowerdir=/,upperdir=%s,workdir=%s", odiff, owork) == -1)
+                        errExit("asprintf");
+                if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) {
+                        fprintf(stderr, "Debug: running on kernel version %d.%d\n", major, minor);
+                        errExit("mounting overlayfs");
+                }
+
+                //***************************
+                // issue #263 start code
+                // My setup has a separate mount point for /home. When the overlay is mounted,
+                // the overlay does not contain the original /home contents.
+                // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
+                // @dshmgh, Jan 2016
+                {
+                        char *overlayhome;
+                        struct stat s;
+                        char *hroot;
+                        char *hdiff;
+                        char *hwork;
+
+                        // dons add debug
+                        if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s  odiff %s  owork %s\n",oroot,odiff,owork);
+
+                        // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
+                        // must create var for oroot/cfg.homedir
+                        if (asprintf(&overlayhome, "%s%s", oroot, cfg.homedir) == -1)
+                                errExit("asprintf");
+                        if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n", overlayhome);
+
+                        // if no homedir in overlay -- create another overlay for /home
+                        if (stat(cfg.homedir, &s) == 0 && stat(overlayhome, &s) == -1) {
+
+                                // no need to check arg_overlay_reuse
+                                if (asprintf(&hdiff, "%s/hdiff", basedir) == -1)
+                                        errExit("asprintf");
+                                // the new directory will be owned by root
+                                if (mkdirat(basefd, "hdiff", 0755) == -1 && errno != EEXIST) {
+                                        perror("mkdir");
+                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hdiff);
+                                        exit(1);
+                                }
+                                ASSERT_PERMS(hdiff, 0, 0, 0755);
+
+                                // no need to check arg_overlay_reuse
+                                if (asprintf(&hwork, "%s/hwork", basedir) == -1)
+                                        errExit("asprintf");
+                                // the new directory will be owned by root
+                                if (mkdirat(basefd, "hwork", 0755) == -1 && errno != EEXIST) {
+                                        perror("mkdir");
+                                        fprintf(stderr, "Error: cannot create overlay directory %s\n", hwork);
+                                        exit(1);
+                                }
+                                ASSERT_PERMS(hwork, 0, 0, 0755);
+
+                                // no homedir in overlay so now mount another overlay for /home
+                                if (asprintf(&hroot, "%s/home", oroot) == -1)
+                                        errExit("asprintf");
+                                if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
+                                        errExit("asprintf");
+                                if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
+                                        errExit("mounting overlayfs for mounted home directory");
+
+                                printf("OverlayFS for /home configured in %s directory\n", basedir);
+                                free(hroot);
+                                free(hdiff);
+                                free(hwork);
+
+                        } // stat(overlayhome)
+                        free(overlayhome);
+                }
+                // issue #263 end code
+                //***************************
+        }
+        fmessage("OverlayFS configured in %s directory\n", basedir);
+        close(basefd);
+
+        // /dev, /run and /tmp are not covered by the overlay
+        // mount-bind dev directory
+        if (arg_debug)
+                printf("Mounting /dev\n");
+        char *dev;
+        if (asprintf(&dev, "%s/dev", oroot) == -1)
+                errExit("asprintf");
+        if (mount("/dev", dev, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /dev");
+        fs_logger("whitelist /dev");
+
+        // mount-bind run directory
+        if (arg_debug)
+                printf("Mounting /run\n");
+        char *run;
+        if (asprintf(&run, "%s/run", oroot) == -1)
+                errExit("asprintf");
+        if (mount("/run", run, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /run");
+        fs_logger("whitelist /run");
+
+        // mount-bind tmp directory
+        if (arg_debug)
+                printf("Mounting /tmp\n");
+        char *tmp;
+        if (asprintf(&tmp, "%s/tmp", oroot) == -1)
+                errExit("asprintf");
+        if (mount("/tmp", tmp, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mounting /tmp");
+        fs_logger("whitelist /tmp");
+
+        // chroot in the new filesystem
+        __gcov_flush();
+
+        if (chroot(oroot) == -1)
+                errExit("chroot");
+
+        // mount a new proc filesystem
+        if (arg_debug)
+                printf("Mounting /proc filesystem representing the PID namespace\n");
+        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+                errExit("mounting /proc");
+
+        // update /var directory in order to support multiple sandboxes running on the same root directory
+//      if (!arg_private_dev)
+//              fs_dev_shm();
+        fs_var_lock();
+        if (!arg_keep_var_tmp)
+                fs_var_tmp();
+        if (!arg_writable_var_log)
+                fs_var_log();
+        fs_var_lib();
+        fs_var_cache();
+        fs_var_utmp();
+        fs_machineid();
+
+        // don't leak user information
+        restrict_users();
+
+        // when starting as root, firejail config is not disabled;
+        if (getuid() != 0)
+                disable_config();
+
+        // cleanup and exit
+        free(option);
+        free(odiff);
+        free(owork);
+        free(dev);
+        free(run);
+        free(tmp);
+}
+
+
+static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
+        (void) sb;
+        (void) typeflag;
+        (void) ftwbuf;
+        assert(fpath);
+
+        if (strcmp(fpath, ".") == 0)    // rmdir would fail with EINVAL
+                return 0;
+
+        if (remove(fpath)) {    // removes the link not the actual file
+                fprintf(stderr, "Error: cannot remove file: %s\n", strerror(errno));
+                exit(1);
+        }
+
+        return 0;
+}
+
+int remove_overlay_directory(void) {
+        EUID_ASSERT();
+        sleep(1);
+
+        char *path;
+        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
+                errExit("asprintf");
+
+        if (access(path, F_OK) == 0) {
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // open ~/.firejail
+                        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
+                        if (fd == -1) {
+                                fprintf(stderr, "Error: cannot open %s\n", path);
+                                exit(1);
+                        }
+                        struct stat s;
+                        if (fstat(fd, &s) == -1)
+                                errExit("fstat");
+                        if (!S_ISDIR(s.st_mode)) {
+                                if (S_ISLNK(s.st_mode))
+                                        fprintf(stderr, "Error: %s is a symbolic link\n", path);
+                                else
+                                        fprintf(stderr, "Error: %s is not a directory\n", path);
+                                exit(1);
+                        }
+                        if (s.st_uid != getuid()) {
+                                fprintf(stderr, "Error: %s is not owned by the current user\n", path);
+                                exit(1);
+                        }
+                        // chdir to ~/.firejail
+                        if (fchdir(fd) == -1)
+                                errExit("fchdir");
+                        close(fd);
+
+                        EUID_ROOT();
+                        // FTW_PHYS - do not follow symbolic links
+                        if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
+                                errExit("nftw");
+
+                        EUID_USER();
+                        // remove ~/.firejail
+                        if (rmdir(path) == -1)
+                                errExit("rmdir");
+
+                        __gcov_flush();
+
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+                // check if ~/.firejail was deleted
+                if (access(path, F_OK) == 0)
+                        return 1;
+        }
+        return 0;
+}
+
+#endif // HAVE_OVERLAYFS
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 475a391ec..17a7b3d23 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -20,25 +20,31 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
 #include <pwd.h>
 
-void fs_trace_preload(void) {
+// create an empty /etc/ld.so.preload
+void fs_trace_touch_preload(void) {
+        create_empty_file_as_root("/etc/ld.so.preload", S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+}
+
+void fs_trace_touch_or_store_preload(void) {
         struct stat s;
 
-        // create an empty /etc/ld.so.preload
-        if (stat("/etc/ld.so.preload", &s)) {
-                if (arg_debug)
-                        printf("Creating an empty /etc/ld.so.preload file\n");
-                FILE *fp = fopen("/etc/ld.so.preload", "wxe");
-                if (!fp)
-                        errExit("fopen");
-                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-                fclose(fp);
-                fs_logger("touch /etc/ld.so.preload");
+        if (stat("/etc/ld.so.preload", &s) != 0) {
+                fs_trace_touch_preload();
+                return;
+        }
+
+        if (s.st_size == 0)
+                return;
+
+        // create a copy of /etc/ld.so.preload
+        if (copy_file("/etc/ld.so.preload", RUN_LDPRELOAD_FILE, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) {
+                fprintf(stderr, "Error: cannot copy /etc/ld.so.preload file\n");
+                exit(1);
         }
 }
 
@@ -47,7 +53,7 @@ void fs_tracefile(void) {
         if (arg_debug)
                 printf("Creating an empty trace log file: %s\n", arg_tracefile);
         EUID_USER();
-        int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int fd = open(arg_tracefile, O_CREAT|O_WRONLY|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (fd == -1) {
                 perror("open");
                 fprintf(stderr, "Error: cannot open trace log file %s for writing\n", arg_tracefile);
@@ -83,7 +89,7 @@ void fs_trace(void) {
         if (arg_debug)
                 printf("Create the new ld.so.preload file\n");
 
-        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "we");
+        FILE *fp = fopen(RUN_LDPRELOAD_FILE, "ae");
         if (!fp)
                 errExit("fopen");
         const char *prefix = RUN_FIREJAIL_LIB_DIR;
@@ -100,7 +106,7 @@ void fs_trace(void) {
                 fmessage("Post-exec seccomp protector enabled\n");
         }
 
-        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         fclose(fp);
 
         // mount the new preload file
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 20e262d80..e19d0df96 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <glob.h>
 #include <dirent.h>
 #include <fcntl.h>
@@ -129,7 +128,7 @@ void fs_var_log(void) {
                 /* coverity[toctou] */
                 FILE *fp = fopen("/var/log/wtmp", "wxe");
                 if (fp) {
-                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
                         fclose(fp);
                 }
                 fs_logger("touch /var/log/wtmp");
@@ -137,7 +136,7 @@ void fs_var_log(void) {
                 // create an empty /var/log/btmp file
                 fp = fopen("/var/log/btmp", "wxe");
                 if (fp) {
-                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
+                        SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
                         fclose(fp);
                 }
                 fs_logger("touch /var/log/btmp");
@@ -314,7 +313,7 @@ void fs_var_utmp(void) {
         // save new utmp file
         int rv = fwrite(&u_boot, sizeof(u_boot), 1, fp);
         (void) rv;
-        SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
+        SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
         fclose(fp);
 
         // mount the new utmp file
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 943f275de..7afebed1f 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -105,6 +105,7 @@ static int whitelist_mkpath(const char* path, mode_t mode) {
 }
 
 static void whitelist_file(int dirfd, const char *relpath, const char *path) {
+        EUID_ASSERT();
         assert(relpath && path);
 
         // open mount source, using a file descriptor that refers to the
@@ -130,12 +131,9 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
         }
 
         // create mount target as root, except if inside home or run/user/$UID directory
-        int userprivs = 0;
-        if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') ||
-            (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) {
-                EUID_USER();
-                userprivs = 1;
-        }
+        if ((strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') &&
+            (strncmp(path, runuser, runuser_len) != 0 || path[runuser_len] != '/'))
+                EUID_ROOT();
 
         // create path of the mount target
         int fd2 = whitelist_mkpath(path, 0755);
@@ -146,8 +144,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
                 if (arg_debug || arg_debug_whitelists)
                         printf("Debug %d: skip whitelist %s\n", __LINE__, path);
                 close(fd);
-                if (userprivs)
-                        EUID_ROOT();
+                EUID_USER();
                 return;
         }
 
@@ -166,8 +163,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
                         }
                         close(fd);
                         close(fd2);
-                        if (userprivs)
-                                EUID_ROOT();
+                        EUID_USER();
                         return;
                 }
                 fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
@@ -184,19 +180,17 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
                 }
                 close(fd);
                 close(fd2);
-                if (userprivs)
-                        EUID_ROOT();
+                EUID_USER();
                 return;
         }
-
         close(fd2);
-        if (userprivs)
-                EUID_ROOT();
 
         if (arg_debug || arg_debug_whitelists)
                 printf("Whitelisting %s\n", path);
+        EUID_ROOT();
         if (bind_mount_by_fd(fd, fd3))
                 errExit("mount bind");
+        EUID_USER();
         // check the last mount operation
         MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
 #ifdef TEST_MOUNTINFO
@@ -219,22 +213,19 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) {
 }
 
 static void whitelist_symlink(const char *link, const char *target) {
+        EUID_ASSERT();
         assert(link && target);
 
         // create files as root, except if inside home or run/user/$UID directory
-        int userprivs = 0;
-        if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') ||
-            (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) {
-                EUID_USER();
-                userprivs = 1;
-        }
+        if ((strncmp(link, cfg.homedir, homedir_len) != 0 || link[homedir_len] != '/') &&
+            (strncmp(link, runuser, runuser_len) != 0 || link[runuser_len] != '/'))
+                EUID_ROOT();
 
         int fd = whitelist_mkpath(link, 0755);
         if (fd == -1) {
                 if (arg_debug || arg_debug_whitelists)
                         printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link);
-                if (userprivs)
-                        EUID_ROOT();
+                EUID_USER();
                 return;
         }
 
@@ -252,8 +243,7 @@ static void whitelist_symlink(const char *link, const char *target) {
                 printf("Created symbolic link %s -> %s\n", link, target);
 
         close(fd);
-        if (userprivs)
-                EUID_ROOT();
+        EUID_USER();
 }
 
 static void globbing(const char *pattern) {
@@ -330,10 +320,11 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
                 // init tmpfs
                 if (strcmp(topdirs[i].path, "/run") == 0) {
                         // restore /run/firejail directory
-                        if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1)
-                                errExit("mkdir");
+                        EUID_ROOT();
+                        mkdir_attr(RUN_FIREJAIL_DIR, 0755, 0, 0);
                         if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR))
                                 errExit("mount bind");
+                        EUID_USER();
                         close(fd);
                         fs_logger2("whitelist", RUN_FIREJAIL_DIR);
 
@@ -351,12 +342,14 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
                                         errExit("asprintf");
                                 if (strcmp(env, pamtmpdir) == 0) {
                                         // create empty user-owned /tmp/user/$UID directory
+                                        EUID_ROOT();
                                         mkdir_attr("/tmp/user", 0711, 0, 0);
                                         selinux_relabel_path("/tmp/user", "/tmp/user");
                                         fs_logger("mkdir /tmp/user");
                                         mkdir_attr(pamtmpdir, 0700, getuid(), 0);
                                         selinux_relabel_path(pamtmpdir, pamtmpdir);
                                         fs_logger2("mkdir", pamtmpdir);
+                                        EUID_USER();
                                 }
                                 free(pamtmpdir);
                         }
@@ -374,11 +367,8 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
         }
 
         // user home directory
-        if (tmpfs_home) {
-                EUID_USER();
+        if (tmpfs_home)
                 fs_private(); // checks owner if outside /home
-                EUID_ROOT();
-        }
 
         // /run/user/$UID directory
         if (tmpfs_runuser) {
@@ -402,6 +392,7 @@ static int reject_topdir(const char *dir) {
 // keep track of whitelist top level directories by adding them to an array
 // open each directory
 static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
+        EUID_ASSERT();
         assert(dir && path);
 
         // /proc and /sys are not allowed
@@ -516,6 +507,8 @@ static char *extract_topdir(const char *path) {
 }
 
 void fs_whitelist(void) {
+        EUID_ASSERT();
+
         ProfileEntry *entry = cfg.profile;
         if (!entry)
                 return;
@@ -536,7 +529,6 @@ void fs_whitelist(void) {
                 errExit("calloc");
 
         // verify whitelist files, extract symbolic links, etc.
-        EUID_USER();
         while (entry) {
                 int nowhitelist_flag = 0;
 
@@ -630,7 +622,7 @@ void fs_whitelist(void) {
                 if (!fname) {
                         if (arg_debug || arg_debug_whitelists) {
                                 printf("Removed path: %s\n", entry->data);
-                                printf("\texpanded: %s\n", new_name);
+                                printf("\tnew_name: %s\n", new_name);
                                 printf("\trealpath: (null)\n");
                                 printf("\t%s\n", strerror(errno));
                         }
@@ -712,7 +704,6 @@ void fs_whitelist(void) {
         free(nowhitelist);
 
         // mount tmpfs on all top level directories
-        EUID_ROOT();
         tmpfs_topdirs(topdirs);
 
         // go through profile rules again, and interpret whitelist commands
diff --git a/src/firejail/ids.c b/src/firejail/ids.c
index 59acdb1fe..a9ff59be4 100644
--- a/src/firejail/ids.c
+++ b/src/firejail/ids.c
@@ -86,4 +86,4 @@ void run_ids(int argc, char **argv) {
                 fprintf(stderr, "Error: unrecognized IDS command\n");
 
         exit(0);
-}
\ No newline at end of file
+}
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 99fbfdd0a..0e76fd944 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -431,7 +431,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 
         // set cgroup
         if (cfg.cgroup) // not available for uid 0
-                set_cgroup(cfg.cgroup);
+                set_cgroup(cfg.cgroup, getpid());
 
         // join namespaces
         if (arg_join_network) {
@@ -551,10 +551,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 if (cfg.cpus)   // not available for uid 0
                         set_cpu_affinity();
 
-                // set nice value
-                if (arg_nice)
-                        set_nice(cfg.nice);
-
                 // add x11 display
                 if (display) {
                         char *display_str;
@@ -573,6 +569,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
                         dbus_set_system_bus_env();
 #endif
 
+                // set nice and rlimits
+                if (arg_nice)
+                        set_nice(cfg.nice);
+                set_rlimits();
+
                 start_application(0, shfd, NULL);
 
                 __builtin_unreachable();
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 70985ba9e..53e918dde 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -305,7 +305,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
                 }
                 // create destination file if necessary
                 EUID_ASSERT();
-                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWRITE);
+                int fd = open(dest_fname, O_WRONLY|O_CREAT|O_CLOEXEC, S_IRUSR | S_IWUSR);
                 if (fd == -1) {
                         fprintf(stderr, "Error: cannot open %s for writing\n", dest_fname);
                         exit(1);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 81d148257..e765d1d8d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -32,7 +32,8 @@
 #include <dirent.h>
 #include <pwd.h>
 #include <errno.h>
-//#include <limits.h>
+
+#include <limits.h>
 #include <sys/file.h>
 #include <sys/prctl.h>
 #include <signal.h>
@@ -870,7 +871,7 @@ char *guess_shell(void) {
         if (shell) {
                 invalid_filename(shell, 0); // no globbing
                 if (access(shell, X_OK) == 0 && !is_dir(shell) && strstr(shell, "..") == NULL &&
-                    strcmp(shell, PATH_FIREJAIL) != 0)
+                    strcmp(gnu_basename(shell), "firejail") != 0)
                         goto found;
         }
 
@@ -1528,15 +1529,16 @@ int main(int argc, char **argv, char **envp) {
                 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
                         if (checkcfg(CFG_CGROUP)) {
                                 if (option_cgroup) {
-                                        fprintf(stderr, "Error: only a cgroup can be defined\n");
+                                        fprintf(stderr, "Error: only one cgroup can be defined\n");
                                         exit(1);
                                 }
-
-                                option_cgroup = 1;
                                 cfg.cgroup = strdup(argv[i] + 9);
                                 if (!cfg.cgroup)
                                         errExit("strdup");
-                                set_cgroup(cfg.cgroup);
+
+                                check_cgroup_file(cfg.cgroup);
+                                set_cgroup(cfg.cgroup, getpid());
+                                option_cgroup = 1;
                         }
                         else
                                 exit_err_feature("cgroup");
@@ -2154,6 +2156,10 @@ int main(int argc, char **argv, char **envp) {
                         arg_novideo = 1;
                 else if (strcmp(argv[i], "--no3d") == 0)
                         arg_no3d = 1;
+                else if (strcmp(argv[i], "--noprinters") == 0) {
+                        profile_add("blacklist /dev/lp*");
+                        profile_add("blacklist /run/cups/cups.sock");
+                }
                 else if (strcmp(argv[i], "--notv") == 0)
                         arg_notv = 1;
                 else if (strcmp(argv[i], "--nodvd") == 0)
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 64a94bd84..ee437e10b 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -19,6 +19,7 @@
 */
 
 #include "firejail.h"
+#include <errno.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -32,43 +33,38 @@ static MountData mdata;
 
 
 // Convert octal escape sequence to decimal value
-static int read_oct(const char *path) {
-        int dec = 0;
-        int digit, i;
-        // there are always exactly three octal digits
-        for (i = 1; i < 4; i++) {
-                digit = *(path + i);
-                if (digit < '0' || digit > '7') {
-                        fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
-                        exit(1);
-                }
-                dec = (dec << 3) + (digit - '0');
-        }
-        return dec;
+static unsigned read_oct(char *s) {
+        assert(s[0] == '\\');
+        s++;
+
+        int i;
+        for (i = 0; i < 3; i++)
+                assert(s[i] >= '0' && s[i] <= '7');
+
+        return ((s[0] - '0') << 6 |
+                (s[1] - '0') << 3 |
+                (s[2] - '0') << 0);
 }
 
 // Restore empty spaces in pathnames extracted from /proc/self/mountinfo
 static void unmangle_path(char *path) {
-        char *p = strchr(path, '\\');
-        if (p && read_oct(p) == ' ') {
-                *p = ' ';
-                int i = 3;
-                do {
-                        p++;
-                        if (*(p + i) == '\\' && read_oct(p + i) == ' ') {
-                                *p = ' ';
-                                i += 3;
-                        }
-                        else
-                                *p = *(p + i);
-                } while (*p);
-        }
+        char *r = strchr(path, '\\');
+        if (!r)
+                return;
+
+        char *w = r;
+        do {
+                while (*r == '\\') {
+                        *w++ = read_oct(r);
+                        r += 4;
+                }
+                *w++ = *r;
+        } while (*r++);
 }
 
 // Parse a line from /proc/self/mountinfo,
 // the function does an exit(1) if anything goes wrong.
 static void parse_line(char *line, MountData *output) {
-        assert(line && output);
         memset(output, 0, sizeof(*output));
         // extract mount id, filesystem name, directory and filesystem types
         // examples:
@@ -86,8 +82,6 @@ static void parse_line(char *line, MountData *output) {
         char *ptr = strtok(line, " ");
         if (!ptr)
                 goto errexit;
-        if (ptr != line)
-                goto errexit;
         output->mountid = atoi(ptr);
         int cnt = 1;
 
@@ -108,10 +102,9 @@ static void parse_line(char *line, MountData *output) {
         ptr = strtok(NULL, " ");
         if (!ptr)
                 goto errexit;
-        output->fstype = ptr++;
-
+        output->fstype = ptr;
 
-        if (output->mountid == 0 ||
+        if (output->mountid < 0 ||
             output->fsname == NULL ||
             output->dir == NULL ||
             output->fstype == NULL)
@@ -151,111 +144,117 @@ MountData *get_last_mount(void) {
         return &mdata;
 }
 
-// Extract the mount id from /proc/self/fdinfo and return it.
-int get_mount_id(const char *path) {
+// Returns mount id, or -1 if fd refers to a procfs or sysfs file
+static int get_mount_id_from_handle(int fd) {
         EUID_ASSERT();
-        assert(path);
 
-        int fd = open(path, O_PATH|O_CLOEXEC);
-        if (fd == -1)
-                return -1;
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+                errExit("asprintf");
+        struct file_handle *fh = malloc(sizeof *fh);
+        if (!fh)
+                errExit("malloc");
+        fh->handle_bytes = 0;
+
+        int rv = -1;
+        int tmp;
+        if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) {
+                fprintf(stderr, "Error: unexpected result from name_to_handle_at\n");
+                exit(1);
+        }
+        if (errno == EOVERFLOW && fh->handle_bytes)
+                rv = tmp;
+
+        free(proc);
+        free(fh);
+        return rv;
+}
+
+// Returns mount id, or -1 on kernels < 3.15
+static int get_mount_id_from_fdinfo(int fd) {
+        EUID_ASSERT();
+        int rv = -1;
 
-        char *fdinfo;
-        if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1)
+        char *proc;
+        if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1)
                 errExit("asprintf");
         EUID_ROOT();
-        FILE *fp = fopen(fdinfo, "re");
+        FILE *fp = fopen(proc, "re");
         EUID_USER();
-        free(fdinfo);
         if (!fp)
                 goto errexit;
 
-        // read the file
         char buf[MAX_BUF];
-        if (fgets(buf, MAX_BUF, fp) == NULL)
-                goto errexit;
-        do {
+        while (fgets(buf, MAX_BUF, fp)) {
                 if (strncmp(buf, "mnt_id:", 7) == 0) {
-                        char *ptr = buf + 7;
-                        while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
-                                ptr++;
-                        }
-                        if (*ptr == '\0')
-                                goto errexit;
-                        fclose(fp);
-                        close(fd);
-                        return atoi(ptr);
+                        if (sscanf(buf + 7, "%d", &rv) == 1)
+                                break;
+                        goto errexit;
                 }
-        } while (fgets(buf, MAX_BUF, fp));
+        }
 
-        // fallback, kernels older than 3.15 don't expose the mount id in this place
+        free(proc);
         fclose(fp);
-        close(fd);
-        return -2;
+        return rv;
 
 errexit:
         fprintf(stderr, "Error: cannot read proc file\n");
         exit(1);
 }
 
+int get_mount_id(int fd) {
+        int rv = get_mount_id_from_fdinfo(fd);
+        if (rv < 0)
+                rv = get_mount_id_from_handle(fd);
+        return rv;
+}
+
 // Check /proc/self/mountinfo if path contains any mounts points.
 // Returns an array that can be iterated over for recursive remounting.
-char **build_mount_array(const int mount_id, const char *path) {
+char **build_mount_array(const int mountid, const char *path) {
         assert(path);
 
-        // open /proc/self/mountinfo
         FILE *fp = fopen("/proc/self/mountinfo", "re");
         if (!fp) {
                 fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
                 exit(1);
         }
 
-        // array to be returned
-        size_t cnt = 0;
+        // try to find line with mount id
+        int found = 0;
+        MountData mntp;
+        char line[MAX_BUF];
+        while (fgets(line, MAX_BUF, fp)) {
+                parse_line(line, &mntp);
+                if (mntp.mountid == mountid) {
+                        found = 1;
+                        break;
+                }
+        }
+
+        if (!found) {
+                fclose(fp);
+                return NULL;
+        }
+
+        // allocate array
         size_t size = 32;
         char **rv = malloc(size * sizeof(*rv));
         if (!rv)
                 errExit("malloc");
 
-        // read /proc/self/mountinfo
-        size_t pathlen = strlen(path);
-        char buf[MAX_BUF];
-        MountData mntp;
-        int found = 0;
+        // add directory itself
+        size_t cnt = 0;
+        rv[cnt] = strdup(path);
+        if (rv[cnt] == NULL)
+                errExit("strdup");
 
-        if (fgets(buf, MAX_BUF, fp) == NULL) {
-                fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
-                exit(1);
-        }
-        do {
-                parse_line(buf, &mntp);
-                // find mount point with mount id
-                if (!found) {
-                        if (mntp.mountid == mount_id) {
-                                // give up if mount id has been reassigned,
-                                // don't remount blacklisted path
-                                if (strncmp(mntp.dir, path, strlen(mntp.dir)) ||
-                                    strstr(mntp.fsname, "firejail.ro.dir") ||
-                                    strstr(mntp.fsname, "firejail.ro.file"))
-                                            break;
-
-                                rv[cnt] = strdup(path);
-                                if (rv[cnt] == NULL)
-                                        errExit("strdup");
-                                cnt++;
-                                found = 1;
-                                continue;
-                        }
-                        continue;
-                }
-                // from here on add all mount points below path,
-                // don't remount blacklisted paths
-                if (strncmp(mntp.dir, path, pathlen) == 0 &&
-                    mntp.dir[pathlen] == '/' &&
-                    strstr(mntp.fsname, "firejail.ro.dir") == NULL &&
-                    strstr(mntp.fsname, "firejail.ro.file") == NULL) {
-
-                        if (cnt == size) {
+        // and add all following mountpoints contained in this directory
+        size_t pathlen = strlen(path);
+        while (fgets(line, MAX_BUF, fp)) {
+                parse_line(line, &mntp);
+                if (strncmp(mntp.dir, path, pathlen) == 0 && mntp.dir[pathlen] == '/') {
+                        if (++cnt == size) {
                                 size *= 2;
                                 rv = realloc(rv, size * sizeof(*rv));
                                 if (!rv)
@@ -264,18 +263,17 @@ char **build_mount_array(const int mount_id, const char *path) {
                         rv[cnt] = strdup(mntp.dir);
                         if (rv[cnt] == NULL)
                                 errExit("strdup");
-                        cnt++;
                 }
-        } while (fgets(buf, MAX_BUF, fp));
+        }
+        fclose(fp);
 
-        if (cnt == size) {
-                size++;
+        // end of array
+        if (++cnt == size) {
+                ++size;
                 rv = realloc(rv, size * sizeof(*rv));
                 if (!rv)
                         errExit("realloc");
         }
-        rv[cnt] = NULL; // end of the array
-
-        fclose(fp);
+        rv[cnt] = NULL;
         return rv;
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index b7c7185a6..babc3941e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -175,6 +175,10 @@ static int check_allow_drm(void) {
         return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
 }
 
+static int check_allow_tray(void) {
+        return checkcfg(CFG_ALLOW_TRAY) != 0;
+}
+
 Cond conditionals[] = {
         {"HAS_APPIMAGE", check_appimage},
         {"HAS_NET", check_netoptions},
@@ -184,6 +188,7 @@ Cond conditionals[] = {
         {"HAS_X11", check_x11},
         {"BROWSER_DISABLE_U2F", check_disable_u2f},
         {"BROWSER_ALLOW_DRM", check_allow_drm},
+        {"ALLOW_TRAY", check_allow_tray},
         { NULL, NULL }
 };
 
@@ -444,6 +449,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_no3d = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "noprinters") == 0) {
+                profile_add("blacklist /dev/lp*");
+                profile_add("blacklist /run/cups/cups.sock");
+                return 0;
+        }
         else if (strcmp(ptr, "noinput") == 0) {
                 arg_noinput = 1;
                 return 0;
@@ -630,7 +640,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                 return 0;
         }
-        else if (strncmp(ptr, "netns  ", 6) == 0) {
+        else if (strncmp(ptr, "netns ", 6) == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK)) {
                         arg_netns = ptr + 6;
@@ -981,10 +991,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         warning_feature_disabled("seccomp");
                 return 0;
         }
-        if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
+        if (strncmp(ptr, "seccomp.32.drop ", 16) == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
-                        cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
+                        cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 16);
                 }
                 else
                         warning_feature_disabled("seccomp");
@@ -1001,10 +1011,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         warning_feature_disabled("seccomp");
                 return 0;
         }
-        if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
+        if (strncmp(ptr, "seccomp.32.keep ", 16) == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
-                        cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
+                        cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 16);
                 }
                 else
                         warning_feature_disabled("seccomp");
@@ -1124,8 +1134,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // cgroup
         if (strncmp(ptr, "cgroup ", 7) == 0) {
-                if (checkcfg(CFG_CGROUP))
-                        set_cgroup(ptr + 7);
+                if (checkcfg(CFG_CGROUP)) {
+                        cfg.cgroup = strdup(ptr + 7);
+                        if (!cfg.cgroup)
+                                errExit("strdup");
+
+                        check_cgroup_file(cfg.cgroup);
+                        set_cgroup(cfg.cgroup, getpid());
+                }
                 else
                         warning_feature_disabled("cgroup");
                 return 0;
@@ -1938,7 +1954,7 @@ char *profile_list_compress(char *list)
                         /* Include non-empty item */
                         if (!*item)
                                 in[i] = 0;
-                        /* Remove all allready included items */
+                        /* Remove all already included items */
                         for (k = 0; k < i; ++k)
                                 in[k] = 0;
                         break;
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 6f17231a4..59077dada 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -21,7 +21,6 @@
 #include "../include/firejail_user.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
-#include <linux/limits.h>
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 77fac5438..6397418d1 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -22,7 +22,6 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
-extern char *find_in_path(const char *program);
 
 void run_symlink(int argc, char **argv, int run_as_is) {
         EUID_ASSERT();
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 995827fb7..efa21c34b 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -204,7 +204,7 @@ static void save_umask(void) {
 }
 
 static char *create_join_file(void) {
-        int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+        int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
         if (fd == -1)
                 errExit("open");
         if (ftruncate(fd, 1) == -1)
@@ -798,7 +798,7 @@ int sandbox(void* sandbox_arg) {
 
         // trace pre-install
         if (need_preload)
-                fs_trace_preload();
+                fs_trace_touch_or_store_preload();
 
         // store hosts file
         if (cfg.hosts_file)
@@ -814,8 +814,11 @@ int sandbox(void* sandbox_arg) {
                 //****************************
                 // trace pre-install, this time inside chroot
                 //****************************
-                if (need_preload)
-                        fs_trace_preload();
+                if (need_preload) {
+                        int rv = unlink(RUN_LDPRELOAD_FILE);
+                        (void) rv;
+                        fs_trace_touch_or_store_preload();
+                }
         }
         else
 #endif
@@ -887,16 +890,16 @@ int sandbox(void* sandbox_arg) {
                 else if (arg_overlay)
                         fwarning("private-bin feature is disabled in overlay\n");
                 else {
+                        EUID_USER();
                         // for --x11=xorg we need to add xauth command
                         if (arg_x11_xorg) {
-                                EUID_USER();
                                 char *tmp;
                                 if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1)
                                         errExit("asprintf");
                                 cfg.bin_private_keep = tmp;
-                                EUID_ROOT();
                         }
                         fs_private_bin_list();
+                        EUID_ROOT();
                 }
         }
 
@@ -992,7 +995,7 @@ int sandbox(void* sandbox_arg) {
 
                         // create /etc/ld.so.preload file again
                         if (need_preload)
-                                fs_trace_preload();
+                                fs_trace_touch_preload();
 
                         // openSUSE configuration is split between /etc and /usr/etc
                         // process private-etc a second time
@@ -1004,10 +1007,12 @@ int sandbox(void* sandbox_arg) {
         // apply the profile file
         //****************************
         // apply all whitelist commands ...
+        EUID_USER();
         fs_whitelist();
 
         // ... followed by blacklist commands
         fs_blacklist(); // mkdir and mkfile are processed all over again
+        EUID_ROOT();
 
         //****************************
         // nosound/no3d/notv/novideo and fix for pulseaudio 7.0
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 6969e7a3d..fa59882ed 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -21,6 +21,7 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <errno.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -57,7 +58,17 @@ void selinux_relabel_path(const char *path, const char *inside_path)
 
         /* Open the file as O_PATH, to pin it while we determine and adjust the label
          * Defeat symlink races by not allowing symbolic links */
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root)
+                EUID_USER();
+
         fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+
+        if (called_as_root)
+                EUID_ROOT();
+
         if (fd < 0)
                 return;
         if (fstat(fd, &st) < 0)
@@ -68,8 +79,16 @@ void selinux_relabel_path(const char *path, const char *inside_path)
                 if (arg_debug)
                         printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
-                setfilecon_raw(procfs_path, fcon);
+                if (!called_as_root)
+                        EUID_ROOT();
+
+                if (setfilecon_raw(procfs_path, fcon) != 0 && arg_debug)
+                        printf("Cannot relabel %s: %s\n", path, strerror(errno));
+
+                if (!called_as_root)
+                        EUID_USER();
         }
+
         freecon(fcon);
  close:
         close(fd);
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 094a68c60..86977cecf 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -20,8 +20,6 @@
 #define _XOPEN_SOURCE 500
 #include "firejail.h"
 #include "../include/gcov_wrapper.h"
-#include <ftw.h>
-#include <sys/stat.h>
 #include <sys/mount.h>
 #include <syslog.h>
 #include <errno.h>
@@ -32,9 +30,6 @@
 #include <sys/wait.h>
 #include <limits.h>
 
-#include <string.h>
-#include <ctype.h>
-
 #include <fcntl.h>
 #ifndef O_PATH
 #define O_PATH 010000000
@@ -459,31 +454,21 @@ int is_dir(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
-        int called_as_root = 0;
-        if (geteuid() == 0)
-                called_as_root = 1;
-
-        if (called_as_root)
-                EUID_USER();
-
         // if fname doesn't end in '/', add one
         int rv;
         struct stat s;
         if (fname[strlen(fname) - 1] == '/')
-                rv = stat(fname, &s);
+                rv = stat_as_user(fname, &s);
         else {
                 char *tmp;
                 if (asprintf(&tmp, "%s/", fname) == -1) {
                         fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
                         errExit("asprintf");
                 }
-                rv = stat(tmp, &s);
+                rv = stat_as_user(tmp, &s);
                 free(tmp);
         }
 
-        if (called_as_root)
-                EUID_ROOT();
-
         if (rv == -1)
                 return 0;
 
@@ -499,13 +484,6 @@ int is_link(const char *fname) {
         if (*fname == '\0')
                 return 0;
 
-        int called_as_root = 0;
-        if (geteuid() == 0)
-                called_as_root = 1;
-
-        if (called_as_root)
-                EUID_USER();
-
         // remove trailing '/' if any
         char *tmp = strdup(fname);
         if (!tmp)
@@ -513,12 +491,9 @@ int is_link(const char *fname) {
         trim_trailing_slash_or_dot(tmp);
 
         char c;
-        ssize_t rv = readlink(tmp, &c, 1);
+        ssize_t rv = readlink_as_user(tmp, &c, 1);
         free(tmp);
 
-        if (called_as_root)
-                EUID_ROOT();
-
         return (rv != -1);
 }
 
@@ -540,6 +515,24 @@ char *realpath_as_user(const char *fname) {
         return rv;
 }
 
+ssize_t readlink_as_user(const char *fname, char *buf, size_t sz) {
+        assert(fname && buf && sz);
+
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+
+        if (called_as_root)
+                EUID_USER();
+
+        ssize_t rv = readlink(fname, buf, sz);
+
+        if (called_as_root)
+                EUID_ROOT();
+
+        return rv;
+}
+
 int stat_as_user(const char *fname, struct stat *s) {
         assert(fname);
 
@@ -974,12 +967,9 @@ uid_t pid_get_uid(pid_t pid) {
 }
 
 
-
-
-uid_t get_group_id(const char *group) {
-        // find tty group id
+gid_t get_group_id(const char *groupname) {
         gid_t gid = 0;
-        struct group *g = getgrnam(group);
+        struct group *g = getgrnam(groupname);
         if (g)
                 gid = g->gr_gid;
 
@@ -987,86 +977,6 @@ uid_t get_group_id(const char *group) {
 }
 
 
-static int remove_callback(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) {
-        (void) sb;
-        (void) typeflag;
-        (void) ftwbuf;
-        assert(fpath);
-
-        if (strcmp(fpath, ".") == 0)
-                return 0;
-
-        if (remove(fpath)) {    // removes the link not the actual file
-                perror("remove");
-                fprintf(stderr, "Error: cannot remove file from user .firejail directory: %s\n", fpath);
-                exit(1);
-        }
-
-        return 0;
-}
-
-
-int remove_overlay_directory(void) {
-        EUID_ASSERT();
-        sleep(1);
-
-        char *path;
-        if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
-                errExit("asprintf");
-
-        if (access(path, F_OK) == 0) {
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // open ~/.firejail
-                        int fd = safer_openat(-1, path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
-                        if (fd == -1) {
-                                fprintf(stderr, "Error: cannot open %s\n", path);
-                                exit(1);
-                        }
-                        struct stat s;
-                        if (fstat(fd, &s) == -1)
-                                errExit("fstat");
-                        if (!S_ISDIR(s.st_mode)) {
-                                if (S_ISLNK(s.st_mode))
-                                        fprintf(stderr, "Error: %s is a symbolic link\n", path);
-                                else
-                                        fprintf(stderr, "Error: %s is not a directory\n", path);
-                                exit(1);
-                        }
-                        if (s.st_uid != getuid()) {
-                                fprintf(stderr, "Error: %s is not owned by the current user\n", path);
-                                exit(1);
-                        }
-                        // chdir to ~/.firejail
-                        if (fchdir(fd) == -1)
-                                errExit("fchdir");
-                        close(fd);
-
-                        EUID_ROOT();
-                        // FTW_PHYS - do not follow symbolic links
-                        if (nftw(".", remove_callback, 64, FTW_DEPTH | FTW_PHYS) == -1)
-                                errExit("nftw");
-
-                        EUID_USER();
-                        // remove ~/.firejail
-                        if (rmdir(path) == -1)
-                                errExit("rmdir");
-
-                        __gcov_flush();
-
-                        _exit(0);
-                }
-                // wait for the child to finish
-                waitpid(child, NULL, 0);
-                // check if ~/.firejail was deleted
-                if (access(path, F_OK) == 0)
-                        return 1;
-        }
-        return 0;
-}
-
 // flush stdin if it is connected to a tty and has input
 void flush_stdin(void) {
         if (!isatty(STDIN_FILENO))
@@ -1095,31 +1005,33 @@ int create_empty_dir_as_user(const char *dir, mode_t mode) {
         assert(dir);
         mode &= 07777;
 
-        if (access(dir, F_OK) != 0) {
+        if (access(dir, F_OK) == 0)
+                return 0;
+
+        pid_t child = fork();
+        if (child < 0)
+                errExit("fork");
+        if (child == 0) {
+                // drop privileges
+                drop_privs(0);
+
                 if (arg_debug)
                         printf("Creating empty %s directory\n", dir);
-                pid_t child = fork();
-                if (child < 0)
-                        errExit("fork");
-                if (child == 0) {
-                        // drop privileges
-                        drop_privs(0);
-
-                        if (mkdir(dir, mode) == 0) {
-                                int err = chmod(dir, mode);
-                                (void) err;
-                        }
-                        else if (arg_debug)
-                                printf("Directory %s not created: %s\n", dir, strerror(errno));
+                if (mkdir(dir, mode) == 0) {
+                        int err = chmod(dir, mode);
+                        (void) err;
+                }
+                else if (arg_debug)
+                        printf("Directory %s not created: %s\n", dir, strerror(errno));
 
-                        __gcov_flush();
+                __gcov_flush();
 
-                        _exit(0);
-                }
-                waitpid(child, NULL, 0);
-                if (access(dir, F_OK) == 0)
-                        return 1;
+                _exit(0);
         }
+        waitpid(child, NULL, 0);
+
+        if (access(dir, F_OK) == 0)
+                return 1;
         return 0;
 }
 
@@ -1509,7 +1421,7 @@ static int has_link(const char *dir) {
 void check_homedir(const char *dir) {
         assert(dir);
         if (dir[0] != '/') {
-                fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
+                fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir);
                 exit(1);
         }
         // symlinks are rejected in many places
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
index be3104da3..3f8c89bfb 100644
--- a/src/jailcheck/jailcheck.h
+++ b/src/jailcheck/jailcheck.h
@@ -61,4 +61,4 @@ char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
 int find_child(pid_t pid);
 pid_t switch_to_child(pid_t pid);
 
-#endif
\ No newline at end of file
+#endif
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
index 7f994d6a1..be18ac109 100644
--- a/src/jailcheck/noexec.c
+++ b/src/jailcheck/noexec.c
@@ -110,4 +110,4 @@ void noexec_test(const char *path) {
         wait(&status);
         int rv = unlink(fname);
         (void) rv;
-}
\ No newline at end of file
+}
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index d88512b0a..319902ff7 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -18,12 +18,12 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #define _GNU_SOURCE
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <dlfcn.h>
 #include <sys/types.h>
-#include <limits.h>
 #include <unistd.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -706,10 +706,14 @@ __attribute__((constructor))
 static void log_exec(int argc, char** argv) {
         (void) argc;
         (void) argv;
-        static char buf[PATH_MAX + 1];
-        int rv = readlink("/proc/self/exe", buf, PATH_MAX);
-        if (rv != -1) {
-                buf[rv] = '\0'; // readlink does not add a '\0' at the end
+        char *buf = realpath("/proc/self/exe", NULL);
+        if (buf == NULL) {
+                if (errno == ENOMEM) {
+                        tprintf(ftty, "realpath: %s\n", strerror(errno));
+                        exit(1);
+                }
+        } else {
                 tprintf(ftty, "%u:%s:exec %s:0\n", mypid, myname, buf);
+                free(buf);
         }
 }
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index d0d3c25e8..a1eccaa5e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -78,7 +78,7 @@ in your desktop environment copy the profile file in ~/.config/firejail director
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in  /etc/firejail directory. Profile names do not include the .profile suffix.
+\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
 Example:
 .PP
 .RS
@@ -174,7 +174,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
@@ -324,16 +324,16 @@ Remount the file or the directory noexec, nodev and nosuid.
 #ifdef HAVE_OVERLAYFS
 .TP
 \fBoverlay
-Mount  a  filesystem  overlay  on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/<PID>  directory.
+Mount a filesystem overlay on top of the current filesystem.
+The overlay is stored in $HOME/.firejail/<PID> directory.
 .TP
 \fBoverlay-named name
-Mount  a  filesystem  overlay  on top of the current filesystem.
-The overlay is stored in $HOME/.firejail/name  directory.
+Mount a filesystem overlay on top of the current filesystem.
+The overlay is stored in $HOME/.firejail/name directory.
 .TP
 \fBoverlay-tmpfs
-Mount  a  filesystem  overlay  on top of the current filesystem.
-All filesystem  modifications are discarded when the sandbox is closed.
+Mount a filesystem overlay on top of the current filesystem.
+All filesystem modifications are discarded when the sandbox is closed.
 #endif
 .TP
 \fBprivate
@@ -487,12 +487,12 @@ does not result in an increase of privilege.
 #ifdef HAVE_USERNS
 .TP
 \fBnoroot
-Use this command  to enable an user namespace. The namespace has only one user, the current user.
+Use this command to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
 #endif
 .TP
 \fBprotocol protocol1,protocol2,protocol3
-Enable protocol filter. The filter is based on seccomp and  checks the
+Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
 .TP
@@ -606,7 +606,7 @@ Allow the application to see but not talk to the name org.freedesktop.Notificati
 Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
-Allow the application to receive broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
 .TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
@@ -873,8 +873,8 @@ a DHCP client and releasing the lease manually.
 
 .TP
 \fBiprange address,address
-Assign  an  IP address in the provided range to the last network
-interface defined by  a  net command.  A  default  gateway  is assigned by default.
+Assign an IP address in the provided range to the last network
+interface defined by a net command.  A default gateway is assigned by default.
 .br
 
 .br
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0462705c0..e724e4bb9 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -45,7 +45,7 @@ firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-deb
 #ifdef HAVE_LTS
 This is Firejail long-term support (LTS), an enterprise focused version of the software,
 LTS is usually supported for two or three years.
-During this time  only bugs and the occasional documentation problems are fixed.
+During this time only bugs and the occasional documentation problems are fixed.
 The attack surface of the SUID executable was greatly reduced by removing some of the features.
 .br
 
@@ -109,7 +109,7 @@ ptrace system call allows a full bypass of the seccomp filter.
 .br
 Example:
 .br
-$ firejail  --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
+$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
@@ -290,8 +290,8 @@ $ firejail \-\-caps.print=3272
 Print content of file from sandbox container, see FILE TRANSFER section for more details.
 #endif
 .TP
-\fB\-\-cgroup=tasks-file
-Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file.
+\fB\-\-cgroup=file
+Place the sandbox in the specified control group. file is the full path of a tasks or cgroup.procs file.
 .br
 
 .br
@@ -310,6 +310,11 @@ regular user, nonewprivs and a default capabilities filter are enabled.
 Example:
 .br
 $ firejail \-\-chroot=/media/ubuntu warzone2100
+.br
+
+.br
+For automatic mounting of X11 and PulseAudio sockets set environment variables
+FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE.
 #endif
 .TP
 \fB\-\-cpu=cpu-number,cpu-number,cpu-number
@@ -947,7 +952,7 @@ $ firejail \-\-net=eth0 \-\-\iprange=192.168.1.100,192.168.1.150
 
 .TP
 \fB\-\-ipc-namespace
-Enable  a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
+Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
 for sandboxes started as root.
 .br
 
@@ -1014,7 +1019,7 @@ $ sudo firejail --join-network=browser /sbin/iptables -vL
 .br
 
 .br
-# verify  IP addresses
+# verify IP addresses
 .br
 $ sudo firejail --join-network=browser ip addr
 .br
@@ -2134,7 +2139,7 @@ Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-cpu=number
 Set the maximum limit, in seconds, for the amount of CPU time each
-sandboxed process  can consume. When the limit is reached, the processes are killed.
+sandboxed process can consume. When the limit is reached, the processes are killed.
 
 The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
 the CPU has been in use and does not necessarily directly relate to the elapsed time. Linux kernel keeps
@@ -2178,7 +2183,7 @@ $ firejail \-\-net=eth0 \-\-scan
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
-which is  @default-nodebuggers unless \-\-allow-debuggers is specified,
+which is @default-nodebuggers unless \-\-allow-debuggers is specified,
 then it is @default.
 
 .br
@@ -2192,6 +2197,11 @@ More information about groups can be found in /usr/share/doc/firejail/syscalls.t
 .br
 
 .br
+The default list can be customized, see \-\-seccomp= for a description.
+It can be customized also globally in /etc/firejail/firejail.config file.
+.br
+
+.br
 System architecture is strictly imposed only if flag
 \-\-seccomp.block-secondary is used. The filter is applied at run time
 only if the correct architecture was detected. For the case of I386
@@ -2206,11 +2216,7 @@ Firejail will print seccomp violations to the audit log if the kernel was compil
 Example:
 .br
 $ firejail \-\-seccomp
-.br
 
-.br
-The default list can be customized, see \-\-seccomp= for a description. It can be customized
-also globally in /etc/firejail/firejail.config file.
 
 .TP
 \fB\-\-seccomp=syscall,@group,!syscall2
@@ -2865,7 +2871,7 @@ and it is installed by default on most Linux distributions. It provides support
 connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
 contents of other clients, stealing input events, etc.
 
-The untrusted mode has several limitations. A lot of regular programs  assume they are a trusted X11 clients
+The untrusted mode has several limitations. A lot of regular programs assume they are a trusted X11 clients
 and will crash or lock up when run in untrusted mode. Chromium browser and xterm are two examples.
 Firefox and transmission-gtk seem to be working fine.
 A network namespace is not required for this option.
@@ -3256,7 +3262,7 @@ The owner of the sandbox.
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
 /etc/passwd file for each user that needs to be restricted. Alternatively,
-you can specify /usr/bin/firejail  in adduser command:
+you can specify /usr/bin/firejail in adduser command:
 
 adduser \-\-shell /usr/bin/firejail username
 
@@ -3266,7 +3272,7 @@ Additional arguments passed to firejail executable upon login are declared in /e
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in  /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
+1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
 Example:
 .PP
 .RS
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 76b2f7be2..c4e6e15b3 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -56,7 +56,7 @@ Print route table for each sandbox.
 Print seccomp configuration for each sandbox.
 .TP
 \fB\-\-top
-Monitor the most CPU-intensive sandboxes. This command  is similar to
+Monitor the most CPU-intensive sandboxes. This command is similar to
 the regular UNIX top command, however it applies only to sandboxes.
 .TP
 \fB\-\-tree
diff --git a/src/tools/profcleaner.c b/src/tools/profcleaner.c
index 93bb3f73d..beff93199 100644
--- a/src/tools/profcleaner.c
+++ b/src/tools/profcleaner.c
@@ -72,4 +72,4 @@ int main(int argc, char **argv) {
         }
 
         return 0;
-}
\ No newline at end of file
+}
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index 152975c9d..1e1dd549b 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -112,14 +112,17 @@ echo "TESTING: rlimit (test/environment/rlimit.exp)"
 echo "TESTING: rlimit profile (test/environment/rlimit-profile.exp)"
 ./rlimit-profile.exp
 
+echo "TESTING: rlimit join (test/environment/rlimit-join.exp)"
+./rlimit-join.exp
+
 echo "TESTING: rlimit errors (test/environment/rlimit-bad.exp)"
 ./rlimit-bad.exp
 
 echo "TESTING: rlimit errors profile (test/environment/rlimit-bad-profile.exp)"
 ./rlimit-bad-profile.exp
 
-echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp"
+echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code.exp)"
 ./deterministic-exit-code.exp
 
-echo "TESTING: retain umask (test/environment/umask.exp"
+echo "TESTING: retain umask (test/environment/umask.exp)"
 (umask 123 && ./umask.exp)
diff --git a/test/environment/rlimit-join.exp b/test/environment/rlimit-join.exp
new file mode 100755
index 000000000..aa8a203c0
--- /dev/null
+++ b/test/environment/rlimit-join.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2021 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --noprofile --name=\"rlimit testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send --  "firejail --rlimit-nofile=1234 --join=\"rlimit testing\"\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Switching to pid"
+}
+sleep 1
+
+send -- "cat /proc/self/limits\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Max open files            1234                 1234"
+}
+after 100
+
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/utils/build.exp b/test/utils/build.exp
index 104ac037c..b9733c137 100755
--- a/test/utils/build.exp
+++ b/test/utils/build.exp
@@ -13,7 +13,7 @@ after 100
 send -- "firejail --build cat ~/_firejail-test-file\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "allow $\{HOME\}/_firejail-test-file"
+        "whitelist $\{HOME\}/_firejail-test-file"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}